browser redirect virus


  • This topic is locked
38 replies to this topic

#1 mascot

mascot

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:05 PM

Posted 02 August 2010 - 02:14 PM

Here's my problem:

I use alltheweb.com as my search engine, and after I do a search and click on one of the results, the URL address changes to "http://results.yahoo.com" and then it redirects to a page other than the one I clicked on. Once I see "results.yahoo.com", if I click back to the original search results page and click the same link, it will go to the intended site. After I have done this, the link from the search results works properly every time. Basically, that "results.yahoo.com" only happens on each unique page that I click on from my search results, and not on links that I have already visited.

Occasionally, while I'm on a page, the site will redirect on its own to another page, but that is only occasional.

I've tried Lavasoft, Spybot S&D, and McAfee VirusScan Enterprise 8.5, and the problem still exists.

Thanks (Orange Blossom) for the reply. I tried running the GMER scan, and after almost 36 hours it was still scanning, so I stopped it. Is it supposed to take that long? I will be out of town starting Wednesday, so if it's supposed to take 2 or 3 days to scan then I'll run GMER again, but even when I stopped the scan it locked up my computer and I had to reboot. I'm just confused as to why this is happening... taking so long for GMER to scan. What I did notice is a ton of temporary internet files (even though I've used "delete temporary internet files" several times), and I also have a lot of "$NtUninstallKB________" files under the Windows directory.

The GMER log I couldn't post, but the DDS and ComboFix logs are posted below, and the Attach log is attached.


Here is the DDS log:
######################################################
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 14:14:40.64 on Sun 08/01/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1214 [GMT -7:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Documents and Settings\Owner\Application Data\mjusbsp\magicJack.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mascotgraphics.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {D63F58E9-B8BB-4DBA-B2A0-44F72C2A61BD} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-8287-79A187E26987} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [cdloader] "c:\documents and settings\owner\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256715629937
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256715624093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-1 64288]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2009-1-19 277544]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1352832]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-10-28 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-10-28 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-10-28 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-10-28 168776]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-2-25 58600]
S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2010-7-30 256512]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2010-1-17 1527900]
S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2010-1-17 544768]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

=============== Created Last 30 ================

2010-08-01 19:57:56 0 d-----w- c:\program files\Runtime Software
2010-08-01 19:51:18 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-08-01 05:00:04 0 d-----w- c:\windows\system32\NtmsData
2010-07-30 23:37:35 0 d-----w- C:\spoolerlogs
2010-07-30 20:23:28 0 d-sha-r- C:\cmdcons
2010-07-30 20:19:32 0 d-s---w- C:\ComboFix
2010-07-30 17:13:18 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-07-30 17:13:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-30 17:13:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-30 17:13:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-30 17:13:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-25 05:41:28 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-20 04:35:50 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-20 04:04:14 0 d-----w- c:\program files\MSXML 6.0
2010-07-20 03:38:36 0 d-sh--w- C:\RECYCLER(2)
2010-07-19 14:47:30 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-19 14:47:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-19 09:09:54 0 d-----w- c:\docume~1\alluse~1\applic~1\FrontLine Registry Cleaner
2010-07-19 09:09:48 0 d-----w- c:\program files\Frontline Registry Cleaner
2010-07-19 09:02:41 77312 ----a-w- c:\windows\MBR.exe
2010-07-19 09:02:39 98816 ----a-w- c:\windows\sed.exe
2010-07-19 09:02:39 256512 ----a-w- c:\windows\PEV.exe
2010-07-19 09:02:39 161792 ----a-w- c:\windows\SWREG.exe
2010-07-19 08:29:52 0 d-----w- c:\windows\system32\appmgmt
2010-07-13 21:30:32 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-09 22:06:27 0 d-----w- c:\program files\FileASSASSIN
2010-07-09 20:07:43 198720000 ----a-w- C:\t2hg.5
2010-07-09 20:07:43 198720000 ----a-w- C:\t2hg.3
2010-07-09 20:07:43 190078464 ----a-w- C:\t2hg.4

==================== Find3M ====================

2010-08-01 02:10:30 2516 --sh--w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-07-12 08:55:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-27 19:52:03 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-06-27 19:52:01 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-06-22 11:36:29 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-09 14:50:24 35416 ----a-w- c:\windows\fonts\phoenix_.ttf
2010-06-09 14:28:41 43264 ----a-w- c:\windows\fonts\defatted_milk-Outline.ttf
2010-06-09 14:28:41 33364 ----a-w- c:\windows\fonts\defatted_milk-Light.ttf
2010-06-09 14:28:41 33284 ----a-w- c:\windows\fonts\defatted_milk-Bold.ttf
2010-06-09 14:28:41 33176 ----a-w- c:\windows\fonts\defatted_milk-Condensed.ttf
2010-06-09 14:28:41 32992 ----a-w- c:\windows\fonts\defatted_milk-Reg.ttf
2010-06-08 00:34:52 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-06-08 00:34:42 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-06-08 00:34:42 13902440 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-08 00:34:42 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-06-08 00:34:40 154728 ----a-w- c:\windows\system32\nvsvc32.exe
2010-06-08 00:34:40 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-06-07 23:57:00 6300544 ----a-w- c:\windows\system32\nv4_disp.dll
2010-06-07 23:57:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-07 23:57:00 4554752 ----a-w- c:\windows\system32\nvcuda.dll
2010-06-07 23:57:00 2632296 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-07 23:57:00 232040 ----a-w- c:\windows\system32\nvcodins.dll
2010-06-07 23:57:00 232040 ----a-w- c:\windows\system32\nvcod.dll
2010-06-07 23:57:00 2186342 ----a-w- c:\windows\system32\nvdata.bin
2010-06-07 23:57:00 2165352 ----a-w- c:\windows\system32\nvcuvid.dll
2010-06-07 23:57:00 15192064 ----a-w- c:\windows\system32\nvoglnt.dll
2010-06-07 23:57:00 1359872 ----a-w- c:\windows\system32\nvapi.dll
2010-06-07 23:57:00 10531200 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-06-07 23:57:00 10256384 ----a-w- c:\windows\system32\nvcompiler.dll
2010-05-28 19:58:26 600680 ----a-w- c:\windows\system32\nvuninst.exe
2009-10-28 08:15:53 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009102820091029\index.dat

============= FINISH: 14:15:32.85 ===============

###########################################################


The Combo Fix log:
###########################################################

ComboFix 10-07-19.01 - Owner 07/19/2010 20:24:30.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1398 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-07-20 02:56 . 2010-02-26 23:51 6870864 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\setup.exe
2010-07-20 02:56 . 2010-02-26 23:45 743872 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\install.exe
2010-07-20 02:56 . 2008-02-29 12:42 386496 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\magicJackSplash.exe
2010-07-20 02:55 . 2010-07-20 02:55 -------- d-----w- C:\spoolerlogs
2010-07-19 14:47 . 2010-07-19 15:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-19 14:47 . 2010-07-19 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-19 14:32 . 2010-07-19 14:32 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-07-19 09:09 . 2010-07-19 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-07-19 09:09 . 2010-07-19 09:29 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-07-18 18:27 . 2010-07-18 18:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-13 21:30 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-09 22:06 . 2010-07-18 18:26 -------- d-----w- c:\program files\FileASSASSIN
2010-07-09 21:52 . 2010-07-09 21:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WinZip
2010-06-27 19:47 . 2010-06-27 19:52 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-06-27 19:47 . 2010-06-27 19:52 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-06-27 19:47 . 2010-06-27 19:52 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-06-27 19:47 . 2010-06-07 23:57 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-27 19:47 . 2010-06-07 23:57 10256384 ----a-w- c:\windows\system32\nvcompiler.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-20 02:56 . 2009-10-28 10:19 -------- d-----w- c:\documents and settings\Owner\Application Data\mjusbsp
2010-07-19 14:34 . 2010-04-01 03:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-19 08:29 . 2009-10-30 14:16 -------- d-----w- c:\program files\Java
2010-07-19 08:29 . 2009-10-30 14:16 -------- d-----w- c:\program files\Common Files\Java
2010-07-19 00:09 . 2009-10-30 21:15 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-07-19 00:09 . 2009-10-30 21:15 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-07-12 13:11 . 2009-10-28 18:09 -------- d-----w- c:\program files\Thumbs4
2010-07-08 15:19 . 2009-10-29 22:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Sites
2010-07-08 15:19 . 2009-10-29 22:37 -------- d-----w- c:\documents and settings\Owner\Application Data\SiteClasses
2010-07-04 16:22 . 2009-10-27 17:17 377856 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-27 19:52 . 2010-02-26 03:19 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-16 13:01 . 2010-03-02 00:48 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-16 00:43 . 2010-05-30 22:47 -------- d-----w- c:\program files\QuickTime
2010-06-16 00:42 . 2010-06-16 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-14 14:31 . 2009-10-27 15:28 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-08 01:20 . 2010-03-31 13:08 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-06-08 00:34 . 2010-06-08 00:34 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-06-08 00:34 . 2010-06-08 00:34 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-06-08 00:34 . 2010-06-08 00:34 13902440 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-08 00:34 . 2010-06-08 00:34 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-06-08 00:34 . 2010-06-08 00:34 154728 ----a-w- c:\windows\system32\nvsvc32.exe
2010-06-08 00:34 . 2010-06-08 00:34 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-06-07 23:57 . 2009-10-28 08:04 10531200 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-06-07 23:57 . 2009-10-28 08:04 6300544 ----a-w- c:\windows\system32\nv4_disp.dll
2010-06-07 23:57 . 2009-09-27 23:12 4554752 ----a-w- c:\windows\system32\nvcuda.dll
2010-06-07 23:57 . 2009-09-27 23:12 2632296 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-07 23:57 . 2009-09-27 23:12 232040 ----a-w- c:\windows\system32\nvcodins.dll
2010-06-07 23:57 . 2009-09-27 23:12 232040 ----a-w- c:\windows\system32\nvcod.dll
2010-06-07 23:57 . 2009-09-27 23:12 2186342 ----a-w- c:\windows\system32\nvdata.bin
2010-06-07 23:57 . 2009-09-27 23:12 2165352 ----a-w- c:\windows\system32\nvcuvid.dll
2010-06-07 23:57 . 2009-09-27 23:12 15192064 ----a-w- c:\windows\system32\nvoglnt.dll
2010-06-07 23:57 . 2009-09-27 23:12 1359872 ----a-w- c:\windows\system32\nvapi.dll
2010-06-05 23:15 . 2009-10-30 14:15 -------- d-----w- c:\documents and settings\Owner\Application Data\MP3Rocket
2010-06-05 23:13 . 2009-10-30 14:15 -------- d-----w- c:\program files\MP3 Rocket
2010-06-05 17:17 . 2010-03-02 00:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-01 23:47 . 2010-02-25 04:47 -------- d-----w- c:\program files\LooksBuilderSE
2010-05-30 22:49 . 2010-05-24 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-30 22:49 . 2010-01-16 19:29 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-05-30 22:49 . 2010-01-16 19:29 -------- d-----w- c:\program files\DivX
2010-05-30 22:49 . 2010-05-24 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-30 22:47 . 2010-05-27 04:07 -------- d-----w- c:\program files\QuickTime(2)
2010-05-29 04:01 . 2010-05-29 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-05-28 19:58 . 2010-02-26 03:21 600680 ----a-w- c:\windows\system32\nvuninst.exe
2010-05-25 01:56 . 2010-01-16 19:50 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2010-05-24 21:12 . 2010-05-24 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-24 21:12 . 2010-05-24 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-05-24 18:33 . 2009-10-29 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-02 05:22 . 2007-07-22 10:31 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-02-25 2387968]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-02 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-16 16384512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-16 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-16 137752]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-06-03 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-08 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-08 13902440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2007-07-22 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-29 98304]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-29 98304]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\umi.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/1/2010 5:19 PM 64288]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [1/19/2009 11:31 AM 277544]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352832]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/25/2010 8:21 PM 58600]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [1/17/2010 10:44 AM 1527900]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [1/17/2010 10:46 AM 544768]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-02-25 18:12 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mascotgraphics.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
.
- - - - ORPHANS REMOVED - - - -

BHO-{D63F58E9-B8BB-4DBA-B2A0-44F72C2A61BD} - (no file)
WebBrowser-{A057A204-BACC-4D26-8287-79A187E26987} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 20:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-2139871995-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,72,d7,54,16,71,12,43,b0,7f,df,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,72,d7,54,16,71,12,43,b0,7f,df,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-07-19 20:30:38
ComboFix-quarantined-files.txt 2010-07-20 03:30

Pre-Run: 401,624,743,936 bytes free
Post-Run: 403,346,374,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 60EFC6C8984518FBFC58816C8E090D3C



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:05 PM

Posted 09 August 2010 - 07:56 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 mascot

mascot
  • Topic Starter

  • Members
  • 24 posts
  • Local time:03:05 PM

Posted 11 August 2010 - 12:48 AM

Hi, yes, I'm still here. I just got back from vacation this evening, and will be at work all day Wednesday...but I'll be sure to check for your reply.

Thank you!



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:05 PM

Posted 11 August 2010 - 04:53 PM

Okay, well first, you should not be running ComboFix yourself.

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Now, we do need to run it again; the original run was three weeks ago now. If you still have it then run it and agree to any updates. If you don't then download it from one of these links:
Please post the log.
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:05 PM

Posted 14 August 2010 - 08:02 AM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#6 mascot

mascot
  • Topic Starter

  • Members
  • 24 posts
  • Local time:03:05 PM

Posted 14 August 2010 - 10:15 AM

Yes, I'm planning on running ComboFix this weekend. I just got back from vacation the other day and I have not had time to sit at my computer for very long (work, catching up, etc.). I will post the results when I run it.

thanks.

#7 mascot

mascot
  • Topic Starter

  • Members
  • 24 posts
  • Local time:03:05 PM

Posted 14 August 2010 - 02:18 PM

Here's the log file:
ComboFix 10-08-14.02 - Owner 08/14/2010 12:07:45.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1272 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\comres(3).dll
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-07-14 to 2010-08-14 )))))))))))))))))))))))))))))))
.

2010-08-14 10:00 . 2010-08-14 10:00 -------- d-----w- c:\windows\LastGood
2010-08-14 00:25 . 2010-02-26 23:51 6870864 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\setup.exe
2010-08-14 00:25 . 2010-02-26 23:45 743872 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\install.exe
2010-08-14 00:25 . 2008-02-29 12:42 386496 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\magicJackSplash.exe
2010-08-03 19:04 . 2010-08-03 19:04 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6249aa61-n\msvcp71.dll
2010-08-03 19:04 . 2010-08-03 19:04 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6249aa61-n\jmc.dll
2010-08-03 19:04 . 2010-08-03 19:04 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6249aa61-n\msvcr71.dll
2010-08-03 19:04 . 2010-08-03 19:04 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-27070934-n\decora-sse.dll
2010-08-03 19:04 . 2010-08-03 19:04 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-27070934-n\decora-d3d.dll
2010-08-02 23:52 . 2010-08-02 23:52 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-02 22:22 . 2010-08-02 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-08-02 22:22 . 2010-08-02 23:47 -------- d-----w- c:\program files\Yahoo!
2010-08-02 21:59 . 2010-08-02 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-01 19:57 . 2010-08-01 19:57 -------- d-----w- c:\program files\Runtime Software
2010-08-01 05:00 . 2010-08-02 23:48 -------- d-----w- c:\windows\system32\NtmsData
2010-07-30 23:37 . 2010-07-30 23:37 -------- d-----w- C:\spoolerlogs
2010-07-30 17:13 . 2010-07-30 17:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-30 17:13 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-30 17:13 . 2010-07-30 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-30 17:13 . 2010-07-30 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 17:13 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 05:42 . 2010-07-25 05:42 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2010-07-25 05:41 . 2010-07-25 05:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-25 05:41 . 2010-07-12 08:56 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-21 04:40 . 2010-07-21 04:40 2605008 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-07-21 04:39 . 2010-07-21 04:39 -------- d-----w- c:\program files\Common Files\Java
2010-07-20 04:04 . 2010-07-20 04:04 -------- d-----w- c:\program files\MSXML 6.0
2010-07-20 03:38 . 2010-07-20 04:33 -------- d-----w- C:\RECYCLER(2)
2010-07-19 14:47 . 2010-07-21 04:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-19 14:47 . 2010-07-21 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-19 14:32 . 2010-07-19 14:32 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-07-19 09:09 . 2010-07-19 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-07-19 09:09 . 2010-07-19 09:29 -------- d-----w- c:\program files\Frontline Registry Cleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-14 00:25 . 2009-10-28 10:19 -------- d-----w- c:\documents and settings\Owner\Application Data\mjusbsp
2010-08-03 15:31 . 2009-10-30 21:15 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-08-03 15:31 . 2009-10-30 21:15 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-08-02 22:24 . 2010-01-16 19:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2010-07-21 04:48 . 2009-10-29 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-21 04:37 . 2009-10-30 14:16 -------- d-----w- c:\program files\Java
2010-07-20 03:44 . 2009-10-27 15:29 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-07-19 14:34 . 2010-04-01 03:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-18 18:26 . 2010-07-09 22:06 -------- d-----w- c:\program files\FileASSASSIN
2010-07-12 13:11 . 2009-10-28 18:09 -------- d-----w- c:\program files\Thumbs4
2010-07-12 08:55 . 2010-03-02 00:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55 . 2010-03-02 00:48 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-08 15:19 . 2009-10-29 22:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Sites
2010-07-08 15:19 . 2009-10-29 22:37 -------- d-----w- c:\documents and settings\Owner\Application Data\SiteClasses
2010-07-04 16:22 . 2009-10-27 17:17 377856 ------w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-30 12:31 . 2009-10-28 08:05 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-27 19:52 . 2010-02-26 03:19 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-27 19:52 . 2010-06-27 19:47 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-06-27 19:52 . 2010-06-27 19:47 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-06-27 19:52 . 2010-06-27 19:47 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-06-23 13:44 . 2009-10-28 08:05 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 11:36 . 2010-05-30 23:17 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-21 15:27 . 2009-10-28 08:05 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-03 22:56 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-16 00:43 . 2010-05-30 22:47 -------- d-----w- c:\program files\QuickTime
2010-06-16 00:42 . 2010-06-16 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-14 14:31 . 2009-10-27 15:28 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2007-07-22 10:31 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 00:34 . 2010-06-08 00:34 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-06-08 00:34 . 2010-06-08 00:34 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-06-08 00:34 . 2010-06-08 00:34 13902440 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-08 00:34 . 2010-06-08 00:34 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-06-08 00:34 . 2010-06-08 00:34 154728 ----a-w- c:\windows\system32\nvsvc32.exe
2010-06-08 00:34 . 2010-06-08 00:34 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-06-07 23:57 . 2010-06-27 19:47 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-07 23:57 . 2010-06-27 19:47 10256384 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-07 23:57 . 2009-10-28 08:04 10531200 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-06-07 23:57 . 2009-10-28 08:04 6300544 ----a-w- c:\windows\system32\nv4_disp.dll
2010-06-07 23:57 . 2009-09-27 23:12 4554752 ----a-w- c:\windows\system32\nvcuda.dll
2010-06-07 23:57 . 2009-09-27 23:12 2632296 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-07 23:57 . 2009-09-27 23:12 232040 ----a-w- c:\windows\system32\nvcodins.dll
2010-06-07 23:57 . 2009-09-27 23:12 232040 ----a-w- c:\windows\system32\nvcod.dll
2010-06-07 23:57 . 2009-09-27 23:12 2186342 ----a-w- c:\windows\system32\nvdata.bin
2010-06-07 23:57 . 2009-09-27 23:12 2165352 ----a-w- c:\windows\system32\nvcuvid.dll
2010-06-07 23:57 . 2009-09-27 23:12 15192064 ----a-w- c:\windows\system32\nvoglnt.dll
2010-06-07 23:57 . 2009-09-27 23:12 1359872 ----a-w- c:\windows\system32\nvapi.dll
2010-05-28 19:58 . 2010-02-26 03:21 600680 ----a-w- c:\windows\system32\nvuninst.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-02-25 2387968]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-02 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-16 16384512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-16 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-16 137752]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-06-03 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-08 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-08 13902440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2007-07-22 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-29 98304]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-29 98304]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\umi.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/1/2010 5:19 PM 64288]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [1/19/2009 11:31 AM 277544]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 1:55 AM 1355416]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/25/2010 8:21 PM 58600]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [1/17/2010 10:44 AM 1527900]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/11/2010 10:19 AM 15008]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [1/17/2010 10:46 AM 544768]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-02-25 18:12 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-08-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 17:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mascotgraphics.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
.
- - - - ORPHANS REMOVED - - - -

BHO-{D63F58E9-B8BB-4DBA-B2A0-44F72C2A61BD} - (no file)
WebBrowser-{A057A204-BACC-4D26-8287-79A187E26987} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-14 12:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-2139871995-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,72,d7,54,16,71,12,43,b0,7f,df,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,72,d7,54,16,71,12,43,b0,7f,df,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-08-14 12:15:31
ComboFix-quarantined-files.txt 2010-08-14 19:15
ComboFix2.txt 2010-07-20 03:30

Pre-Run: 398,040,735,744 bytes free
Post-Run: 398,168,326,144 bytes free

- - End Of File - - 97056E7D111A1584040388A20F86D6BA


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:05 PM

Posted 14 August 2010 - 05:26 PM

Just a clean-up to do; please run ComboFix again, as instructed below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Folder::
c:\documents and settings\Owner\Application Data\mjusbsp

RegLock::
[HKEY_USERS\S-1-5-21-1957994488-2139871995-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the graphic below).




Referring to the picture above, drag CFScript into ComboFix.exe.

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Just confirming, you are still having redirections?
m0le is a proud member of UNITE

#9 mascot

mascot
  • Topic Starter

  • Members
  • 24 posts
  • Local time:03:05 PM

Posted 14 August 2010 - 06:16 PM

Yes, still having the redirections. Here's the txt file:

ComboFix 10-08-14.02 - Owner 08/14/2010 16:01:44.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1379 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2010-07-14 to 2010-08-14 )))))))))))))))))))))))))))))))
.

2010-08-14 10:00 . 2010-08-14 10:00 -------- d-----w- c:\windows\LastGood
2010-08-14 00:25 . 2010-02-26 23:51 6870864 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\setup.exe
2010-08-14 00:25 . 2010-02-26 23:45 743872 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\install.exe
2010-08-14 00:25 . 2008-02-29 12:42 386496 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\magicJackSplash.exe
2010-08-03 19:04 . 2010-08-03 19:04 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6249aa61-n\msvcp71.dll
2010-08-03 19:04 . 2010-08-03 19:04 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6249aa61-n\jmc.dll
2010-08-03 19:04 . 2010-08-03 19:04 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6249aa61-n\msvcr71.dll
2010-08-03 19:04 . 2010-08-03 19:04 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-27070934-n\decora-sse.dll
2010-08-03 19:04 . 2010-08-03 19:04 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-27070934-n\decora-d3d.dll
2010-08-02 23:52 . 2010-08-02 23:52 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-02 22:22 . 2010-08-02 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-08-02 22:22 . 2010-08-02 23:47 -------- d-----w- c:\program files\Yahoo!
2010-08-02 21:59 . 2010-08-02 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-01 19:57 . 2010-08-01 19:57 -------- d-----w- c:\program files\Runtime Software
2010-08-01 05:00 . 2010-08-02 23:48 -------- d-----w- c:\windows\system32\NtmsData
2010-07-30 23:37 . 2010-07-30 23:37 -------- d-----w- C:\spoolerlogs
2010-07-30 17:13 . 2010-07-30 17:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-30 17:13 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-30 17:13 . 2010-07-30 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-30 17:13 . 2010-07-30 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 17:13 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 05:42 . 2010-07-25 05:42 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2010-07-25 05:41 . 2010-07-25 05:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-25 05:41 . 2010-07-12 08:56 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-21 04:40 . 2010-07-21 04:40 2605008 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-07-21 04:39 . 2010-07-21 04:39 -------- d-----w- c:\program files\Common Files\Java
2010-07-20 04:04 . 2010-07-20 04:04 -------- d-----w- c:\program files\MSXML 6.0
2010-07-20 03:38 . 2010-07-20 04:33 -------- d-----w- C:\RECYCLER(2)
2010-07-19 14:47 . 2010-07-21 04:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-19 14:47 . 2010-07-21 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-19 14:32 . 2010-07-19 14:32 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-07-19 09:09 . 2010-07-19 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-07-19 09:09 . 2010-07-19 09:29 -------- d-----w- c:\program files\Frontline Registry Cleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-14 00:25 . 2009-10-28 10:19 -------- d-----w- c:\documents and settings\Owner\Application Data\mjusbsp
2010-08-03 15:31 . 2009-10-30 21:15 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-08-03 15:31 . 2009-10-30 21:15 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-08-02 22:24 . 2010-01-16 19:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2010-07-21 04:48 . 2009-10-29 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-21 04:37 . 2009-10-30 14:16 -------- d-----w- c:\program files\Java
2010-07-20 03:44 . 2009-10-27 15:29 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-07-19 14:34 . 2010-04-01 03:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-18 18:26 . 2010-07-09 22:06 -------- d-----w- c:\program files\FileASSASSIN
2010-07-12 13:11 . 2009-10-28 18:09 -------- d-----w- c:\program files\Thumbs4
2010-07-12 08:55 . 2010-03-02 00:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55 . 2010-03-02 00:48 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-08 15:19 . 2009-10-29 22:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Sites
2010-07-08 15:19 . 2009-10-29 22:37 -------- d-----w- c:\documents and settings\Owner\Application Data\SiteClasses
2010-07-04 16:22 . 2009-10-27 17:17 377856 ------w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-30 12:31 . 2009-10-28 08:05 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-27 19:52 . 2010-02-26 03:19 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-27 19:52 . 2010-06-27 19:47 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-06-27 19:52 . 2010-06-27 19:47 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-06-27 19:52 . 2010-06-27 19:47 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-06-23 13:44 . 2009-10-28 08:05 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 11:36 . 2010-05-30 23:17 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-21 15:27 . 2009-10-28 08:05 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-03 22:56 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-16 00:43 . 2010-05-30 22:47 -------- d-----w- c:\program files\QuickTime
2010-06-16 00:42 . 2010-06-16 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-14 14:31 . 2009-10-27 15:28 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2007-07-22 10:31 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 00:34 . 2010-06-08 00:34 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-06-08 00:34 . 2010-06-08 00:34 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-06-08 00:34 . 2010-06-08 00:34 13902440 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-08 00:34 . 2010-06-08 00:34 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-06-08 00:34 . 2010-06-08 00:34 154728 ----a-w- c:\windows\system32\nvsvc32.exe
2010-06-08 00:34 . 2010-06-08 00:34 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-06-07 23:57 . 2010-06-27 19:47 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-07 23:57 . 2010-06-27 19:47 10256384 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-07 23:57 . 2009-10-28 08:04 10531200 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-06-07 23:57 . 2009-10-28 08:04 6300544 ----a-w- c:\windows\system32\nv4_disp.dll
2010-06-07 23:57 . 2009-09-27 23:12 4554752 ----a-w- c:\windows\system32\nvcuda.dll
2010-06-07 23:57 . 2009-09-27 23:12 2632296 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-07 23:57 . 2009-09-27 23:12 232040 ----a-w- c:\windows\system32\nvcodins.dll
2010-06-07 23:57 . 2009-09-27 23:12 232040 ----a-w- c:\windows\system32\nvcod.dll
2010-06-07 23:57 . 2009-09-27 23:12 2186342 ----a-w- c:\windows\system32\nvdata.bin
2010-06-07 23:57 . 2009-09-27 23:12 2165352 ----a-w- c:\windows\system32\nvcuvid.dll
2010-06-07 23:57 . 2009-09-27 23:12 15192064 ----a-w- c:\windows\system32\nvoglnt.dll
2010-06-07 23:57 . 2009-09-27 23:12 1359872 ----a-w- c:\windows\system32\nvapi.dll
2010-05-28 19:58 . 2010-02-26 03:21 600680 ----a-w- c:\windows\system32\nvuninst.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-02-25 2387968]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-02 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-16 16384512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-16 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-16 137752]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-06-03 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-08 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-08 13902440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2007-07-22 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-29 98304]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-29 98304]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\umi.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/1/2010 5:19 PM 64288]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [1/19/2009 11:31 AM 277544]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 1:55 AM 1355416]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/25/2010 8:21 PM 58600]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [1/17/2010 10:44 AM 1527900]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/11/2010 10:19 AM 15008]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [1/17/2010 10:46 AM 544768]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-02-25 18:12 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-08-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 17:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mascotgraphics.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-14 16:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3488)
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\windows\system32\msi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2010-08-14 16:09:54
ComboFix-quarantined-files.txt 2010-08-14 23:09
ComboFix2.txt 2010-08-14 19:15
ComboFix3.txt 2010-07-20 03:30

Pre-Run: 398,156,677,120 bytes free
Post-Run: 398,176,866,304 bytes free

- - End Of File - - BD1A13DE1B6385DCFCD56FFC3DB7D808

#10 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK


Posted 14 August 2010 - 06:35 PM

We need to check for rootkits

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE
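
Since the MBR check above boils down to hashing the boot code in the first sector and comparing it with known-good builds, here is a small Python script, added as an illustration and not part of the thread or of MBRCheck, that parses a 512-byte MBR, verifies the 0x55AA boot signature, decodes the partition table (the byte offset it computes for a partition starting at LBA 63 is the 0x7e00 figure MBRCheck prints per volume) and labels the boot code against an allowlist. The sample MBR, the tampered copy and the allowlist are constructed; the hash it produces is not a real Windows XP MBR hash.

```python
"""Added example (not code from the thread, from MBRCheck or from any
vendor): parse a 512-byte MBR, verify the boot signature, decode the
partition table and compare a SHA-1 of the boot-code area against an
allowlist, which is the kind of check behind an "MBR code detected" line.

The sample MBR built below is constructed for this example; its hash is
NOT a real Windows XP MBR hash.
"""
import hashlib
import struct

SECTOR = 512
MBR_CODE_LEN = 440      # boot code; disk signature and partition table follow
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"  # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-code SHA-1, signature validity and used partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR,  # the per-volume offset MBRCheck prints
            "sectors": sectors,
        })
    return {
        "signature_ok": mbr[510:512] == BOOT_SIG,
        "code_sha1": hashlib.sha1(mbr[:MBR_CODE_LEN]).hexdigest().upper(),
        "partitions": parts,
    }


def classify_mbr(mbr: bytes, known_good: dict) -> str:
    """Label the boot code as a known-good build or as unrecognised."""
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        return "INVALID: missing 0x55AA boot signature"
    label = known_good.get(info["code_sha1"])
    if label:
        return "known-good: " + label
    return "UNKNOWN MBR code (compare against a clean image before trusting it)"


def build_sample_mbr() -> bytes:
    """Construct a plausible single-partition MBR (sample data, not a real disk)."""
    code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x00" * (MBR_CODE_LEN - 8)
    disk_sig = b"\x12\x34\x56\x78\x00\x00"  # 4-byte disk signature + 2 reserved bytes
    first = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,  # active, NTFS
                        b"\xFE\xFF\xFF", 63, 976768002)             # starts at LBA 63
    table = first + b"\x00" * 48                                    # three empty entries
    return code + disk_sig + table + BOOT_SIG


def tamper_boot_code(mbr: bytes) -> bytes:
    """Simulate a bootkit that rewrites the boot code but keeps the partition table."""
    patched = bytearray(mbr)
    patched[0:4] = b"\xEB\x58\x90\x00"
    return bytes(patched)


if __name__ == "__main__":
    clean = build_sample_mbr()
    allow = {parse_mbr(clean)["code_sha1"]: "constructed sample boot code"}
    for name, image in (("clean", clean), ("tampered", tamper_boot_code(clean))):
        info = parse_mbr(image)
        print(name, info["code_sha1"], classify_mbr(image, allow))
        for p in info["partitions"]:
            print("  partition", p["index"], "type 0x%02X" % p["type"],
                  "offset 0x%08X" % p["byte_offset"], "sectors", p["sectors"])
```

On a real machine the 512 bytes come from opening the physical drive read-only with administrative rights; build the allowlist from a trusted installation, never from the box under investigation, since a bootkit that keeps the partition table intact looks perfectly healthy to everything except the hash comparison.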

#11 mascot

  • Topic Starter
  • Members
  • 24 posts

Posted 14 August 2010 - 07:07 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000dd

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80B8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB85AC000 dmload.sys
0xB7F23000 dmio.sys
0xB8330000 PartMgr.sys
0xB80C8000 VolSnap.sys
0xB7F0B000 atapi.sys
0xB80D8000 ultra.sys
0xB7EF3000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB80E8000 disk.sys
0xB80F8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7ED3000 fltmgr.sys
0xB7EC1000 sr.sys
0xB8108000 Lbd.sys
0xB8118000 PxHelp20.sys
0xB7EAA000 KSecDD.sys
0xB7E1D000 Ntfs.sys
0xB7DF0000 NDIS.sys
0xB7DD6000 Mup.sys
0xB6FC7000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB6FB3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB6F8B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB6F72000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xB8478000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB6F4E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8480000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8198000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB8488000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8490000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB81A8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB7DAE000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB81B8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB81C8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB81D8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB6F2B000 \SystemRoot\system32\DRIVERS\ks.sys
0xB81E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8682000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB81F8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB7DA6000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB6F14000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB8208000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB8218000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8498000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB6F03000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8228000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB84A0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB84A8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB6ED3000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8238000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB84B0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB85F0000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB6E75000 \SystemRoot\system32\DRIVERS\update.sys
0xB8540000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB6E47000 \SystemRoot\system32\DRIVERS\MarvinBus.sys
0xB8258000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB8268000 \SystemRoot\system32\drivers\nvhda32.sys
0xB4BFB000 \SystemRoot\system32\drivers\portcls.sys
0xB8278000 \SystemRoot\system32\drivers\drmk.sys
0xB4772000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB8288000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB85F6000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB8340000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB85F8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB8702000 \SystemRoot\System32\Drivers\Null.SYS
0xB85FA000 \SystemRoot\System32\Drivers\Beep.SYS
0xB8370000 \SystemRoot\System32\drivers\vga.sys
0xB85FC000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85FE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB8378000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB8380000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB4C43000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB46C7000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB466E000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB82A8000 \SystemRoot\system32\drivers\mfetdik.sys
0xB4648000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB4620000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB82B8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB45FE000 \SystemRoot\System32\drivers\afd.sys
0xB82C8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB45D3000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB4563000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB8388000 \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
0xB82D8000 \SystemRoot\System32\Drivers\Fips.SYS
0xB8390000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xB8398000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB82F8000 \SystemRoot\system32\drivers\usbaudio.sys
0xB4C27000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB8308000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB83A0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB83A8000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xB4C23000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB4477000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB8158000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB445F000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB866A000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB46EA000 \SystemRoot\System32\drivers\Dxapi.sys
0xB8408000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB868A000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB416B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB44F3000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xB3BE2000 \SystemRoot\system32\drivers\wdmaud.sys
0xB3C7F000 \SystemRoot\system32\drivers\sysaudio.sys
0xB38BD000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB3852000 \??\C:\WINDOWS\system32\drivers\acedrv11.sys
0xB37D3000 \SystemRoot\system32\DRIVERS\srv.sys
0xB39A4000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xB35A3000 \SystemRoot\system32\drivers\mfehidk.sys
0xB83E0000 \SystemRoot\system32\drivers\mfebopk.sys
0xB3BB2000 \SystemRoot\system32\drivers\mfeapfk.sys
0xB3B72000 \SystemRoot\system32\drivers\mfeavfk.sys
0xB312A000 \SystemRoot\System32\Drivers\HTTP.sys
0xB8644000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xB83F0000 \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys
0xB28D5000 \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys
0xB1446000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 47):
0 System Idle Process
4 System
680 C:\WINDOWS\system32\smss.exe
736 csrss.exe
760 C:\WINDOWS\system32\winlogon.exe
804 C:\WINDOWS\system32\services.exe
816 C:\WINDOWS\system32\lsass.exe
996 C:\WINDOWS\system32\nvsvc32.exe
1028 C:\WINDOWS\system32\svchost.exe
1092 svchost.exe
1188 C:\WINDOWS\system32\svchost.exe
1336 svchost.exe
1408 svchost.exe
1796 C:\WINDOWS\system32\spoolsv.exe
1976 C:\WINDOWS\RTHDCPL.exe
2032 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE
2040 C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
180 C:\Program Files\McAfee\Common Framework\UdaterUI.exe
428 C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
500 C:\Program Files\McAfee\Common Framework\Mctray.exe
584 C:\WINDOWS\system32\rundll32.exe
616 C:\Program Files\Common Files\Java\Java Update\jusched.exe
628 C:\WINDOWS\system32\ctfmon.exe
660 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
884 C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
520 svchost.exe
2024 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
724 C:\Program Files\Java\jre6\bin\jqs.exe
988 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1168 C:\Program Files\McAfee\Common Framework\FrameworkService.exe
280 C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
1568 C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
2052 naPrdMgr.exe
2184 C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
2300 C:\WINDOWS\system32\svchost.exe
2808 C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
3260 alg.exe
3504 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
3652 unsecapp.exe
3820 wmiprvse.exe
2924 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
3020 C:\WINDOWS\system32\wscntfy.exe
2640 C:\WINDOWS\system32\wuauclt.exe
3488 C:\WINDOWS\explorer.exe
3540 C:\Program Files\Internet Explorer\iexplore.exe
600 C:\Program Files\Messenger\msmsgs.exe
2060 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: WDCWD5000AAVS-00ZTB0, Rev: 01.01B01
PhysicalDrive1 Model Number: WD3200AAJ External, Rev: 1.06

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
298 GB \\.\PhysicalDrive1 RE: Western Digital MBR code detected
SHA1: CCCF1B32EE08ECFB66B30883CFF6110F69219FEA


Done!

#12 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK


Posted 14 August 2010 - 07:25 PM

That's okay, let's try TDSSKiller to see if anything's still around
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

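
The TDSSKiller report lists every loaded driver with its MD5 and path, which is exactly the data a first triage pass needs. The Python script below is an added example, not from the thread and not Kaspersky's code: it parses log lines of that shape and flags drivers loaded from temp or profile folders, drivers outside the usual driver directories, and drivers whose MD5 differs from a baseline recorded on a known-clean machine. The log lines, the hashes and the baseline in it are constructed.

```python
"""Added example (not part of the thread and not TDSSKiller's own code):
triage a TDSSKiller-style driver listing.  Each driver line has the shape

    YYYY/MM/DD HH:MM:SS.mmm ServiceName (md5) C:\\path\\to\\driver.sys

Three checks: drivers loaded from temp or profile folders, drivers outside
the usual driver directories, and drivers whose MD5 differs from a baseline
captured on a known-clean machine.  The log lines, the hashes and the
baseline below are constructed for this example.
"""
import re

LINE_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<name>.+?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)
EXPECTED_PREFIXES = ("c:\\windows\\system32\\drivers\\", "c:\\program files\\")
SUSPECT_FRAGMENTS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\",
                     "\\users\\", "\\local settings\\")

# Constructed sample in TDSSKiller's line format (service names and hashes are made up).
SAMPLE_LOG = r"""2010/08/14 17:28:31.0343 TDSS rootkit removing tool 2.4.1.1 Aug 10 2010 14:48:09
2010/08/14 17:28:38.0671 Scan started
2010/08/14 17:28:40.0640 ACPI (00000000000000000000000000000001) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/14 17:28:41.0031 Lavasoft Kernexplorer (00000000000000000000000000000002) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/08/14 17:28:42.0000 atapi (0000000000000000000000000000dead) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/14 17:28:43.0000 sample_tmp (00000000000000000000000000000003) C:\DOCUME~1\Owner\LOCALS~1\Temp\sample_tmp.sys
2010/08/14 17:28:44.0000 sample_sys (00000000000000000000000000000004) C:\WINDOWS\system32\sample_sys.sys
2010/08/14 17:29:55.0125 Scan finished
"""

# MD5s recorded on a clean machine (constructed values; build your own from a known-good install).
CLEAN_BASELINE = {
    "acpi": "00000000000000000000000000000001",
    "atapi": "000000000000000000000000000000ab",
}


def parse_line(line: str):
    """Return {name, md5, path} for a driver line, None for banners and separators."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["md5"] = entry["md5"].lower()
    return entry


def triage(log_text: str, baseline: dict) -> list:
    """Return (service name, path, reason) tuples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        path_lc = e["path"].lower()
        if any(frag in path_lc for frag in SUSPECT_FRAGMENTS):
            findings.append((e["name"], e["path"],
                             "kernel driver loaded from a temp or profile directory"))
        elif not path_lc.startswith(EXPECTED_PREFIXES):
            findings.append((e["name"], e["path"],
                             "driver outside the usual driver directories"))
        expected = baseline.get(e["name"].lower())
        if expected and expected != e["md5"]:
            findings.append((e["name"], e["path"], "MD5 differs from the clean baseline"))
    return findings


if __name__ == "__main__":
    for name, path, reason in triage(SAMPLE_LOG, CLEAN_BASELINE):
        print("%-22s %s\n    %s" % (name, reason, path))
```

A clean report such as the one posted later in the thread produces no findings with these rules, because every driver sits under system32\drivers or Program Files; the scanner's own helper drivers that show up under a user's Temp folder while a scan is running are expected, so check the timestamp against the scan before treating such a hit as hostile.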

#13 mascot

  • Topic Starter
  • Members
  • 24 posts

Posted 14 August 2010 - 07:30 PM

No threats found....

2010/08/14 17:28:31.0343 TDSS rootkit removing tool 2.4.1.1 Aug 10 2010 14:48:09
2010/08/14 17:28:31.0343 ================================================================================
2010/08/14 17:28:31.0343 SystemInfo:
2010/08/14 17:28:31.0343
2010/08/14 17:28:31.0343 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/14 17:28:31.0343 Product type: Workstation
2010/08/14 17:28:31.0343 ComputerName: OWNER-PC
2010/08/14 17:28:31.0343 UserName: Owner
2010/08/14 17:28:31.0343 Windows directory: C:\WINDOWS
2010/08/14 17:28:31.0343 System windows directory: C:\WINDOWS
2010/08/14 17:28:31.0343 Processor architecture: Intel x86
2010/08/14 17:28:31.0343 Number of processors: 2
2010/08/14 17:28:31.0343 Page size: 0x1000
2010/08/14 17:28:31.0343 Boot type: Normal boot
2010/08/14 17:28:31.0343 ================================================================================
2010/08/14 17:28:31.0500 Initialize success
2010/08/14 17:28:38.0671 ================================================================================
2010/08/14 17:28:38.0671 Scan started
2010/08/14 17:28:38.0671 Mode: Manual;
2010/08/14 17:28:38.0671 ================================================================================
2010/08/14 17:28:40.0203 acedrv11 (a6fe70357a68ad1e279cd1012419cce6) C:\WINDOWS\system32\drivers\acedrv11.sys
2010/08/14 17:28:40.0640 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/14 17:28:41.0031 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/14 17:28:41.0609 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/14 17:28:42.0000 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/14 17:28:45.0359 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/14 17:28:45.0765 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/14 17:28:46.0515 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/14 17:28:46.0937 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/14 17:28:47.0328 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/14 17:28:47.0843 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/14 17:28:48.0234 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/08/14 17:28:49.0000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/14 17:28:49.0390 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/14 17:28:49.0781 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/14 17:28:51.0703 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/14 17:28:52.0156 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/14 17:28:52.0625 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/14 17:28:53.0015 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/14 17:28:53.0390 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/14 17:28:54.0203 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/14 17:28:54.0609 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/14 17:28:55.0015 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/08/14 17:28:55.0421 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/14 17:28:55.0828 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/08/14 17:28:56.0234 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/08/14 17:28:56.0640 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/14 17:28:57.0046 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/14 17:28:57.0453 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/14 17:28:57.0843 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/08/14 17:28:58.0296 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/14 17:28:59.0093 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/14 17:29:00.0250 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/14 17:29:00.0765 ialm (c4018896856a1a1f1f3a0a6ee7206551) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2010/08/14 17:29:01.0203 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/14 17:29:02.0109 IntcAzAudAddService (b1a809e7fe19becd5aca61f0e7088c8c) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/08/14 17:29:02.0921 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/14 17:29:03.0343 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/08/14 17:29:03.0734 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/14 17:29:04.0140 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/14 17:29:04.0531 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/14 17:29:04.0937 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/14 17:29:05.0328 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/14 17:29:05.0750 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/14 17:29:06.0140 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/14 17:29:06.0546 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/14 17:29:06.0937 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/14 17:29:07.0062 Lavasoft Kernexplorer (32da3fde01f1bb080c2e69521dd8881e) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/08/14 17:29:07.0468 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/08/14 17:29:08.0296 MarvinBus (a3e700d78eec390f1208098cdca5c6b6) C:\WINDOWS\system32\DRIVERS\MarvinBus.sys
2010/08/14 17:29:08.0718 mfeapfk (1f334eb2a13816df45671ebb98896da7) C:\WINDOWS\system32\drivers\mfeapfk.sys
2010/08/14 17:29:09.0109 mfeavfk (8a1dedbbdad33587f6fad780ce4b34b5) C:\WINDOWS\system32\drivers\mfeavfk.sys
2010/08/14 17:29:09.0515 mfebopk (d800e31a019a6979698eef0507baa746) C:\WINDOWS\system32\drivers\mfebopk.sys
2010/08/14 17:29:09.0890 mfehidk (0ae14fab8e25c258c6ebf3827c649273) C:\WINDOWS\system32\drivers\mfehidk.sys
2010/08/14 17:29:10.0031 mferkdk (e72afc5056f6804c616e7dc32a38945f) C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
2010/08/14 17:29:10.0437 mfetdik (a47f0f63e92730de15d41624ab998c5c) C:\WINDOWS\system32\drivers\mfetdik.sys
2010/08/14 17:29:10.0859 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/14 17:29:11.0281 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/14 17:29:11.0687 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/14 17:29:12.0078 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/14 17:29:12.0468 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/14 17:29:13.0265 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/14 17:29:13.0671 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/14 17:29:14.0125 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/14 17:29:14.0531 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/14 17:29:14.0921 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/14 17:29:15.0343 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/14 17:29:15.0734 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/14 17:29:16.0125 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/08/14 17:29:16.0531 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/14 17:29:16.0921 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/08/14 17:29:17.0343 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/14 17:29:17.0750 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/08/14 17:29:18.0156 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/14 17:29:18.0562 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/14 17:29:18.0968 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/14 17:29:19.0375 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/14 17:29:19.0796 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/14 17:29:20.0203 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/14 17:29:20.0656 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/14 17:29:21.0062 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/14 17:29:21.0484 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/14 17:29:22.0093 nv (18281a647f8d2a0afd00f4a9f52c59f4) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/08/14 17:29:22.0703 NVHDA (2d2b7b3ad297c659efa1d02852ca9860) C:\WINDOWS\system32\drivers\nvhda32.sys
2010/08/14 17:29:23.0109 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/14 17:29:23.0515 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/14 17:29:23.0937 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/08/14 17:29:24.0343 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/14 17:29:24.0734 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/14 17:29:25.0140 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/14 17:29:25.0921 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/14 17:29:26.0328 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/14 17:29:29.0046 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/14 17:29:29.0453 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/14 17:29:29.0937 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/14 17:29:30.0328 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/14 17:29:32.0625 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/14 17:29:33.0031 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/14 17:29:33.0453 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/14 17:29:33.0875 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/14 17:29:34.0265 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/14 17:29:34.0703 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/14 17:29:35.0125 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/14 17:29:35.0578 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/14 17:29:36.0000 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/14 17:29:36.0437 rspndr (0e11b35e972796042044bc27ce13b065) C:\WINDOWS\system32\DRIVERS\rspndr.sys
2010/08/14 17:29:36.0875 RTLE8023xp (badabe0940c01619e8510b90fb314929) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/08/14 17:29:37.0312 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/14 17:29:37.0703 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/14 17:29:38.0093 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/14 17:29:38.0531 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/14 17:29:39.0328 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/08/14 17:29:39.0718 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2010/08/14 17:29:40.0515 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/14 17:29:40.0937 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/14 17:29:41.0359 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/14 17:29:41.0812 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/08/14 17:29:42.0203 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/14 17:29:42.0609 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/14 17:29:44.0531 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/14 17:29:44.0968 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/14 17:29:45.0406 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/14 17:29:45.0796 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/14 17:29:46.0203 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/14 17:29:47.0015 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/14 17:29:47.0437 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/08/14 17:29:47.0843 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/14 17:29:48.0296 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/08/14 17:29:48.0718 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/14 17:29:49.0125 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/14 17:29:49.0500 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/14 17:29:49.0906 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/14 17:29:50.0281 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/14 17:29:50.0671 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/14 17:29:51.0062 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2010/08/14 17:29:51.0453 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/14 17:29:52.0234 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/14 17:29:52.0687 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/14 17:29:53.0078 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
2010/08/14 17:29:53.0843 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/14 17:29:54.0281 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/08/14 17:29:54.0687 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/14 17:29:55.0078 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/14 17:29:55.0125 ================================================================================
2010/08/14 17:29:55.0125 Scan finished
2010/08/14 17:29:55.0125 ================================================================================

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:05 PM

Posted 14 August 2010 - 07:36 PM

Let's take a look at the registry and see what's been attached.

Open Notepad (go to Start > Run and type in Notepad and click OK).
Copy/paste the following text inside the code box into a new notepad document.

CODE
@ECHO OFF
REM Export the machine-wide and per-user IE search-provider (SearchScopes) keys to text
regedit /e look1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
regedit /e look2.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"
REM Join both exports into one log and open it in Notepad
Type look*.txt >log.txt
start log.txt
REM Clean up the intermediate files and this batch file itself
del look1.txt look2.txt
del %0
  • Go to the File menu at the top of the Notepad and select Save as.
  • Select save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save
  • Close the Notepad.
  • Locate look.bat on the desktop.
  • Double click the icon or Right-click to run it as administrator if you have Vista or Windows 7.
  • A notepad opens, copy and paste the content (log.txt) to your reply.

m0le is a proud member of UNITE

#15 mascot

mascot
  • Topic Starter

  • Members
  • 24 posts
  • Local time:03:05 PM

Posted 14 August 2010 - 07:39 PM

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
@="Live Search"
"DisplayName"="@ieframe.dll,-12512"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{D9E570D4-C7BF-4928-899E-E8DEE707951C}"
"Version"=dword:00000002
"DownloadUpdates"=dword:00000000
"UpgradeTime"=hex:74,80,78,c2,b9,d1,ca,01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D9E570D4-C7BF-4928-899E-E8DEE707951C}]
"DisplayName"="alltheweb"
"URL"="http://www.alltheweb.com/search?cat=web&cs=utf8&q={searchTerms}&rys=0&itag=crv&_sb_lang=pref"
"Codepage"=dword:0000fde9
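The look.bat procedure in m0le's post produces a concatenated regedit export like the one mascot pasted above, and a responder reads it by hand: which scope is the default in each hive, where each scope's URL actually points, and whether anything looks stale or out of place. The script below is an added example, not a BleepingComputer or m0le tool, that does that reading programmatically. It parses the .reg text format (string, dword and hex values, including hex values continued across lines with a trailing backslash), collects every scope under each SearchScopes root, and reports simple hygiene findings: a scope with no URL, a URL without the {searchTerms} placeholder, a non-web scheme, or a DefaultScope that names a scope that does not exist. The sample input is constructed from the two exports in the thread; the hostname allow-list passed to unexpected_hosts is an assumption the analyst supplies.

```python
"""Parse and audit a regedit /e export of the IE SearchScopes keys (added example)."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample: the HKLM and HKCU exports from the thread, joined the way
# look.bat's "type look*.txt" joins look1.txt and look2.txt.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
@="Live Search"
"DisplayName"="@ieframe.dll,-12512"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{D9E570D4-C7BF-4928-899E-E8DEE707951C}"
"Version"=dword:00000002
"DownloadUpdates"=dword:00000000
"UpgradeTime"=hex:74,80,78,c2,b9,d1,ca,01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D9E570D4-C7BF-4928-899E-E8DEE707951C}]
"DisplayName"="alltheweb"
"URL"="http://www.alltheweb.com/search?cat=web&cs=utf8&q={searchTerms}&rys=0&itag=crv&_sb_lang=pref"
"Codepage"=dword:0000fde9
"""

# "name"=value or @=value (the key's default value)
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
SCOPES_SUFFIX = "\\microsoft\\internet explorer\\searchscopes"


def decode_value(raw: str):
    """Turn the right-hand side of a .reg value line into a Python object."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):  # hex: as well as typed forms such as hex(2): or hex(7):
        return bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
    return raw  # anything else is kept verbatim


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Map each [key] in the export to a dict of its values.

    Multiple 'Windows Registry Editor' headers (from concatenated exports) are
    skipped, and hex values continued with a trailing ',\\' are re-joined."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith(",\\"):  # continuation of a hex value
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1)
            keys[current][name] = decode_value(m.group(2))
    return keys


def audit_search_scopes(keys: Dict[str, Dict[str, object]]) -> Tuple[List[dict], List[str]]:
    """Collect every scope under each SearchScopes root and list hygiene findings."""
    scopes: List[dict] = []
    findings: List[str] = []
    for root, rootvals in keys.items():
        if not root.lower().endswith(SCOPES_SUFFIX):
            continue
        hive = root.split("\\", 1)[0]
        default = str(rootvals.get("DefaultScope", "")).lower()
        seen = set()
        for key, vals in keys.items():
            if not key.lower().startswith(root.lower() + "\\"):
                continue
            guid = key[len(root) + 1:]
            seen.add(guid.lower())
            url = vals.get("URL")
            host = urlsplit(url).hostname if isinstance(url, str) else None
            # A DisplayName starting with '@' is a resource-string reference, not text.
            scopes.append({"hive": hive, "guid": guid, "url": url, "host": host,
                           "name": vals.get("DisplayName") or vals.get("@") or "",
                           "default": guid.lower() == default})
            if url is None:
                findings.append(f"{hive}: scope {guid} has no URL (empty or stale entry)")
                continue
            if urlsplit(url).scheme not in ("http", "https"):
                findings.append(f"{hive}: scope {guid} uses a non-web scheme in {url!r}")
            if "{searchTerms}" not in url:
                findings.append(f"{hive}: scope {guid} URL lacks the {{searchTerms}} placeholder")
        if default and default not in seen:
            findings.append(f"{hive}: DefaultScope {default} names a scope that does not exist")
    return scopes, findings


def unexpected_hosts(scopes: List[dict], expected) -> List[str]:
    """Hosts used by any scope that are not on the analyst-supplied allow-list."""
    allowed = {h.lower() for h in expected}
    return sorted({s["host"] for s in scopes if s["host"] and s["host"].lower() not in allowed})


if __name__ == "__main__":
    found, issues = audit_search_scopes(parse_reg(SAMPLE_REG))
    for s in found:
        print(f"{s['hive']:<18} {'*' if s['default'] else ' '} {s['guid']} {s['host']} {s['name']!r}")
    for line in issues:
        print("finding:", line)
    print("unexpected hosts:", unexpected_hosts(found, ["www.alltheweb.com", "search.live.com"]))
```

Run against the sample, it lists one scope per hive marked as default, reports the empty HKCU scope {171DEBEB-...} as having no URL, and shows that neither scope's host is the redirect destination mascot described, which is the question a responder wants answered before moving on to other persistence locations.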