Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Variant of TDL3 or TDSS


  • This topic is locked This topic is locked
9 replies to this topic

#1 sirona

sirona

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 18 August 2010 - 10:53 AM

I have been getting lots of search engine redirects as well as some other problems (ie mass spams sent from my e-mail). I have used AVG free anti-virus for a long time, and I think I got infected during that time. Then I uninstalled it and installed Avira anti-vir because I heard it's better at catching rootkits. I also ran spybot search & destroy but got no results. From your forums, and other malware sites on the internet, I got some tips that Hitman Pro 3 helps, so I installed and ran that. It catches nothing but displays the infamous "variant of TDL3 detected, the device stack of the hard disk is referencing a hidden driver" message.
Also looking at similar posts on the forum, I have installed and ran Kaspersky TDSS killer, which detects nothing and esage's TDSS remover, which says infection detected, then reboots my computer, then scans and catched nothing.
I am writing my dissertation thesis on this computer and I really really don't want to re-format it right now as my deadline is very close. I want to clean it up for now, get it to work until I'm done with my thesis and then I'll do a fresh install of Windows.
I'll appreciate any help tremendously.

(As a side note, I have bought this computer and installed windows XP in Jan 2010. I find it a bit suspicious that some files show the modification or creation date as 2008 or 2006. Also, I've been doing some manual search for system files with "TDSS" in the name from Start-->Search a few days ago, and since then I can't search for anything. It seems like the search algorithm enters an infinite loop and searches the same folders over and over again. I'm afraid any other anti malware programs' scan functions may have the same problem.)

Here is my DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Nergis at 17:33:12.12 on 18/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.500 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS.2\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS.2\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS.2\Explorer.EXE
C:\WINDOWS.2\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS.2\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS.2\system32\ctfmon.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS.2\system32\svchost.exe -k imgsvc
C:\WINDOWS.2\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Nergis\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows.2\system32\ctfmon.exe
uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC.exe
mRun: [igfxtray] c:\windows.2\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows.2\system32\hkcmd.exe
mRun: [igfxpers] c:\windows.2\system32\igfxpers.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows.2\system32\CTFMON.EXE
StartupFolder: c:\docume~1\nergis\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\nergis\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\documents and settings\nergis\start menu\programs\startup\Dropbox.lnk.disabled
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Microsoft Excel'e Gö&nder - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {3BCF05C8-E14E-4F52-ACFB-8FE7AE4829ED} = 213.191.92.86 62.109.123.6
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: egypack - egypack.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nergis\applic~1\mozilla\firefox\profiles\zr4f6f4z.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SSHDRV85;SSHDRV85;c:\windows.2\system32\drivers\SSHDRV85.sys [2010-2-6 78848]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-31 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-31 267432]
R2 avgntflt;avgntflt;c:\windows.2\system32\drivers\avgntflt.sys [2010-7-31 60936]
R3 SNCT511;PC Camera (6005 CIF);c:\windows.2\system32\drivers\snct511.sys [2010-7-9 229376]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-31 11608]
S3 rk_remover-boot;rk_remover-boot;c:\windows.2\system32\drivers\rk_remover.sys [2010-8-18 52736]
S3 vsdatant;vsdatant;c:\windows.2\system32\vsdatant.sys [2007-11-14 394952]

