
Suspected MBR rootkit on machine


This topic is locked. 11 replies to this topic.

#1 tifosia

tifosia

  • Members
  • 4 posts

Posted 30 August 2010 - 04:16 PM

I suspect I have a rootkit on my machine. Originally I had an issue with WUAUCLT.exe hijacking Skype.exe, which was flagged up by my Sygate Firewall. As part of resolving that issue I ran Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7; the output of this scan highlighted a potential rootkit infection.

[codebox]
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A3E0860]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f58cb8
\Driver\atapi -> 0x8a3e0860
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
Warning: possible MBR rootkit infection !
user & kernel MBR OK
[/codebox]

The machine is a Windows XP Media Center Version 2002 running SP3, protection includes Sygate Personal Firewall and Windows Defender.
I have run Malwarebytes Anti-Malware, which returned nothing. I have Daemon Tools installed, which I understand can sometimes be picked up as a rootkit.

I can provide additional details and logs if you can let me know what information is needed to proceed.
How should I proceed to fully check whether I have a rootkit and disinfect as appropriate?

Thanks

Edited by Budapest, 06 September 2010 - 01:37 AM.
Moved from AII ~BP
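Reading the detector output above as a defender: the hooks it lists are the chain of driver objects on the disk I/O path, and what sets off the warning is the one target it could not resolve to a loaded module (\Driver\atapi -> 0x8a3e0860, the same address shown as >>UNKNOWN<< in the "called modules" line). The following Python parser is an added example written for this page, not GMER's code and not from the thread; it pulls the hook table apart, cross-references unresolved targets with the UNKNOWN addresses, and records whether the user-mode and kernel-mode MBR reads agreed. Such an unbacked hook can be a rootkit or, as this thread later attributes it, a legitimate driver such as a virtual-drive tool; the parser gives the triage cue, not the verdict.

```python
import re

# Constructed input: the detector output quoted in the post above, verbatim.
GMER_OUTPUT = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A3E0860]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f58cb8
\Driver\atapi -> 0x8a3e0860
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# One hook line: <object> [-> <member>] -> [<module> @] <address>
HOOK_RE = re.compile(
    r"^(?P<object>\S+) -> (?:(?P<member>\S+) -> )?(?:(?P<module>\S+) @ )?(?P<addr>0x[0-9a-fA-F]+)\s*$"
)
# Code the detector could not map to any loaded driver image
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def parse_gmer(text):
    """Return (hooks, unknown_addrs, mbr_consistent) from the detector's text output."""
    hooks, unknown, in_hooks, mbr_consistent = [], set(), False, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("called modules:"):
            unknown.update(a.lower() for a in UNKNOWN_RE.findall(line))
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif line == "user & kernel MBR OK":
            mbr_consistent = True  # MBR read via user mode matches the kernel's read
        elif in_hooks:
            m = HOOK_RE.match(line)
            if m:
                hooks.append({**m.groupdict(), "addr": m["addr"].lower()})
            else:
                in_hooks = False  # the "Warning:" line ends the hook table
    return hooks, unknown, mbr_consistent


def triage(hooks, unknown):
    """Rank each hook: a target resolved to a named image is the normal driver
    stack; an address-only target is unbacked code, and worse still if the
    detector also listed that address as UNKNOWN among the called modules."""
    findings = []
    for h in hooks:
        if h["module"] is not None:
            sev, why = "info", f"handled by {h['module']}"
        elif h["addr"] in unknown:
            sev, why = "high", "target is code outside every loaded driver image"
        else:
            sev, why = "medium", "target not resolved to a module"
        findings.append({"severity": sev, "object": h["object"], "addr": h["addr"], "why": why})
    return findings


if __name__ == "__main__":
    hooks, unknown, ok = parse_gmer(GMER_OUTPUT)
    for f in triage(hooks, unknown):
        print(f"[{f['severity']:6}] {f['object']:28} {f['addr']}  {f['why']}")
    print("MBR consistent between user and kernel reads:", ok)
```

Run as-is it prints one line per hook; only the \Driver\atapi entry ranks "high", because its address is both unresolved and the one the detector flagged as UNKNOWN, while the "MBR OK" line tells you the sector itself was not being hidden from user mode.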



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 September 2010 - 08:30 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#3 m0le


Posted 11 September 2010 - 06:09 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

#4 m0le


Posted 12 September 2010 - 09:48 AM

Reopened at user's request

-----------------------------------------

The log you PM'd me showed no infections.

Please run TDSSKiller and let's see if this rootkit has been doing the damage.
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


#5 tifosia


Posted 12 September 2010 - 10:00 AM

The suspicious file (atapi.sys) I believe is a false positive; I understand this is a result of the Daemon Tools virtual CD drive hooking into the kernel.


CODE
2010/09/12 15:55:54.0285    TDSS rootkit removing tool 2.4.2.1 Sep  7 2010 14:43:44
2010/09/12 15:55:54.0285    ================================================================================
2010/09/12 15:55:54.0285    SystemInfo:
2010/09/12 15:55:54.0285    
2010/09/12 15:55:54.0285    OS Version: 5.1.2600 ServicePack: 3.0
2010/09/12 15:55:54.0285    Product type: Workstation
2010/09/12 15:55:54.0285    ComputerName: DOUGAL
2010/09/12 15:55:54.0285    UserName: Tifosia
2010/09/12 15:55:54.0285    Windows directory: C:\WINDOWS
2010/09/12 15:55:54.0285    System windows directory: C:\WINDOWS
2010/09/12 15:55:54.0285    Processor architecture: Intel x86
2010/09/12 15:55:54.0285    Number of processors: 1
2010/09/12 15:55:54.0285    Page size: 0x1000
2010/09/12 15:55:54.0285    Boot type: Normal boot
2010/09/12 15:55:54.0285    ================================================================================
2010/09/12 15:55:55.0660    Initialize success
2010/09/12 15:55:59.0613    ================================================================================
2010/09/12 15:55:59.0613    Scan started
2010/09/12 15:55:59.0613    Mode: Manual;
2010/09/12 15:55:59.0613    ================================================================================
2010/09/12 15:56:00.0613    ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/12 15:56:00.0676    ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/09/12 15:56:00.0738    aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/09/12 15:56:00.0785    AFD             (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/09/12 15:56:00.0910    AmdK8           (e6a2299284013ec4de3419481a62069f) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/09/12 15:56:00.0973    Arp1394         (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/09/12 15:56:01.0113    AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/09/12 15:56:01.0145    atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/12 15:56:01.0145    Suspicious file (NoAccess): C:\WINDOWS\system32\DRIVERS\atapi.sys. md5: 9f3a2f5aa6875c72bf062c712cfa2674
2010/09/12 15:56:01.0160    atapi - detected Locked file (1)
2010/09/12 15:56:01.0207    Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/09/12 15:56:01.0254    audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/09/12 15:56:01.0285    Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/09/12 15:56:01.0348    btaudio         (0c7b763abda79b53e2016af1af8b9706) C:\WINDOWS\system32\drivers\btaudio.sys
2010/09/12 15:56:01.0379    BTDriver        (1b24333d2bcb4dc1c5c3b15bedace5b4) C:\WINDOWS\system32\DRIVERS\btport.sys
2010/09/12 15:56:01.0426    BthEnum         (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2010/09/12 15:56:01.0473    BTHMODEM        (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys
2010/09/12 15:56:01.0504    BthPan          (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2010/09/12 15:56:01.0567    BTHPORT         (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
2010/09/12 15:56:01.0613    BTHUSB          (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2010/09/12 15:56:01.0676    BTKRNL          (54e368a1768c627f2adb8ab5624d0bc4) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2010/09/12 15:56:01.0754    BTSERIAL        (8aeca4330654da58423e7fe03a704513) C:\WINDOWS\system32\drivers\btserial.sys
2010/09/12 15:56:01.0801    BTWDNDIS        (bde1502aabe76f71d32178e5c6a58e89) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2010/09/12 15:56:01.0879    cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/09/12 15:56:01.0957    Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/09/12 15:56:01.0988    Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/09/12 15:56:02.0020    Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/09/12 15:56:02.0332    COMMONFX        (22f8692fd3e017ead334945b3199b0e3) C:\WINDOWS\system32\drivers\COMMONFX.SYS
2010/09/12 15:56:02.0442    COMMONFX.SYS    (22f8692fd3e017ead334945b3199b0e3) C:\WINDOWS\System32\drivers\COMMONFX.SYS
2010/09/12 15:56:02.0535    CT20XUT.DLL     (6191a973461852a09d643609e1d5f7c6) C:\WINDOWS\system32\CT20XUT.DLL
2010/09/12 15:56:02.0582    ctac32k         (aa7e939bc07965a807c6ac2f1d4d22b7) C:\WINDOWS\system32\drivers\ctac32k.sys
2010/09/12 15:56:02.0645    ctaud2k         (79e7abbf928d8a8002ebba0985905dc1) C:\WINDOWS\system32\drivers\ctaud2k.sys
2010/09/12 15:56:02.0723    CTAUDFX         (6d98048890b44191e0daed4639a9f18c) C:\WINDOWS\system32\drivers\CTAUDFX.SYS
2010/09/12 15:56:02.0801    CTAUDFX.SYS     (6d98048890b44191e0daed4639a9f18c) C:\WINDOWS\System32\drivers\CTAUDFX.SYS
2010/09/12 15:56:02.0864    ctdvda2k        (a216c8698c4406a031af6f867afe4f92) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2010/09/12 15:56:02.0910    CTEAPSFX.DLL    (81c8e9fa3be9274dded6d34e92a8e221) C:\WINDOWS\system32\CTEAPSFX.DLL
2010/09/12 15:56:02.0957    CTEDSPFX.DLL    (c8ac1ffaeadd655193d7b1811a572d8d) C:\WINDOWS\system32\CTEDSPFX.DLL
2010/09/12 15:56:03.0004    CTEDSPIO.DLL    (44495d9daf675257d00b25b041ee6667) C:\WINDOWS\system32\CTEDSPIO.DLL
2010/09/12 15:56:03.0035    CTEDSPSY.DLL    (8e90b1762cb42e2fc76dac9210c83c66) C:\WINDOWS\system32\CTEDSPSY.DLL
2010/09/12 15:56:03.0114    CTERFXFX        (5192225e2adfd36d0fc7d61b8e0bae87) C:\WINDOWS\system32\drivers\CTERFXFX.SYS
2010/09/12 15:56:03.0160    CTERFXFX.SYS    (5192225e2adfd36d0fc7d61b8e0bae87) C:\WINDOWS\System32\drivers\CTERFXFX.SYS
2010/09/12 15:56:03.0239    CTEXFIFX.DLL    (2c48e9d8ca703964463f27ae341115b7) C:\WINDOWS\system32\CTEXFIFX.DLL
2010/09/12 15:56:03.0332    CTHWIUT.DLL     (f7657c598e7c29c6683c1e4a8dd68884) C:\WINDOWS\system32\CTHWIUT.DLL
2010/09/12 15:56:03.0395    ctprxy2k        (ce3395b054b641e454c8861020ff1d82) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2010/09/12 15:56:03.0473    CTSBLFX         (8750c640d3068861117fa9166b8aecde) C:\WINDOWS\system32\drivers\CTSBLFX.SYS
2010/09/12 15:56:03.0551    CTSBLFX.SYS     (8750c640d3068861117fa9166b8aecde) C:\WINDOWS\System32\drivers\CTSBLFX.SYS
2010/09/12 15:56:03.0582    ctsfm2k         (01b9017d05d82b6fbcd5cecce93f3aa7) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2010/09/12 15:56:03.0645    d346bus         (99159e3ef20a4792aefe4115e8ad0957) C:\WINDOWS\system32\DRIVERS\d346bus.sys
2010/09/12 15:56:03.0692    d346prt         (fb228cd598b7686e98fbf7bfb55666eb) C:\WINDOWS\system32\Drivers\d346prt.sys
2010/09/12 15:56:03.0754    Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/09/12 15:56:03.0785    DKRtWrt         (d6a4d12c744359f6eb93bbdebcfbe351) C:\WINDOWS\system32\DRIVERS\DKRtWrt.sys
2010/09/12 15:56:03.0848    dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/09/12 15:56:03.0910    dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/09/12 15:56:03.0942    dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/09/12 15:56:03.0989    DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/09/12 15:56:04.0067    drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/09/12 15:56:04.0145    emupia          (71b09041642de925e6150eb525dcc3bf) C:\WINDOWS\system32\drivers\emupia2k.sys
2010/09/12 15:56:04.0223    Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/09/12 15:56:04.0270    Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/09/12 15:56:04.0301    Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/09/12 15:56:04.0426    Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/09/12 15:56:04.0473    FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/09/12 15:56:04.0645    FNETTHJM        (f01e22d86f5d86819da806c32cd09b3e) C:\WINDOWS\system32\drivers\fnetthjm.sys
2010/09/12 15:56:04.0692    Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/09/12 15:56:04.0739    Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/09/12 15:56:04.0770    giveio          (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
2010/09/12 15:56:04.0848    Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/09/12 15:56:04.0911    ha10kx2k        (2e37c43fb534f1d85dcf552d5b2af9ba) C:\WINDOWS\system32\drivers\ha10kx2k.sys
2010/09/12 15:56:04.0989    hamachi         (7929a161f9951d173ca9900fe7067391) C:\WINDOWS\system32\DRIVERS\hamachi.sys
2010/09/12 15:56:05.0051    hap16v2k        (607b73dc2a69a98c7f10b5702d947319) C:\WINDOWS\system32\drivers\hap16v2k.sys
2010/09/12 15:56:05.0098    hap17v2k        (f674eeaa2d1ed14606aedfed65c34893) C:\WINDOWS\system32\drivers\hap17v2k.sys
2010/09/12 15:56:05.0145    HidBth          (7bd2de4c85eb4241eed57672b16a7d8d) C:\WINDOWS\system32\DRIVERS\hidbth.sys
2010/09/12 15:56:05.0176    hidusb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/09/12 15:56:05.0254    HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/09/12 15:56:05.0426    i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/09/12 15:56:05.0457    Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/09/12 15:56:05.0567    Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/09/12 15:56:05.0598    IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/09/12 15:56:05.0645    IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/09/12 15:56:05.0676    IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/09/12 15:56:05.0723    IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/12 15:56:05.0770    irda            (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2010/09/12 15:56:05.0801    IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/09/12 15:56:05.0864    irsir           (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
2010/09/12 15:56:05.0911    isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/09/12 15:56:05.0957    ISODisk         (96f2f5884d02535e2d4dfc849836f4a6) C:\WINDOWS\system32\drivers\ISODisk.sys
2010/09/12 15:56:06.0004    Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/12 15:56:06.0036    kbdhid          (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/09/12 15:56:06.0067    kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/09/12 15:56:06.0098    KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/09/12 15:56:06.0176    MaxiAcom        (04892dc693c1ccc277d09abfc693816b) C:\WINDOWS\system32\Drivers\MaxiAcom.SYS
2010/09/12 15:56:06.0207    maxivista       (9740bb8a1966445d3a335e441a4b207f) C:\WINDOWS\system32\DRIVERS\maxivista.sys
2010/09/12 15:56:06.0270    MHNDRV          (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2010/09/12 15:56:06.0317    mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/09/12 15:56:06.0364    Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/09/12 15:56:06.0411    Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/09/12 15:56:06.0426    mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/09/12 15:56:06.0473    MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/09/12 15:56:06.0520    MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/09/12 15:56:06.0567    MRxSmb          (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/09/12 15:56:06.0614    Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/09/12 15:56:06.0661    MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/09/12 15:56:06.0692    MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/09/12 15:56:06.0739    MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/09/12 15:56:06.0770    mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/09/12 15:56:06.0801    Mup             (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/09/12 15:56:06.0864    NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/09/12 15:56:06.0879    NdisTapi        (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/09/12 15:56:06.0911    Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/09/12 15:56:06.0942    NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/09/12 15:56:06.0973    NDProxy         (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/09/12 15:56:07.0004    NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/09/12 15:56:07.0051    NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/09/12 15:56:07.0145    NIC1394         (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/09/12 15:56:07.0208    nm              (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2010/09/12 15:56:07.0254    NPF             (6623e51595c0076755c29c00846c4eb2) C:\WINDOWS\system32\drivers\npf.sys
2010/09/12 15:56:07.0301    Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/09/12 15:56:07.0333    Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/09/12 15:56:07.0379    Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/09/12 15:56:07.0567    nv              (23b95a09677e62ec8d1641ecf39b9bfb) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/09/12 15:56:07.0723    nvata           (c03e15101f6d9e82cd9b0e7d715f5de3) C:\WINDOWS\system32\DRIVERS\nvata.sys
2010/09/12 15:56:07.0770    nvax            (f3d3015e52f2732042197d4edcaac2cb) C:\WINDOWS\system32\drivers\nvax.sys
2010/09/12 15:56:07.0801    NVENETFD        (97724affdd7a5a47c3bc07ccd1b88745) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/09/12 15:56:07.0817    nvnetbus        (82c2b3a89b9edfa6287c5aba1a4e6a99) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/09/12 15:56:07.0864    nvnforce        (6d6fd2b7035d415621acaf1e555c8b90) C:\WINDOWS\system32\drivers\nvapu.sys
2010/09/12 15:56:07.0911    NVR0Dev         (61d6b1c71ad94f8485e966bebc36d092) C:\WINDOWS\nvoclock.sys
2010/09/12 15:56:08.0301    NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/09/12 15:56:08.0348    NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/09/12 15:56:08.0395    ohci1394        (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/09/12 15:56:08.0458    ossrv           (e852a590216f0da2b94df5a937585554) C:\WINDOWS\system32\drivers\ctoss2k.sys
2010/09/12 15:56:08.0504    Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/09/12 15:56:08.0551    PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/09/12 15:56:08.0583    ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/09/12 15:56:08.0614    PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/09/12 15:56:08.0661    PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/09/12 15:56:08.0692    Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/09/12 15:56:08.0880    PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/09/12 15:56:08.0958    PQNTDrv         (4228630829c0e521c43d882a00533374) C:\WINDOWS\system32\drivers\PQNTDrv.sys
2010/09/12 15:56:08.0989    Processor       (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/09/12 15:56:09.0020    PSched          (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/09/12 15:56:09.0067    Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/09/12 15:56:09.0114    PxHelp20        (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/09/12 15:56:09.0286    RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/09/12 15:56:09.0317    Rasirda         (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2010/09/12 15:56:09.0364    Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/09/12 15:56:09.0395    RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/09/12 15:56:09.0411    Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/09/12 15:56:09.0458    Rdbss           (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/09/12 15:56:09.0489    RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/09/12 15:56:09.0520    rdpdr           (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/09/12 15:56:09.0567    RDPWD           (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/09/12 15:56:09.0645    redbook         (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/09/12 15:56:09.0708    RFCOMM          (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2010/09/12 15:56:09.0817    SANDRA          (230fd3749904ca045ea5ec0aa14006e9) E:\PROGRAMS\SiSoftware Sandra Lite 2010c\WNt500x86\Sandra.sys
2010/09/12 15:56:09.0880    sbp2port        (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
2010/09/12 15:56:09.0958    Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/09/12 15:56:10.0005    serenum         (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/09/12 15:56:10.0020    Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/09/12 15:56:10.0083    Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/09/12 15:56:10.0161    snapman380      (5ce1cf27620b144e212d407cdb14d339) C:\WINDOWS\system32\DRIVERS\snman380.sys
2010/09/12 15:56:10.0208    speedfan        (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
2010/09/12 15:56:10.0255    splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/09/12 15:56:10.0301    sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/09/12 15:56:10.0348    Srv             (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/09/12 15:56:10.0395    swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/09/12 15:56:10.0426    swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/09/12 15:56:10.0551    sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/09/12 15:56:10.0583    Tcpip           (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/12 15:56:10.0630    TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/09/12 15:56:10.0676    tdrpman140      (9855c40de1de32aaa4e290a361cda0f3) C:\WINDOWS\system32\DRIVERS\tdrpm140.sys
2010/09/12 15:56:10.0723    TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/09/12 15:56:10.0755    Teefer          (99336d4da97b4eeaafab46a4f8e512e6) C:\WINDOWS\system32\Drivers\Teefer.sys
2010/09/12 15:56:10.0786    TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/09/12 15:56:10.0833    tifsfilter      (6dcb8ddb481cd3c40fa68593723b4d89) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
2010/09/12 15:56:10.0880    timounter       (394fc70b88b7958fa85798bbc76d140a) C:\WINDOWS\system32\DRIVERS\timntr.sys
2010/09/12 15:56:10.0958    tooeumj         (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\kreq.sys
2010/09/12 15:56:11.0036    truecrypt       (db0815523ac07445a2f09dcd2acea8c3) C:\WINDOWS\system32\drivers\truecrypt.sys
2010/09/12 15:56:11.0067    Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/09/12 15:56:11.0130    Update          (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/09/12 15:56:11.0177    usbccgp         (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/09/12 15:56:11.0192    usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/09/12 15:56:11.0223    usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/09/12 15:56:11.0255    usbohci         (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/09/12 15:56:11.0270    usbstor         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/09/12 15:56:11.0302    VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/09/12 15:56:11.0348    VolSnap         (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/09/12 15:56:11.0427    Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/09/12 15:56:11.0489    wceusbsh        (46a247f6617526afe38b6f12f5512120) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
2010/09/12 15:56:11.0536    wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/09/12 15:56:11.0567    wg3n            (a67340b874df9eaf5b226e5f3473b9da) C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
2010/09/12 15:56:11.0614    wg4n            (851216e2816b7b7e74b5f7ef1d4acfb7) C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys
2010/09/12 15:56:11.0645    wg5n            (aedd1fe0df660411d15da3c57cfc2402) C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys
2010/09/12 15:56:11.0661    wg6n            (dd0d719a58df79086462bd5fc972a908) C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys
2010/09/12 15:56:11.0770    WpdUsb          (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/09/12 15:56:11.0817    wpsdrvnt        (93c145dceb13156322423efd62d4549a) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2010/09/12 15:56:11.0864    WudfPf          (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/09/12 15:56:11.0895    WudfRd          (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/09/12 15:56:11.0958    yukonwxp        (bac4e920c920168c302c90c0f37740f6) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
2010/09/12 15:56:11.0989    ================================================================================
2010/09/12 15:56:11.0989    Scan finished
2010/09/12 15:56:11.0989    ================================================================================
2010/09/12 15:56:12.0067    Detected object count: 1
2010/09/12 15:56:30.0318    Locked file(atapi) - User select action: Skip
2010/09/12 15:56:42.0210    Deinitialize success
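The TDSSKiller log above is mostly a driver inventory (service name, MD5, image path) with one finding: atapi.sys could not be read (NoAccess) and was reported as a locked file, which the poster attributes to Daemon Tools. The script below is an added example, not TDSSKiller's code and not from the thread: a Python triage pass over an excerpt of that log that separates the inventory from the findings, flags images loaded from outside %SystemRoot%\system32\drivers, spots one image registered under two service names, and compares hashes against a caller-supplied known-good baseline. The baseline (known_good) and the "standard location" heuristic are assumptions for illustration; drivers from tools such as SiSoftware Sandra or SpeedFan legitimately load from elsewhere, so the flags are review cues, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the TDSSKiller log above (header,
# a few driver entries, the atapi finding and the scan trailer).
TDSS_LOG = r"""
2010/09/12 15:55:54.0285    Windows directory: C:\WINDOWS
2010/09/12 15:56:00.0613    ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/12 15:56:01.0145    atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/12 15:56:01.0145    Suspicious file (NoAccess): C:\WINDOWS\system32\DRIVERS\atapi.sys. md5: 9f3a2f5aa6875c72bf062c712cfa2674
2010/09/12 15:56:01.0160    atapi - detected Locked file (1)
2010/09/12 15:56:02.0332    COMMONFX        (22f8692fd3e017ead334945b3199b0e3) C:\WINDOWS\system32\drivers\COMMONFX.SYS
2010/09/12 15:56:02.0442    COMMONFX.SYS    (22f8692fd3e017ead334945b3199b0e3) C:\WINDOWS\System32\drivers\COMMONFX.SYS
2010/09/12 15:56:03.0754    Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/09/12 15:56:04.0770    giveio          (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
2010/09/12 15:56:07.0911    NVR0Dev         (61d6b1c71ad94f8485e966bebc36d092) C:\WINDOWS\nvoclock.sys
2010/09/12 15:56:09.0817    SANDRA          (230fd3749904ca045ea5ec0aa14006e9) E:\PROGRAMS\SiSoftware Sandra Lite 2010c\WNt500x86\Sandra.sys
2010/09/12 15:56:10.0208    speedfan        (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
2010/09/12 15:56:10.0583    Tcpip           (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/12 15:56:11.0989    Scan finished
2010/09/12 15:56:12.0067    Detected object count: 1
2010/09/12 15:56:30.0318    Locked file(atapi) - User select action: Skip
"""

TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+"   # leading timestamp on every line
ENTRY_RE = re.compile(TS + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$")
WINDIR_RE = re.compile(TS + r"Windows directory: (?P<dir>.+?)\s*$")
SUSPICIOUS_RE = re.compile(r"Suspicious file \((?P<reason>\w+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})")
LOCKED_RE = re.compile(TS + r"(?P<name>\S+) - detected Locked file")
ACTION_RE = re.compile(r"Locked file\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)")


def triage(log, known_good=None):
    """Parse a TDSSKiller log into a driver inventory plus triage flags.

    known_good maps lowercase service name -> expected MD5. It is a
    hypothetical baseline (e.g. taken from a clean install of the same
    build); none is shipped with this example.
    """
    known_good = known_good or {}
    windir = r"c:\windows"          # default; overridden by the log's own header
    drivers, flags = [], []
    by_md5 = defaultdict(list)
    for line in log.splitlines():
        if m := WINDIR_RE.match(line):
            windir = m["dir"].lower()
        elif m := ENTRY_RE.match(line):
            d = m.groupdict()
            drivers.append(d)
            by_md5[d["md5"]].append(d["name"])
            # Heuristic: boot/storage drivers normally live under system32\drivers
            if not d["path"].lower().startswith(windir + "\\system32\\drivers\\"):
                flags.append(("nonstandard_path", d["name"], d["path"]))
            expected = known_good.get(d["name"].lower())
            if expected and expected != d["md5"]:
                flags.append(("hash_mismatch", d["name"], d["md5"]))
        elif m := SUSPICIOUS_RE.search(line):
            flags.append(("suspicious_" + m["reason"].lower(), m["path"], m["md5"]))
        elif m := LOCKED_RE.match(line):
            flags.append(("locked", m["name"], ""))
        elif m := ACTION_RE.search(line):
            flags.append(("user_action", m["name"], m["action"]))
    # The same image registered under two service names (COMMONFX / COMMONFX.SYS here)
    duplicates = {h: names for h, names in by_md5.items() if len(names) > 1}
    return {"drivers": drivers, "flags": flags, "duplicates": duplicates}


if __name__ == "__main__":
    r = triage(TDSS_LOG)
    print(f"{len(r['drivers'])} driver entries")
    for kind, what, detail in r["flags"]:
        print(f"{kind:20} {what}  {detail}")
    for h, names in r["duplicates"].items():
        print(f"shared image {h}: {', '.join(names)}")
```

Run as-is it prints the inventory size, the NoAccess/locked finding for atapi.sys and the "Skip" the user chose, and the four images outside the drivers directory. Passing a real baseline as known_good turns the script into a hash comparison for the locked file, which is the check that actually settles whether atapi.sys is the stock image or a replacement.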


#6 m0le


Posted 12 September 2010 - 05:51 PM

Let's check the atapi file out.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 tifosia

tifosia
  • Topic Starter

  • Members
  • 4 posts

Posted 14 September 2010 - 04:27 PM

CODE
ComboFix 10-09-14.01 - Tifosia 14/09/2010  22:03:14.3.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.2046.1536 [GMT 1:00]
Running from: c:\documents and settings\Tifosia\Local Settings\Application Data\Opera\Opera\temporary_downloads\ComboFix.exe
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\daemon.dll

.
(((((((((((((((((((((((((   Files Created from 2010-08-14 to 2010-09-14  )))))))))))))))))))))))))))))))
.

2010-09-12 17:35 . 2010-09-14 12:42    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\GrabIt
2010-09-11 14:34 . 2010-09-11 14:34    --------    d--h--w-    c:\program files\InstallJammer Registry
2010-09-11 14:34 . 2010-09-14 21:12    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\Gmote
2010-09-09 21:22 . 2010-09-09 21:22    --------    d-----w-    c:\program files\Common Files\Java
2010-09-09 21:22 . 2010-09-09 21:22    423656    ----a-w-    c:\windows\system32\deployJava1.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 21:13 . 2009-04-29 12:58    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\skypePM
2010-09-14 21:13 . 2009-04-28 16:01    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\Skype
2010-09-14 21:11 . 2009-04-28 14:15    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\Hamachi
2010-09-14 18:59 . 2009-05-30 21:50    --------    d-----w-    c:\program files\Common Files\Wise Installation Wizard
2010-09-11 16:31 . 2009-05-18 10:43    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\dvdcss
2010-09-05 22:19 . 2009-04-28 14:17    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\uTorrent
2010-08-31 14:13 . 2010-01-10 21:19    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-08-22 19:25 . 2009-04-29 16:45    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\CoreFTP
2010-08-20 21:27 . 2009-10-03 09:41    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\Spotify
2010-08-14 11:57 . 2010-02-28 14:03    2316    ----a-w-    c:\documents and settings\All Users\Application Data\xml278.tmp
2010-08-14 11:57 . 2010-02-28 14:03    14096    ----a-w-    c:\documents and settings\All Users\Application Data\xml277.tmp
2010-08-14 11:57 . 2010-02-28 14:03    10390    ----a-w-    c:\documents and settings\All Users\Application Data\xml276.tmp
2010-08-07 12:10 . 2010-08-06 23:14    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\vlc
2010-08-07 11:52 . 2009-04-28 11:16    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-08-03 00:51 . 2009-05-26 15:02    1324    ----a-w-    c:\windows\system32\d3d9caps.dat
2010-07-29 18:29 . 2009-04-28 15:32    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\.purple
2010-07-29 18:27 . 2010-07-29 18:27    2157    ----a-w-    c:\documents and settings\Tifosia\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2010-07-29 18:27 . 2010-07-29 18:27    2095    ----a-w-    c:\documents and settings\Tifosia\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2010-07-29 18:27 . 2010-07-29 18:27    1089    ----a-w-    c:\documents and settings\Tifosia\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
2010-07-27 15:08 . 2010-07-27 15:08    --------    d-----w-    c:\documents and settings\All Users\Application Data\WinZip
2010-07-24 19:09 . 2009-04-28 19:14    --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-18 21:30 . 2010-07-18 21:16    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\UltraVNC
2010-07-07 12:02 . 2010-07-07 12:02    655360    ----a-w-    c:\documents and settings\Tifosia\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-07-07 12:02 . 2010-07-07 12:02    282624    ----a-w-    c:\documents and settings\Tifosia\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-07-07 12:02 . 2010-07-07 12:02    208896    ----a-w-    c:\documents and settings\Tifosia\Application Data\Spotify\Gracenote\gnsdk_dsp.dll
2010-07-01 12:52 . 2010-07-06 08:24    1496064    ----a-w-    c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-01 12:51 . 2010-07-06 08:24    43008    ----a-w-    c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-01 12:51 . 2010-07-06 08:24    338944    ----a-w-    c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-01 12:51 . 2010-07-06 08:24    346112    ----a-w-    c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-30 12:31 . 2004-08-10 12:00    149504    ----a-w-    c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-10 12:00    916480    ----a-w-    c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-10 12:00    1851904    ----a-w-    c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-10 12:00    354304    ----a-w-    c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-10 12:00    80384    ----a-w-    c:\windows\system32\iccvid.dll
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 15:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-10 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
[7] 2004-08-10 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"Skype"="e:\programs\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-10-03 4344472]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-10-03 960376]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"nwiz"="nwiz.exe" [2009-03-27 1657376]
"WinVNC"="e:\programs\TightVNC\WinVNC.exe" [2009-03-05 585728]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"DAEMON Tools-1033"="e:\programs\DAEMON Tools\daemon.exe" [2004-03-12 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Tifosia\Start Menu\Programs\Startup\
android-notifier-desktop.lnk - e:\programs\Android Notifier Desktop\android-notifier-desktop.exe [2010-9-1 163152]
ClearTemp.bat [2009-4-28 345]
GmoteServer.lnk - e:\programs\Gmote\GmoteServer.exe [2010-9-11 451584]
hamachi.lnk - e:\programs\Hamachi\hamachi.exe [2009-4-28 625952]
Samurize (2).lnk - c:\program files\Samurize\Client.exe [2007-4-7 2010624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Firefox Preloader.lnk - c:\program files\FirefoxPreloader\FirefoxPreloader.exe [2009-4-28 98304]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Tifosia^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Tifosia\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DevconDefaultDB]
c:\windows\system32\READREG [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-10-03 21:40    165144    ----a-w-    c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2009-03-04 11:30    46592    ----a-w-    c:\windows\system32\ctasio.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12    110592    ----a-w-    c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12    15360    ----a-w-    c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2009-03-04 11:45    19456    ----a-w-    c:\windows\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2007-04-09 11:32    19968    ----a-w-    c:\windows\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-03-12 21:43    81920    ----a-w-    e:\programs\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12    1695232    ------w-    c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-27 09:03    13684736    ----a-w-    c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-03-27 09:03    86016    ----a-w-    c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
2004-12-20 16:12    131072    ----a-w-    c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-03-27 09:03    1657376    ----a-w-    c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18    413696    ----a-w-    c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-06-12 13:42    1238352    ----a-w-    e:\games\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\PROGRAMS\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\PROGRAMS\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\PROGRAMS\\TightVNC\\WinVNC.exe"=
"e:\\PROGRAMS\\DC++\\DCPlusPlus.exe"=
"e:\\PROGRAMS\\DCHUB\\DCHub.exe"=
"e:\\PROGRAMS\\DCHUB\\Direct Connect Hub Interface.exe"=
"e:\\PROGRAMS\\Spotify\\spotify.exe"=
"e:\\PROGRAMS\\Http explorer\\hexplorer.exe"=
"e:\\PROGRAMS\\Diskeeper\\DkService.exe"=
"e:\\PROGRAMS\\2BrightSparks\\SyncBackSE\\SyncBackSE.exe"=
"e:\\GAMES\\EA Games\\Command and Conquer Generals\\game.dat"=
"e:\\PROGRAMS\\Skype\\Plugin Manager\\skypePM.exe"=
"e:\\PROGRAMS\\SiSoftware Sandra Lite 2010c\\RpcAgentSrv.exe"=
"e:\\PROGRAMS\\SiSoftware Sandra Lite 2010c\\WNt500x86\\sandra.mui"=
"e:\\PROGRAMS\\Opera\\opera.exe"=
"e:\\GAMES\\Steam\\Steam.exe"=
"e:\\GAMES\\EA Games\\Command & Conquer Generals Zero Hour\\game.dat"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"e:\\PROGRAMS\\SiSoftware Sandra Lite 2010c\\WNt500x86\\RpcSandraSrv.exe"=
"e:\\PROGRAMS\\Iometer 2006.07.27\\Dynamo.exe"=
"e:\\PROGRAMS\\Iometer 2006.07.27\\Iometer.exe"=
"e:\\GAMES\\Steam\\steamapps\\Tifosia@hotmail.com\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"e:\\PROGRAMS\\ICW\\Bin\\rsync.exe"=
"e:\\PROGRAMS\\ICW\\Bin\\ftp.exe"=
"e:\\PROGRAMS\\ICW\\Bin\\sshd.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\android-notifier-desktop.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"e:\\PROGRAMS\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"22:TCP"= 22:TCP:SSH
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [28/04/2009 15:13 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [28/04/2009 15:13 5248]
R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\windows\system32\drivers\tdrpm140.sys [28/04/2009 13:37 971168]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [07/03/2010 01:01 9600]
R2 HamachiService;Hamachi Service;e:\programs\Hamachi\hamachi.exe [28/04/2009 15:14 625952]
R2 MaxiAcom;MaxiAcom;c:\windows\system32\drivers\Maxiacom.SYS [26/05/2009 15:58 6016]
R2 OpenSSHServer;Openssh SSHD;e:\programs\ICW\Bin\cygrunsrv.exe [14/05/2009 01:22 68096]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [04/03/2009 14:42 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [04/03/2009 14:42 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [04/03/2009 14:42 566296]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [28/02/2010 16:14 41120]
R3 maxivista;Maxi_Vista_DriverA;c:\windows\system32\drivers\maxivista.sys [26/05/2009 15:58 4864]
S2 gupdate1c9da0483ef6b40;Google Update Service (gupdate1c9da0483ef6b40);c:\program files\Google\Update\GoogleUpdate.exe [21/05/2009 12:08 133104]
S3 BrlAPI;BrlAPI;e:\programs\ICW\Bin\cygrunsrv.exe [14/05/2009 01:22 68096]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [04/03/2009 14:42 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [28/04/2009 18:47 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [04/03/2009 14:42 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [04/03/2009 14:42 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [04/03/2009 14:42 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [04/03/2009 14:42 566296]
S3 FNETTHJM;Freecom Turbo USB 2.0;c:\windows\system32\drivers\fnetthjm.sys [11/05/2009 19:18 23936]
S3 IMNPF;WinPcap Packet Driver (IMNPF);c:\windows\system32\drivers\IMNPF.sys --> c:\windows\system32\drivers\IMNPF.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06/11/2007 21:22 34064]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;e:\programs\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe [28/02/2010 15:00 93336]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 13:37 517096]
.
Contents of the 'Scheduled Tasks' folder

2010-09-12 c:\windows\Tasks\AdobeAAMUpdater-1.0-DOUGAL-Tifosia.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-06-02 02:44]

2010-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-21 11:08]

2010-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-21 11:08]

2010-09-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2010-09-12 c:\windows\Tasks\SyncBackSE Leicester to London.job
- e:\programs\2BrightSparks\SyncBackSE\SyncBackSE.exe [2009-04-28 14:17]

2009-11-22 c:\windows\Tasks\SyncBackSE Zebedee Sync.job
- e:\programs\2BrightSparks\SyncBackSE\SyncBackSE.exe [2009-04-28 14:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = socks=localhost:5555
uInternet Settings,ProxyOverride = *.local;<local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - e:\programs\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {D026AC0B-78E1-4291-84EE-D30CE27BCF6C} = 208.67.222.222
FF - ProfilePath - c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - component: c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: e:\programs\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-14 22:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A438F00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f58cb8
\Driver\atapi -> 0x8a438f00
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1547161642-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F22FF30-0C64-EFD3-37CC-B653701D63C2}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oannacgceikjncablofokpfbgbnbal"=hex:6a,61,69,62,6a,70,6b,68,6c,6e,63,69,68,69,
   6e,69,67,6f,65,6b,00,6f
"nadnndckicjjedlmcffmmgcamdio"=hex:6a,61,69,62,6a,70,6b,68,6c,6e,63,69,68,69,
   6e,69,67,6f,65,6b,00,6f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4272)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSENG.DLL
c:\windows\system32\nvwddi.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
e:\programs\Haali\MatroskaSplitter\mmfinfo.dll
e:\programs\Haali\MatroskaSplitter\mkunicode.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\smc.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
e:\programs\Diskeeper\DkService.exe
c:\program files\Java\jre6\launch4j-tmp\android-notifier-desktop.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
e:\programs\CDBurnerXP\NMSAccessU.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\ehome\mcrdsvc.exe
e:\programs\ICW\bin\sshd.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\dllhost.exe
e:\programs\Skype\Plugin Manager\skypePM.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2010-09-14  22:16:57 - machine was rebooted
ComboFix-quarantined-files.txt  2010-09-14 21:16

Pre-Run: 4,571,484,160 bytes free
Post-Run: 4,570,382,336 bytes free

- - End Of File - - DD9E1FB28CC67524104EFD5AF555DD72




#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 September 2010 - 06:41 PM

Yes, the atapi file has been modified.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys

RegNull::
[HKEY_USERS\S-1-5-21-854245398-1547161642-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F22FF30-0C64-EFD3-37CC-B653701D63C2}*]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests that you update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please also run MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE
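The reading m0le gives of the Sigcheck section (pristine copies in ServicePackFiles and dllcache hash identically, while the live copy in system32\drivers could not be opened at all) can be automated. The following is an added example, not part of this thread and not ComboFix's own code: it parses Sigcheck lines in the format quoted above and returns a verdict per live driver. The sample lines are copied from the log above; the verdict names and the reference/live directory lists are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample in the format of the Sigcheck section of the ComboFix log above:
# two pristine copies, the live driver ComboFix could not open, and an older backup copy.
SIGCHECK_SAMPLE = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 15:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-10 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
"""


@dataclass
class SigcheckEntry:
    flag: str            # ComboFix's own verification flag, carried through uninterpreted
    md5: Optional[str]   # None when ComboFix reported it could not open the file
    size: int
    version: str         # "------" when no version resource could be read
    path: str            # lower-cased for comparison


# Assumed layout: where Windows XP keeps pristine copies of a system driver, and where the live copy lives.
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\")
LIVE_DIR = "\\system32\\drivers\\"

# Fields are separated by " . "; empty fields appear as ". ." so a run of separators is one split.
FIELD_SEP = re.compile(r"(?:\s*\.\s+)+")


def parse_sigcheck_line(line: str) -> Optional[SigcheckEntry]:
    """Parse one Sigcheck line; return None for anything that is not in that format."""
    fields = FIELD_SEP.split(line.strip())
    if len(fields) != 5 or not fields[0].startswith("["):
        return None
    head, md5_field, size, version, path = fields
    flag = head[1:head.index("]")]
    md5 = None if md5_field.startswith("!HASH") else md5_field.upper()
    return SigcheckEntry(flag, md5, int(size), version.strip("[]"), path.lower())


def assess_drivers(log_text: str) -> Dict[str, str]:
    """
    One verdict per live driver (keyed by file name):
      'unreadable'   - the system32\\drivers copy could not be hashed (locked or hidden),
                       which is the condition shown in the log above
      'mismatch'     - its MD5 differs from every ServicePackFiles/dllcache copy
      'no-reference' - no pristine copy to compare against
      'ok'           - MD5 agrees with a pristine copy
    """
    reference: Dict[str, Set[str]] = {}
    live: Dict[str, SigcheckEntry] = {}
    for line in log_text.splitlines():
        entry = parse_sigcheck_line(line)
        if entry is None:
            continue
        name = entry.path.rsplit("\\", 1)[-1]
        if any(d in entry.path for d in REFERENCE_DIRS):
            if entry.md5:
                reference.setdefault(name, set()).add(entry.md5)
        elif LIVE_DIR in entry.path:
            live[name] = entry

    verdicts: Dict[str, str] = {}
    for name, entry in live.items():
        if entry.md5 is None:
            verdicts[name] = "unreadable"
        elif name not in reference:
            verdicts[name] = "no-reference"
        elif entry.md5 in reference[name]:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    return verdicts


if __name__ == "__main__":
    for name, verdict in assess_drivers(SIGCHECK_SAMPLE).items():
        print(f"{name}: {verdict}")   # prints "atapi.sys: unreadable"
```

An 'unreadable' verdict on its own does not prove tampering; it says only that the live copy could not be compared, which is exactly why the thread goes on to restore it from the ServicePackFiles copy and re-check.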

#9 tifosia

tifosia
  • Topic Starter

  • Members
  • 4 posts

Posted 15 September 2010 - 01:08 PM

I believe that the atapi file has not been modified maliciously but by the virtual CD drive tool Daemon Tools; I still think this is a false positive.


CODE
ComboFix 10-09-14.05 - Tifosia 15/09/2010  18:46:00.4.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.2046.1548 [GMT 1:00]
Running from: c:\documents and settings\Tifosia\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tifosia\Desktop\CFScript.txt
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
(((((((((((((((((((((((((   Files Created from 2010-08-15 to 2010-09-15  )))))))))))))))))))))))))))))))
.

2010-09-12 17:35 . 2010-09-14 12:42    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\GrabIt
2010-09-11 14:34 . 2010-09-11 14:34    --------    d--h--w-    c:\program files\InstallJammer Registry
2010-09-11 14:34 . 2010-09-15 17:53    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\Gmote
2010-09-09 21:22 . 2010-09-09 21:22    --------    d-----w-    c:\program files\Common Files\Java
2010-09-09 21:22 . 2010-09-09 21:22    423656    ----a-w-    c:\windows\system32\deployJava1.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 17:57 . 2009-04-28 14:15    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\Hamachi
2010-09-15 17:55 . 2009-04-29 12:58    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\skypePM
2010-09-15 17:55 . 2009-04-28 16:01    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\Skype
2010-09-14 18:59 . 2009-05-30 21:50    --------    d-----w-    c:\program files\Common Files\Wise Installation Wizard
2010-09-11 16:31 . 2009-05-18 10:43    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\dvdcss
2010-09-05 22:19 . 2009-04-28 14:17    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\uTorrent
2010-08-31 14:13 . 2010-01-10 21:19    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-08-22 19:25 . 2009-04-29 16:45    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\CoreFTP
2010-08-20 21:27 . 2009-10-03 09:41    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\Spotify
2010-08-14 11:57 . 2010-02-28 14:03    2316    ----a-w-    c:\documents and settings\All Users\Application Data\xml278.tmp
2010-08-14 11:57 . 2010-02-28 14:03    14096    ----a-w-    c:\documents and settings\All Users\Application Data\xml277.tmp
2010-08-14 11:57 . 2010-02-28 14:03    10390    ----a-w-    c:\documents and settings\All Users\Application Data\xml276.tmp
2010-08-07 12:10 . 2010-08-06 23:14    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\vlc
2010-08-07 11:