=============== Created Last 30 ================

2010-08-18 15:31:57 0 ----a-w- c:\documents and settings\nergis\defogger_reenable
2010-08-18 10:08:51 16384 ----atw- c:\temp\Perflib_Perfdata_418.dat
2010-08-18 00:06:47 0 d-sha-r- C:\cmdcons
2010-08-18 00:04:11 98816 ----a-w- c:\windows.2\sed.exe
2010-08-18 00:04:11 77312 ----a-w- c:\windows.2\MBR.exe
2010-08-18 00:04:11 256512 ----a-w- c:\windows.2\PEV.exe
2010-08-18 00:04:11 161792 ----a-w- c:\windows.2\SWREG.exe
2010-08-17 23:28:42 52736 ----a-w- c:\windows.2\system32\drivers\rk_remover.sys
2010-08-17 11:10:11 0 d-----w- c:\program files\common files\Macrovision Shared
2010-08-16 22:31:03 73728 ----a-w- c:\windows.2\system32\javacpl.cpl
2010-08-16 22:31:03 423656 ----a-w- c:\windows.2\system32\deployJava1.dll
2010-08-16 21:00:10 1824 ----a-w- c:\windows.2\system32\.crusader
2010-08-16 11:36:15 152064 ----a-w- c:\temp\0.09192115260202871.exe
2010-08-15 17:40:52 16968 ----a-w- c:\windows.2\system32\drivers\hitmanpro35.sys
2010-08-15 17:40:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-08-15 17:40:21 0 d-----w- c:\program files\Hitman Pro 3.5
2010-08-13 20:43:14 4 ----a-w- c:\docume~1\nergis\applic~1\avdrn.dat
2010-08-13 11:14:54 54156 ---ha-w- c:\windows.2\QTFont.qfn
2010-08-13 11:14:54 1409 ----a-w- c:\windows.2\QTFont.for
2010-08-11 21:49:07 16384 ----atw- c:\temp\Perflib_Perfdata_380.dat
2010-08-07 15:20:05 16384 ----atw- c:\temp\Perflib_Perfdata_6c8.dat
2010-08-06 12:12:47 16384 ----atw- c:\temp\Perflib_Perfdata_404.dat
2010-08-04 22:51:36 16384 ----atw- c:\temp\Perflib_Perfdata_704.dat
2010-08-04 12:00:12 16384 ----atw- c:\temp\Perflib_Perfdata_374.dat
2010-08-04 11:23:35 16384 ----atw- c:\temp\Perflib_Perfdata_2fc.dat
2010-08-04 11:15:16 16384 ----atw- c:\temp\Perflib_Perfdata_754.dat
2010-08-04 10:57:36 0 d-sh--w- c:\windows.2\efee3f32f
2010-08-04 08:13:34 16384 ----atw- c:\temp\Perflib_Perfdata_700.dat
2010-08-02 18:11:43 16384 ----atw- c:\temp\Perflib_Perfdata_728.dat
2010-08-02 18:09:20 16384 ----atw- c:\temp\Perflib_Perfdata_630.dat
2010-08-02 10:57:31 0 d-----w- c:\temp\hsperfdata_SYSTEM
2010-08-02 10:43:27 0 d-sh--w- c:\windows.2\system32\lowsec
2010-07-31 17:11:46 16384 ----atw- c:\temp\Perflib_Perfdata_244.dat
2010-07-31 16:49:42 0 d-sh--w- c:\temp\Temporary Internet Files
2010-07-31 16:49:42 0 d-sh--w- c:\temp\History
2010-07-31 16:49:42 0 d-sh--w- c:\temp\Cookies
2010-07-31 16:31:23 0 d-----w- c:\docume~1\nergis\applic~1\Avira
2010-07-31 16:29:44 0 d-----w- c:\windows.2\system32\NtmsData
2010-07-31 16:21:46 60936 ----a-w- c:\windows.2\system32\drivers\avgntflt.sys
2010-07-31 16:21:46 0 d-----w- c:\program files\Avira
2010-07-31 16:21:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-07-31 16:16:25 0 d-----w- c:\temp\AVSETUP_4c544c59
2010-07-31 11:58:02 0 d-----w- c:\temp\6391539b-ca14-42e3-8faf-d9ef9eaa68fa
2010-07-30 15:57:29 0 d-----w- c:\temp\19df6969-fe2e-42cd-8737-bfd00bc54dc0
2010-07-30 06:54:41 0 d-----w- c:\temp\5df7fe96-34dd-4806-bcf5-ab15a3456914
2010-07-29 14:22:38 0 d-----w- c:\temp\0475e675-967b-448e-8f7f-86d81f43dc36
2010-07-28 15:02:35 0 d-----w- c:\temp\75779733-192b-479b-ab57-edc813902a9b
2010-07-27 23:50:35 0 d-----w- c:\temp\983f670b-761d-4508-9d91-cd3f2996001e
2010-07-27 07:35:42 0 d-----w- c:\temp\daeeb8be-2c4a-4992-b6e2-c74cd0f993f2
2010-07-26 16:05:15 0 d-----w- c:\temp\bb2c1df3-2369-4228-9990-3841d308d986
2010-07-26 07:53:47 0 d-----w- c:\windows.2\ERUNT
2010-07-26 07:26:28 505856 ----a-w- C:\sdfixinfo.doc
2010-07-26 07:23:08 0 d-----w- C:\How to use SDFix_files
2010-07-26 07:23:05 47265 ----a-w- C:\How to use SDFix.htm
2010-07-26 07:22:04 0 d-----w- C:\SDFix
2010-07-26 06:31:04 0 d-----w- c:\temp\a217e2f3-9698-46cc-b305-ebd963351e37
2010-07-25 21:08:39 16384 ----atw- c:\temp\Perflib_Perfdata_1d4.dat
2010-07-25 20:57:52 16384 ----atw- c:\temp\Perflib_Perfdata_1d8.dat
2010-07-25 07:26:13 0 d-----w- c:\temp\65e8d795-ebab-4020-a4af-fe2e74940c0e
2010-07-24 17:12:59 0 d-----w- c:\temp\a4c1e86b-ad76-4b21-a01e-a05a20e28e20
2010-07-24 07:25:48 0 d-----w- c:\temp\30b9ae92-4ed3-4b3b-918c-57af29271be7
2010-07-23 16:51:12 0 d-----w- c:\temp\6ffa23f7-7e11-4d6c-89f3-e1486f105aa9
2010-07-23 07:26:28 0 d-----w- c:\temp\641ab798-fa35-40cb-a32e-4410b712bf70
2010-07-22 15:52:17 0 d-----w- c:\temp\45b6238e-640e-4e14-8da0-a2e27e0410ff
2010-07-22 15:25:10 0 d-----w- c:\temp\drra.tmp
2010-07-22 06:39:51 0 d-----w- c:\temp\262f62d2-9876-490c-ad2e-b2822b5328af
2010-07-21 20:15:03 0 d-----w- c:\temp\lbxb.tmp
2010-07-21 15:48:21 0 d-----w- c:\temp\48d04280-f72a-49c8-989d-e01669bd46c8
2010-07-21 06:09:11 0 d-----w- c:\temp\f29d65a7-41c1-4ac1-961a-b7d4cc6ab162
2010-07-20 20:36:38 0 d-----w- c:\docume~1\nergis\applic~1\Dropbox
2010-07-20 15:50:32 0 d-----w- c:\temp\6c9ea955-d8eb-491b-8f67-f8eb0deaf98a
2010-07-20 06:06:04 0 d-----w- c:\temp\74d6fd90-f3e8-41dc-a6c3-ee1fa538c052
2010-07-19 19:27:06 225 ----a-w- c:\windows.2\wininit.ini
2010-07-19 18:00:51 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-19 18:00:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-19 17:07:43 150 ----a-w- C:\zrpt.xml
2010-07-19 17:04:08 0 d-----w- c:\docume~1\nergis\applic~1\CCB1F9C298A877998363D724252FE2D3
2010-07-19 16:53:35 0 d-----w- c:\temp\68a12cdb-0d29-4ec7-b3b7-c20b1e91e9bb

==================== Find3M ====================

2010-08-02 13:16:56 60976 ----a-w- c:\windows.2\fonts\TradeGothicLTStd-BdCn20.ttf
2010-07-26 07:28:32 24576 ----a-w- c:\windows.2\system32\userinit.exe
2010-05-24 21:08:05 420864 ----a-w- c:\windows.2\system32\ntvdm.exe
2010-01-20 13:35:16 32768 --sha-w- c:\windows.2\system32\config\systemprofile\local settings\history\history.ie5\mshist012010012020100121\index.dat

============= FINISH: 17:34:14.64 ===============

Sorry forgot the GMER attachment.

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 18 August 2010 - 05:09 PM.


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:20 PM

Posted 26 August 2010 - 02:50 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 sirona

sirona
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 27 August 2010 - 05:02 AM

Hi myrti!
I am pasting the OTL.Txt below. I will attach the extras.txt in an attachment.
Thank you for your help! smile.gif

OTL logfile created on: 27/08/2010 11:53:02 - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Nergis\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 525.00 Mb Available Physical Memory | 52.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2500 2500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS.2 | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 22.32 Gb Free Space | 59.93% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SIRONA
Current User Name: Nergis
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/27 11:50:35 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nergis\My Documents\Downloads\OTL.exe
PRC - [2010/08/17 13:10:11 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2010/07/23 04:09:38 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/07/23 04:09:38 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/23 13:19:32 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/12/29 16:21:24 | 005,722,112 | ---- | M] (XemiComputers ltd.) -- C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
PRC - [2008/04/14 13:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.2\explorer.exe
PRC - [2008/01/11 20:54:31 | 000,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe


========== Modules (SafeList) ==========

MOD - [2010/08/27 11:50:35 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nergis\My Documents\Downloads\OTL.exe
MOD - [2009/10/02 13:26:06 | 000,044,032 | ---- | M] () -- C:\Program Files\XemiComputers\Active Desktop Calendar\MouseHook.dll
MOD - [2008/04/14 13:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.2\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2010/08/17 13:10:11 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/03/23 13:19:32 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Nergis\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/08/18 11:46:52 | 000,052,736 | ---- | M] (eSage Lab) [Kernel | On_Demand | Stopped] -- C:\WINDOWS.2\system32\drivers\rk_remover.sys -- (rk_remover-boot)
DRV - [2010/03/23 13:15:36 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS.2\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS.2\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS.2\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/02/06 00:36:52 | 000,078,848 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS.2\system32\drivers\SSHDRV85.sys -- (SSHDRV85)
DRV - [2009/08/26 16:10:26 | 000,213,544 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS.2\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS.2\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/11/16 18:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS.2\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/11/14 19:05:16 | 000,394,952 | ---- | M] (Zone Labs, LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS.2\system32\vsdatant.sys -- (vsdatant)
DRV - [2007/01/18 20:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS.2\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS.2\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2002/11/26 18:16:56 | 000,229,376 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS.2\system32\drivers\snct511.sys -- (SNCT511) PC Camera (6005 CIF)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS.2\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1177238915-1085031214-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS.2\system32\blank.htm
IE - HKU\S-1-5-21-1177238915-1085031214-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1177238915-1085031214-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://de.msn.com/iat/us_de.aspx
IE - HKU\S-1-5-21-1177238915-1085031214-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1177238915-1085031214-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B8 31 28 62 E4 99 CA 01 [binary data]
IE - HKU\S-1-5-21-1177238915-1085031214-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/15 17:49:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/17 00:31:03 | 000,000,000 | ---D | M]

[2010/08/15 17:49:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nergis\Application Data\Mozilla\Extensions
[2010/08/27 10:15:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nergis\Application Data\Mozilla\Firefox\Profiles\zr4f6f4z.default\extensions
[2010/08/16 15:12:48 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Nergis\Application Data\Mozilla\Firefox\Profiles\zr4f6f4z.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/08/27 10:15:54 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/17 00:31:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/08/17 00:30:46 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/23 02:29:54 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/07/23 02:29:54 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/07/23 02:29:54 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/07/23 02:29:54 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/08/17 00:19:08 | 000,000,686 | ---- | M]) - C:\WINDOWS.2\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1177238915-1085031214-1644491937-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKU\S-1-5-21-1177238915-1085031214-1644491937-1003..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe (XemiComputers ltd.)
O4 - Startup: C:\Documents and Settings\Nergis\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Nergis\Application Data\Dropbox\bin\Dropbox.exe ()
O4 - Startup: C:\Documents and Settings\Nergis\Start Menu\Programs\Startup\Dropbox.lnk.disabled ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1177238915-1085031214-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1177238915-1085031214-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1177238915-1085031214-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.2\Network Diagnostic\xpnetdiag.exe File not found
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} http://content.systemrequirementslab.com.s...ri_4.1.71.0.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS.2\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\egypack: DllName - egypack.dll - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS.2\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - CLSID or File not found.
O24 - Desktop WallPaper: C:\Documents and Settings\Nergis\Application Data\XemiComputers\Active Desktop Calendar\Desktop\Active Desktop Calendar.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Nergis\Application Data\XemiComputers\Active Desktop Calendar\Desktop\Active Desktop Calendar.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/20 15:24:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk - C:\WINDOWS.2\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico - ()
MsConfig - StartUpReg: SpybotSD TeaTimer - hkey= - key= - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: klmdb.sys - Driver
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - Service
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS.2\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS.2\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Klasörleri
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS.2\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS.2\system32\Rundll32.exe C:\WINDOWS.2\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C7AA62EC-36AF-AB53-2D99-ADF033348F50} - Browser Customizations
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS.2\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS.2\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS.2\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS.2\system32\rundll32.exe" "C:\WINDOWS.2\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.ac3acm - C:\WINDOWS.2\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.iac2 - C:\WINDOWS.2\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS.2\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS.2\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - C:\WINDOWS.2\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS.2\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS.2\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS.2\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS.2\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS.2\System32\ff_vfw.dll ()
Drivers32: VIDC.HFYU - C:\WINDOWS.2\System32\huffyuv.dll (Disappearing Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS.2\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS.2\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS.2\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS.2\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.VP70 - C:\WINDOWS.2\System32\vp7vfw.dll (On2.com)
Drivers32: VIDC.XVID - C:\WINDOWS.2\System32\xvidvfw.dll ()
Drivers32: VIDC.YV12 - C:\WINDOWS.2\System32\DivX.dll (DivX, Inc.)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: wuauserv - C:\WINDOWS\system32\wuauserv.dll File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/08/24 18:54:51 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Nergis\Recent
[2010/08/20 13:55:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nergis\Desktop\figure stuff
[2010/08/20 12:01:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nergis\Desktop\dlvo-AB mag comparison
[2010/08/19 23:48:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nergis\Desktop\now
[2010/08/19 16:29:16 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS.2\System32\bootdelete.exe
[2010/08/19 16:27:18 | 000,134,464 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS.2\System32\LnkProtect.dll
[2010/08/18 18:42:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nergis\Desktop\comp bleep
[2010/08/18 16:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nergis\Local Settings\Application Data\Identities
[2010/08/18 02:06:47 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/18 02:04:11 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS.2\SWXCACLS.exe
[2010/08/18 02:04:11 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS.2\SWREG.exe
[2010/08/18 02:04:11 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS.2\SWSC.exe
[2010/08/18 02:04:11 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS.2\NIRCMD.exe
[2010/08/18 02:03:56 | 000,000,000 | ---D | C] -- C:\WINDOWS.2\ERDNT
[2010/08/18 01:28:42 | 000,052,736 | ---- | C] (eSage Lab) -- C:\WINDOWS.2\System32\drivers\rk_remover.sys
[2010/08/17 13:10:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared
[2010/08/17 00:31:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/08/17 00:31:03 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS.2\System32\deployJava1.dll
[2010/08/17 00:31:03 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS.2\System32\javaws.exe
[2010/08/17 00:31:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS.2\System32\javaw.exe
[2010/08/17 00:31:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS.2\System32\java.exe
[2010/08/17 00:31:03 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS.2\System32\javacpl.cpl
[2010/08/17 00:30:38 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/08/16 22:45:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2010/08/16 22:43:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/08/16 11:56:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2010/08/15 19:40:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/08/15 19:40:21 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/08/15 17:49:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nergis\Local Settings\Application Data\Mozilla
[2010/08/15 17:48:18 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/08/09 08:46:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nergis\Desktop\wagner
[2010/08/09 08:16:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nergis\My Documents\acrobat_KeyGen
[2010/08/04 12:57:36 | 000,000,000 | -HSD | C] -- C:\WINDOWS.2\efee3f32f
[2010/08/03 10:59:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/08/02 13:06:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/08/02 12:57:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/08/02 12:57:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/08/02 12:43:27 | 000,000,000 | -HSD | C] -- C:\WINDOWS.2\System32\lowsec
[2010/07/31 18:49:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/07/31 18:31:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nergis\Application Data\Avira
[2010/07/31 18:29:44 | 000,000,000 | ---D | C] -- C:\WINDOWS.2\System32\NtmsData
[2010/07/31 18:21:48 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS.2\System32\drivers\ssmdrv.sys
[2010/07/31 18:21:46 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS.2\System32\drivers\avipbb.sys
[2010/07/31 18:21:46 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS.2\System32\drivers\avgntflt.sys
[2010/07/31 18:21:46 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS.2\System32\drivers\avgntdd.sys
[2010/07/31 18:21:46 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS.2\System32\drivers\avgntmgr.sys
[2010/07/31 18:21:46 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/07/31 18:21:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[3 C:\WINDOWS.2\*.tmp files -> C:\WINDOWS.2\*.tmp -> ]
[1 C:\WINDOWS.2\System32\*.tmp files -> C:\WINDOWS.2\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/27 10:55:32 | 000,016,968 | ---- | M] () -- C:\WINDOWS.2\System32\drivers\hitmanpro35.sys
[2010/08/27 10:53:13 | 000,000,006 | -H-- | M] () -- C:\WINDOWS.2\tasks\SA.DAT
[2010/08/27 10:53:12 | 000,002,206 | ---- | M] () -- C:\WINDOWS.2\System32\wpa.dbl
[2010/08/27 10:53:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS.2\bootstat.dat
[2010/08/27 10:52:28 | 005,242,880 | -H-- | M] () -- C:\Documents and Settings\Nergis\NTUSER.DAT
[2010/08/27 10:52:28 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Nergis\ntuser.ini
[2010/08/26 09:55:37 | 000,521,706 | ---- | M] () -- C:\Documents and Settings\Nergis\Desktop\d0 value.pdf
[2010/08/26 06:47:52 | 000,000,773 | ---- | M] () -- C:\WINDOWS.2\win.ini
[2010/08/24 20:18:23 | 000,002,269 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/08/19 16:29:16 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS.2\System32\bootdelete.exe
[2010/08/19 16:27:18 | 000,134,464 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS.2\System32\LnkProtect.dll
[2010/08/18 17:31:57 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Nergis\defogger_reenable
[2010/08/18 11:46:52 | 000,052,736 | ---- | M] (eSage Lab) -- C:\WINDOWS.2\System32\drivers\rk_remover.sys
[2010/08/18 02:06:55 | 000,000,285 | RHS- | M] () -- C:\boot.ini
[2010/08/17 00:30:45 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS.2\System32\deployJava1.dll
[2010/08/17 00:30:45 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS.2\System32\javaws.exe
[2010/08/17 00:30:45 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS.2\System32\javaw.exe
[2010/08/17 00:30:45 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS.2\System32\java.exe
[2010/08/17 00:30:45 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS.2\System32\javacpl.cpl
[2010/08/17 00:19:08 | 000,000,686 | ---- | M] () -- C:\WINDOWS.2\System32\drivers\etc\HOSTS
[2010/08/16 23:00:10 | 000,001,824 | ---- | M] () -- C:\WINDOWS.2\System32\.crusader
[2010/08/16 22:45:32 | 000,054,156 | -H-- | M] () -- C:\WINDOWS.2\QTFont.qfn
[2010/08/16 22:45:32 | 000,001,409 | ---- | M] () -- C:\WINDOWS.2\QTFont.for
[2010/08/16 15:09:55 | 000,000,000 | ---- | M] () -- C:\WINDOWS.2\nsreg.dat
[2010/08/15 19:40:22 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/08/15 09:57:54 | 000,042,496 | ---- | M] () -- C:\Documents and Settings\Nergis\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/13 22:43:14 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Nergis\Application Data\avdrn.dat
[2010/08/07 18:41:49 | 000,000,225 | ---- | M] () -- C:\WINDOWS.2\wininit.ini
[2010/08/03 10:36:56 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Nergis\Desktop\Internet.lnk
[2010/08/02 20:12:27 | 000,021,232 | ---- | M] () -- C:\Documents and Settings\Nergis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/08/02 18:43:58 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Nergis\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/08/02 17:21:31 | 000,118,952 | ---- | M] () -- C:\WINDOWS.2\System32\FNTCACHE.DAT
[2010/08/02 16:41:35 | 000,114,365 | ---- | M] () -- C:\Documents and Settings\Nergis\Desktop\IR2010_YOURNAME_COMPANYNAME.pdf
[2010/07/31 18:03:32 | 002,552,858 | -H-- | M] () -- C:\Documents and Settings\Nergis\Local Settings\Application Data\IconCache.db
[3 C:\WINDOWS.2\*.tmp files -> C:\WINDOWS.2\*.tmp -> ]
[1 C:\WINDOWS.2\System32\*.tmp files -> C:\WINDOWS.2\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/26 09:55:37 | 000,521,706 | ---- | C] () -- C:\Documents and Settings\Nergis\Desktop\d0 value.pdf
[2010/08/18 17:31:57 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Nergis\defogger_reenable
[2010/08/18 02:04:11 | 000,256,512 | ---- | C] () -- C:\WINDOWS.2\PEV.exe
[2010/08/18 02:04:11 | 000,098,816 | ---- | C] () -- C:\WINDOWS.2\sed.exe
[2010/08/18 02:04:11 | 000,080,412 | ---- | C] () -- C:\WINDOWS.2\grep.exe
[2010/08/18 02:04:11 | 000,077,312 | ---- | C] () -- C:\WINDOWS.2\MBR.exe
[2010/08/18 02:04:11 | 000,068,096 | ---- | C] () -- C:\WINDOWS.2\zip.exe
[2010/08/16 23:00:10 | 000,001,824 | ---- | C] () -- C:\WINDOWS.2\System32\.crusader
[2010/08/16 15:09:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS.2\nsreg.dat
[2010/08/15 19:40:52 | 000,016,968 | ---- | C] () -- C:\WINDOWS.2\System32\drivers\hitmanpro35.sys
[2010/08/15 19:40:22 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/08/13 22:43:14 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Nergis\Application Data\avdrn.dat
[2010/08/13 13:14:54 | 000,054,156 | -H-- | C] () -- C:\WINDOWS.2\QTFont.qfn
[2010/08/13 13:14:54 | 000,001,409 | ---- | C] () -- C:\WINDOWS.2\QTFont.for
[2010/08/03 10:36:56 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Nergis\Desktop\Internet.lnk
[2010/08/02 14:25:05 | 000,114,365 | ---- | C] () -- C:\Documents and Settings\Nergis\Desktop\IR2010_YOURNAME_COMPANYNAME.pdf
[2010/07/19 21:27:06 | 000,000,225 | ---- | C] () -- C:\WINDOWS.2\wininit.ini
[2010/07/09 20:42:25 | 000,229,376 | ---- | C] () -- C:\WINDOWS.2\System32\drivers\snct511.sys
[2010/07/09 20:42:25 | 000,061,440 | ---- | C] () -- C:\WINDOWS.2\System32\dsnct511.dll
[2010/07/09 20:42:25 | 000,049,152 | ---- | C] () -- C:\WINDOWS.2\System32\vsnct511.dll
[2010/07/09 20:42:25 | 000,015,493 | ---- | C] () -- C:\WINDOWS.2\snct511.ini
[2010/05/25 04:18:08 | 000,000,345 | ---- | C] () -- C:\WINDOWS.2\QTW.INI
[2010/03/23 13:26:48 | 000,201,512 | ---- | C] () -- C:\WINDOWS.2\System32\vpnapi.dll
[2010/03/23 13:17:40 | 000,197,416 | ---- | C] () -- C:\WINDOWS.2\System32\CSGina.dll
[2010/02/06 00:36:52 | 000,078,848 | ---- | C] () -- C:\WINDOWS.2\System32\drivers\SSHDRV85.sys
[2010/01/26 14:44:57 | 000,000,038 | ---- | C] () -- C:\WINDOWS.2\avisplitter.ini
[2010/01/26 14:44:56 | 000,881,664 | ---- | C] () -- C:\WINDOWS.2\System32\xvidcore.dll
[2010/01/26 14:44:56 | 000,205,824 | ---- | C] () -- C:\WINDOWS.2\System32\xvidvfw.dll
[2010/01/26 14:44:54 | 000,085,504 | ---- | C] () -- C:\WINDOWS.2\System32\ff_vfw.dll
[2010/01/26 14:44:54 | 000,000,547 | ---- | C] () -- C:\WINDOWS.2\System32\ff_vfw.dll.manifest
[2010/01/20 22:22:54 | 000,178,176 | ---- | C] () -- C:\WINDOWS.2\System32\unrar.dll
[2010/01/20 22:11:26 | 000,042,496 | ---- | C] () -- C:\Documents and Settings\Nergis\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/20 18:59:28 | 000,000,402 | ---- | C] () -- C:\WINDOWS.2\ODBC.INI
[2008/04/14 13:00:00 | 000,355,112 | ---- | C] () -- C:\WINDOWS.2\System32\msjetol1.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS.2\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 13:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS.2\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 13:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS.2\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2007/01/23 17:22:16 | 000,032,890 | ---- | M] () MD5=4FA5D1120762802A741F374F8B391E69 -- C:\Program Files\MATLAB\R2009b\sys\perl\win32\lib\auto\Win32\EventLog\EventLog.dll
[2008/04/14 13:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS.2\system32\dllcache\eventlog.dll
[2008/04/14 13:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS.2\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS.2\system32\dllcache\netlogon.dll
[2008/04/14 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS.2\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 13:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS.2\system32\dllcache\scecli.dll
[2008/04/14 13:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS.2\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS.2\system32\dxtmsft.dll
[2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS.2\system32\dxtrans.dll
[2009/03/08 05:31:56 | 000,183,808 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS.2\system32\iepeers.dll
[1 C:\WINDOWS.2\system32\*.tmp files -> C:\WINDOWS.2\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/01/20 15:50:44 | 000,094,208 | ---- | M] () -- C:\WINDOWS.2\system32\config\default.sav
[2010/01/20 15:50:44 | 001,089,536 | ---- | M] () -- C:\WINDOWS.2\system32\config\software.sav
[2010/01/20 15:50:44 | 000,913,408 | ---- | M] () -- C:\WINDOWS.2\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/08/27 10:55:32 | 000,016,968 | ---- | M] () -- C:\WINDOWS.2\system32\drivers\hitmanpro35.sys
[2010/08/18 11:46:52 | 000,052,736 | ---- | M] (eSage Lab) -- C:\WINDOWS.2\system32\drivers\rk_remover.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS.2\System32\ntvdm.exe:SummaryInformation
< End of report >

Attached Files



#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:20 PM

Posted 27 August 2010 - 05:09 AM

Hi,

please run a scan with Rootkit Unhooker too:

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 sirona

sirona
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 27 August 2010 - 08:52 AM

Hi and thanks for your quick reply.
Here is the requested report:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
!!!!!!!!!!!Hidden driver: 0x85FE2000 00000364 2153129568 bytes
0x804D7000 C:\WINDOWS.2\system32\ntoskrnl.exe 2188928 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2188928 bytes
0x804D7000 RAW 2188928 bytes
0x804D7000 WMIxWDM 2188928 bytes
0xBF800000 Win32k 1863680 bytes
0xBF800000 C:\WINDOWS.2\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF72BD000 C:\WINDOWS.2\system32\DRIVERS\ialmnt5.sys 1167360 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBFA45000 C:\WINDOWS.2\System32\ialmdd5.DLL 983040 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xF7115000 C:\WINDOWS.2\system32\drivers\senfilt.sys 733184 bytes (Creative Technology Ltd., Creative WDM Audio Driver)
0xAA4B7000 C:\WINDOWS.2\system32\Drivers\CVPNDRVA.sys 589824 bytes (Cisco Systems, Inc., Cisco Systems VPN Client IPSec Driver)
0xF747A000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAAD3C000 C:\WINDOWS.2\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF702C000 C:\WINDOWS.2\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAAE21000 C:\WINDOWS.2\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xAA43D000 C:\WINDOWS.2\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xAAEAD000 C:\WINDOWS.2\system32\drivers\SSHDRV85.sys 307200 bytes (-, Direct Port Access - Helper Driver)
0xAA1A4000 C:\WINDOWS.2\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF720F000 C:\WINDOWS.2\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xBFA0A000 C:\WINDOWS.2\System32\ialmdev5.DLL 241664 bytes (Intel Corporation, Component GHAL Driver)
0xAAC94000 C:\WINDOWS.2\system32\DRIVERS\snct511.sys 229376 bytes (-, PC Camera driver)
0xF7273000 C:\WINDOWS.2\system32\DRIVERS\b57xp32.sys 221184 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xF708A000 C:\WINDOWS.2\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF75BE000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xAA78A000 C:\WINDOWS.2\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF744D000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAADAC000 C:\WINDOWS.2\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAADF9000 C:\WINDOWS.2\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7568000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xAAD16000 C:\WINDOWS.2\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF71EB000 C:\WINDOWS.2\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF724F000 C:\WINDOWS.2\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF71C8000 C:\WINDOWS.2\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAADD7000 C:\WINDOWS.2\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xAACCC000 C:\WINDOWS.2\system32\DRIVERS\avipbb.sys 139264 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0xBF9E8000 C:\WINDOWS.2\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS.2\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7530000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF70E2000 C:\WINDOWS.2\system32\DRIVERS\dne2000.sys 126976 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer)
0xF758E000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF7433000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7550000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF7550000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAAC54000 C:\WINDOWS.2\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7507000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF70CB000 C:\WINDOWS.2\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xAAB27000 C:\WINDOWS.2\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)
0xAA74D000 C:\WINDOWS.2\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF7101000 C:\WINDOWS.2\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF72A9000 C:\WINDOWS.2\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAAE7A000 C:\WINDOWS.2\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF9C7000 C:\WINDOWS.2\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF751E000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF75AD000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF70BA000 C:\WINDOWS.2\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF76BD000 C:\WINDOWS.2\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF77AD000 C:\WINDOWS.2\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF779D000 C:\WINDOWS.2\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF778D000 C:\WINDOWS.2\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBF9D9000 C:\WINDOWS.2\System32\ialmrnt5.dll 61440 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF77BD000 C:\WINDOWS.2\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xAAA07000 C:\WINDOWS.2\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF784D000 C:\WINDOWS.2\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF764D000 C:\WINDOWS.2\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF77CD000 C:\WINDOWS.2\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF76CD000 C:\WINDOWS.2\system32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF762D000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF77ED000 C:\WINDOWS.2\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF767D000 C:\WINDOWS.2\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF761D000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF77DD000 C:\WINDOWS.2\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF760D000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF782D000 C:\WINDOWS.2\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF780D000 C:\WINDOWS.2\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF763D000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF76DD000 C:\WINDOWS.2\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF773D000 C:\WINDOWS.2\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF77FD000 C:\WINDOWS.2\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF787D000 C:\WINDOWS.2\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAA09C000 C:\WINDOWS.2\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF769D000 C:\WINDOWS.2\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF798D000 C:\WINDOWS.2\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF79A5000 C:\WINDOWS.2\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7915000 C:\WINDOWS.2\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7975000 C:\WINDOWS.2\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF788D000 C:\WINDOWS.2\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7935000 C:\WINDOWS.2\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF793D000 C:\WINDOWS.2\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7995000 C:\WINDOWS.2\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xF790D000 C:\WINDOWS.2\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF797D000 C:\WINDOWS.2\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7985000 C:\WINDOWS.2\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7895000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7925000 C:\WINDOWS.2\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF792D000 C:\WINDOWS.2\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF791D000 C:\WINDOWS.2\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF79C5000 C:\WINDOWS.2\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7008000 C:\WINDOWS.2\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7AF9000 C:\WINDOWS.2\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAAB13000 C:\WINDOWS.2\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7AD9000 C:\WINDOWS.2\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7A21000 C:\WINDOWS.2\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xAAFA8000 C:\WINDOWS.2\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7020000 C:\WINDOWS.2\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF7010000 C:\WINDOWS.2\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7ADD000 C:\WINDOWS.2\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7AA1000 C:\WINDOWS.2\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7B77000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xF7B59000 C:\WINDOWS.2\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7B11000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7B8B000 C:\WINDOWS.2\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7B57000 C:\WINDOWS.2\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7B0F000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7B5B000 C:\WINDOWS.2\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7B53000 C:\WINDOWS.2\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7B5D000 C:\WINDOWS.2\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7B31000 C:\WINDOWS.2\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7B37000 C:\WINDOWS.2\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7B0D000 C:\WINDOWS.2\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x85A9B000 C:\WINDOWS.2\system32\KDCOM.DLL 7040 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7C7F000 C:\WINDOWS.2\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7BF3000 C:\WINDOWS.2\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7CD8000 C:\WINDOWS.2\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7BD5000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x85FF5A17 ?_empty_? 1513 bytes
==============================================
>Stealth
==============================================
0xF7550000 WARNING: suspicious driver modification [atapi.sys::0x85FF5A17]


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:20 PM

Posted 27 August 2010 - 10:23 AM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run TDSSKiller and post the log in your next reply:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 sirona

sirona
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 27 August 2010 - 11:01 AM

well it is now done checking and it says
"maliciouys objects"
with one reult.
next to it it says cure and i have one option: continue.
I haven't pressed on continue and I can't paste the report yet as it's still being used by the TDSS killer.
what should i do? should i change the "cure" to "skip"?

the malicious object is
rootkit.win32.tdss.tdl4
MBR
name: harddisc0\MBR

(I'm waiting for your reply before i close the window.)
(edit:ok i couldnt wait anymore, i said continue and it said will cure infection after reboot so, i rebooted.)

Edited by sirona, 27 August 2010 - 05:41 PM.


#8 sirona

sirona
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 27 August 2010 - 01:26 PM

ok i could open the .txt file now.
I still haven't closed the TDSS killer window though. should i just cure the infection?
here is th log requested:

2010/08/27 17:56:46.0343 TDSS rootkit removing tool 2.4.1.3 Aug 27 2010 08:53:42
2010/08/27 17:56:46.0343 ================================================================================
2010/08/27 17:56:46.0343 SystemInfo:
2010/08/27 17:56:46.0343
2010/08/27 17:56:46.0343 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/27 17:56:46.0343 Product type: Workstation
2010/08/27 17:56:46.0343 ComputerName: SIRONA
2010/08/27 17:56:46.0343 UserName: Nergis
2010/08/27 17:56:46.0343 Windows directory: C:\WINDOWS.2
2010/08/27 17:56:46.0343 System windows directory: C:\WINDOWS.2
2010/08/27 17:56:46.0343 Processor architecture: Intel x86
2010/08/27 17:56:46.0343 Number of processors: 1
2010/08/27 17:56:46.0343 Page size: 0x1000
2010/08/27 17:56:46.0343 Boot type: Normal boot
2010/08/27 17:56:46.0343 ================================================================================
2010/08/27 17:56:46.0500 Initialize success
2010/08/27 17:56:58.0859 ================================================================================
2010/08/27 17:56:58.0859 Scan started
2010/08/27 17:56:58.0859 Mode: Manual;
2010/08/27 17:56:58.0859 ================================================================================
2010/08/27 17:56:59.0265 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS.2\system32\DRIVERS\ACPI.sys
2010/08/27 17:56:59.0312 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS.2\system32\drivers\ACPIEC.sys
2010/08/27 17:56:59.0390 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS.2\system32\drivers\aec.sys
2010/08/27 17:56:59.0437 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS.2\System32\drivers\afd.sys
2010/08/27 17:56:59.0656 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS.2\system32\DRIVERS\asyncmac.sys
2010/08/27 17:56:59.0687 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS.2\system32\DRIVERS\atapi.sys
2010/08/27 17:56:59.0734 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS.2\system32\DRIVERS\atmarpc.sys
2010/08/27 17:56:59.0781 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS.2\system32\DRIVERS\audstub.sys
2010/08/27 17:56:59.0859 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/08/27 17:56:59.0890 avgntflt (a88d29d928ad2b830e87b53e3f9bc182) C:\WINDOWS.2\system32\DRIVERS\avgntflt.sys
2010/08/27 17:56:59.0921 avipbb (1289e9a5d9118a25a13c0009519088e3) C:\WINDOWS.2\system32\DRIVERS\avipbb.sys
2010/08/27 17:56:59.0968 b57w2k (8143be3d94866258f0b93373830cef01) C:\WINDOWS.2\system32\DRIVERS\b57xp32.sys
2010/08/27 17:57:00.0031 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS.2\system32\drivers\Beep.sys
2010/08/27 17:57:00.0187 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS.2\system32\drivers\cbidf2k.sys
2010/08/27 17:57:00.0218 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS.2\system32\DRIVERS\CCDECODE.sys
2010/08/27 17:57:00.0359 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS.2\system32\drivers\Cdaudio.sys
2010/08/27 17:57:00.0406 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS.2\system32\drivers\Cdfs.sys
2010/08/27 17:57:00.0453 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS.2\system32\DRIVERS\cdrom.sys
2010/08/27 17:57:00.0578 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS.2\system32\DRIVERS\CVirtA.sys
2010/08/27 17:57:00.0640 CVPNDRVA (18994842386fd3039279d7865740abbd) C:\WINDOWS.2\system32\Drivers\CVPNDRVA.sys
2010/08/27 17:57:00.0718 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS.2\system32\DRIVERS\disk.sys
2010/08/27 17:57:00.0781 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS.2\system32\drivers\dmboot.sys
2010/08/27 17:57:00.0843 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS.2\system32\drivers\dmio.sys
2010/08/27 17:57:00.0875 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS.2\system32\drivers\dmload.sys
2010/08/27 17:57:00.0921 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS.2\system32\drivers\DMusic.sys
2010/08/27 17:57:00.0968 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\WINDOWS.2\system32\DRIVERS\dne2000.sys
2010/08/27 17:57:01.0046 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS.2\system32\drivers\drmkaud.sys
2010/08/27 17:57:01.0093 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS.2\system32\drivers\Fastfat.sys
2010/08/27 17:57:01.0125 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS.2\system32\drivers\Fdc.sys
2010/08/27 17:57:01.0171 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS.2\system32\drivers\Fips.sys
2010/08/27 17:57:01.0187 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS.2\system32\drivers\Flpydisk.sys
2010/08/27 17:57:01.0218 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS.2\system32\DRIVERS\fltMgr.sys
2010/08/27 17:57:01.0250 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS.2\system32\drivers\Fs_Rec.sys
2010/08/27 17:57:01.0296 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS.2\system32\DRIVERS\ftdisk.sys
2010/08/27 17:57:01.0406 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS.2\system32\DRIVERS\msgpc.sys
2010/08/27 17:57:01.0484 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS.2\system32\DRIVERS\hidusb.sys
2010/08/27 17:57:01.0562 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS.2\system32\Drivers\HTTP.sys
2010/08/27 17:57:01.0640 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS.2\system32\drivers\i8042prt.sys
2010/08/27 17:57:01.0734 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS.2\system32\DRIVERS\ialmnt5.sys
2010/08/27 17:57:01.0812 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS.2\system32\DRIVERS\imapi.sys
2010/08/27 17:57:01.0875 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS.2\system32\DRIVERS\intelide.sys
2010/08/27 17:57:01.0890 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS.2\system32\DRIVERS\intelppm.sys
2010/08/27 17:57:01.0937 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS.2\system32\DRIVERS\Ip6Fw.sys
2010/08/27 17:57:01.0968 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS.2\system32\DRIVERS\ipfltdrv.sys
2010/08/27 17:57:02.0000 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS.2\system32\DRIVERS\ipinip.sys
2010/08/27 17:57:02.0031 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS.2\system32\DRIVERS\ipnat.sys
2010/08/27 17:57:02.0062 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS.2\system32\DRIVERS\ipsec.sys
2010/08/27 17:57:02.0109 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS.2\system32\DRIVERS\irenum.sys
2010/08/27 17:57:02.0140 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS.2\system32\DRIVERS\isapnp.sys
2010/08/27 17:57:02.0187 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS.2\system32\DRIVERS\kbdclass.sys
2010/08/27 17:57:02.0265 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS.2\system32\DRIVERS\kbdhid.sys
2010/08/27 17:57:02.0328 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS.2\system32\drivers\kmixer.sys
2010/08/27 17:57:02.0375 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS.2\system32\drivers\KSecDD.sys
2010/08/27 17:57:02.0453 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS.2\system32\drivers\mnmdd.sys
2010/08/27 17:57:02.0484 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS.2\system32\drivers\Modem.sys
2010/08/27 17:57:02.0500 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS.2\system32\DRIVERS\mouclass.sys
2010/08/27 17:57:02.0546 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS.2\system32\DRIVERS\mouhid.sys
2010/08/27 17:57:02.0562 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS.2\system32\drivers\MountMgr.sys
2010/08/27 17:57:02.0640 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS.2\system32\DRIVERS\mrxdav.sys
2010/08/27 17:57:02.0671 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS.2\system32\DRIVERS\mrxsmb.sys
2010/08/27 17:57:02.0718 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS.2\system32\drivers\Msfs.sys
2010/08/27 17:57:02.0765 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS.2\system32\drivers\MSKSSRV.sys
2010/08/27 17:57:02.0812 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS.2\system32\drivers\MSPCLOCK.sys
2010/08/27 17:57:02.0843 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS.2\system32\drivers\MSPQM.sys
2010/08/27 17:57:02.0890 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS.2\system32\DRIVERS\mssmbios.sys
2010/08/27 17:57:02.0921 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS.2\system32\drivers\MSTEE.sys
2010/08/27 17:57:02.0953 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS.2\system32\drivers\Mup.sys
2010/08/27 17:57:03.0000 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS.2\system32\DRIVERS\NABTSFEC.sys
2010/08/27 17:57:03.0031 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS.2\system32\drivers\NDIS.sys
2010/08/27 17:57:03.0093 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS.2\system32\DRIVERS\NdisIP.sys
2010/08/27 17:57:03.0125 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS.2\system32\DRIVERS\ndistapi.sys
2010/08/27 17:57:03.0156 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS.2\system32\DRIVERS\ndisuio.sys
2010/08/27 17:57:03.0187 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS.2\system32\DRIVERS\ndiswan.sys
2010/08/27 17:57:03.0203 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS.2\system32\drivers\NDProxy.sys
2010/08/27 17:57:03.0234 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS.2\system32\DRIVERS\netbios.sys
2010/08/27 17:57:03.0265 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS.2\system32\DRIVERS\netbt.sys
2010/08/27 17:57:03.0406 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS.2\system32\drivers\Npfs.sys
2010/08/27 17:57:03.0453 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS.2\system32\drivers\Ntfs.sys
2010/08/27 17:57:03.0500 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS.2\system32\drivers\Null.sys
2010/08/27 17:57:03.0546 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS.2\system32\DRIVERS\nwlnkflt.sys
2010/08/27 17:57:03.0578 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS.2\system32\DRIVERS\nwlnkfwd.sys
2010/08/27 17:57:03.0609 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS.2\system32\DRIVERS\parport.sys
2010/08/27 17:57:03.0625 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS.2\system32\drivers\PartMgr.sys
2010/08/27 17:57:03.0656 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS.2\system32\drivers\ParVdm.sys
2010/08/27 17:57:03.0687 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS.2\system32\DRIVERS\pci.sys
2010/08/27 17:57:03.0734 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS.2\system32\drivers\PCIIde.sys
2010/08/27 17:57:03.0781 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS.2\system32\drivers\Pcmcia.sys
2010/08/27 17:57:03.0953 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS.2\system32\DRIVERS\raspptp.sys
2010/08/27 17:57:03.0984 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS.2\system32\DRIVERS\psched.sys
2010/08/27 17:57:04.0015 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS.2\system32\DRIVERS\ptilink.sys
2010/08/27 17:57:04.0125 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS.2\system32\DRIVERS\rasacd.sys
2010/08/27 17:57:04.0140 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS.2\system32\DRIVERS\rasl2tp.sys
2010/08/27 17:57:04.0156 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS.2\system32\DRIVERS\raspppoe.sys
2010/08/27 17:57:04.0187 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS.2\system32\DRIVERS\raspti.sys
2010/08/27 17:57:04.0218 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS.2\system32\DRIVERS\rdbss.sys
2010/08/27 17:57:04.0250 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS.2\system32\DRIVERS\RDPCDD.sys
2010/08/27 17:57:04.0296 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS.2\system32\DRIVERS\rdpdr.sys
2010/08/27 17:57:04.0359 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS.2\system32\drivers\RDPWD.sys
2010/08/27 17:57:04.0453 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS.2\system32\DRIVERS\redbook.sys
2010/08/27 17:57:04.0578 rk_remover-boot (1bdb2a8bce998ef9592d7f1ff6e76996) C:\WINDOWS.2\system32\drivers\rk_remover.sys
2010/08/27 17:57:04.0640 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS.2\system32\DRIVERS\secdrv.sys
2010/08/27 17:57:04.0718 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS.2\system32\drivers\senfilt.sys
2010/08/27 17:57:04.0781 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS.2\system32\DRIVERS\serenum.sys
2010/08/27 17:57:04.0812 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS.2\system32\DRIVERS\serial.sys
2010/08/27 17:57:04.0859 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS.2\system32\drivers\Sfloppy.sys
2010/08/27 17:57:04.0921 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS.2\system32\DRIVERS\SLIP.sys
2010/08/27 17:57:04.0968 smwdm (0066ff77aeb4ae70066f7e94d5a6d866) C:\WINDOWS.2\system32\drivers\smwdm.sys
2010/08/27 17:57:05.0015 SNCT511 (f769063ef4adca02fee657bf7eab7d3d) C:\WINDOWS.2\system32\DRIVERS\snct511.sys
2010/08/27 17:57:05.0093 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS.2\system32\DRIVERS\SONYPVU1.SYS
2010/08/27 17:57:05.0156 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS.2\system32\drivers\splitter.sys
2010/08/27 17:57:05.0187 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS.2\system32\DRIVERS\sr.sys
2010/08/27 17:57:05.0234 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS.2\system32\DRIVERS\srv.sys
2010/08/27 17:57:05.0296 SSHDRV85 (f0be373861a3f34cfab55c1b7ce1feb5) C:\WINDOWS.2\system32\drivers\SSHDRV85.sys
2010/08/27 17:57:05.0328 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS.2\system32\DRIVERS\ssmdrv.sys
2010/08/27 17:57:05.0359 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS.2\system32\DRIVERS\StreamIP.sys
2010/08/27 17:57:05.0390 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS.2\system32\DRIVERS\swenum.sys
2010/08/27 17:57:05.0468 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS.2\system32\drivers\swmidi.sys
2010/08/27 17:57:05.0593 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS.2\system32\drivers\sysaudio.sys
2010/08/27 17:57:05.0656 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS.2\system32\DRIVERS\tcpip.sys
2010/08/27 17:57:05.0734 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS.2\system32\drivers\TDPIPE.sys
2010/08/27 17:57:05.0781 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS.2\system32\drivers\TDTCP.sys
2010/08/27 17:57:05.0812 TermDD (88155247177638048422893737429d9e) C:\WINDOWS.2\system32\DRIVERS\termdd.sys
2010/08/27 17:57:05.0890 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS.2\system32\drivers\Udfs.sys
2010/08/27 17:57:05.0953 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS.2\system32\DRIVERS\update.sys
2010/08/27 17:57:06.0000 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS.2\system32\DRIVERS\usbccgp.sys
2010/08/27 17:57:06.0031 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS.2\system32\DRIVERS\usbehci.sys
2010/08/27 17:57:06.0046 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS.2\system32\DRIVERS\usbhub.sys
2010/08/27 17:57:06.0093 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS.2\system32\DRIVERS\USBSTOR.SYS
2010/08/27 17:57:06.0125 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS.2\system32\DRIVERS\usbuhci.sys
2010/08/27 17:57:06.0140 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS.2\System32\drivers\vga.sys
2010/08/27 17:57:06.0218 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS.2\system32\drivers\VolSnap.sys
2010/08/27 17:57:06.0328 vsdatant (0354ba3a5ba5e28cc247eb5f5dd8793c) C:\WINDOWS.2\system32\vsdatant.sys
2010/08/27 17:57:06.0468 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS.2\system32\DRIVERS\wanarp.sys
2010/08/27 17:57:06.0562 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS.2\system32\drivers\wdmaud.sys
2010/08/27 17:57:06.0671 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS.2\system32\DRIVERS\WSTCODEC.SYS
2010/08/27 17:57:06.0718 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS.2\system32\DRIVERS\WudfPf.sys
2010/08/27 17:57:06.0750 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS.2\system32\DRIVERS\wudfrd.sys
2010/08/27 17:57:06.0812 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/08/27 17:57:06.0812 ================================================================================
2010/08/27 17:57:06.0812 Scan finished
2010/08/27 17:57:06.0812 ================================================================================
2010/08/27 17:57:06.0828 Detected object count: 1


#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:20 PM

Posted 29 August 2010 - 06:17 AM

Hi,

yes please cure. Sorry for taking so long to get back.

First please get a backup of the MBR:
  • Please download mbr.exe and save it to C:\windows <- (Important!).
  • Open NOTEPAD and copy/paste the text in the quotebox below into it:
    CODE
    @ECHO OFF
    CD "%~DP0"
    MBR -c 0 1 backup_mbr.zip
    DEL %0

  • Save this as mbrlook.bat. Choose to "Save type as - All Files" and save it to your Desktop.
    It should look like this:
  • Double click the mbrlook.bat to run it.
  • A file named mbr.zip will be created on your desktop. Please attach that to your next reply.

Once we have the backup of the file, I'll give you the instructions to replace the MBR.

Then run TDSSKiller again and select cure to remove the infection.

After curing, please run a new scan with MBRCheck.

Please download MBRCheck.exe to your desktop.
  1. Double click to run it
  2. It will prompt you with some text
  3. Left click on title bar (where program name and path is written)
  4. From menu chose Edit -> Select All
  5. Now just click Enter key on keyboard to copy selected text
  6. Now paste that text here for me.
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:20 PM

Posted 07 September 2010 - 05:11 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users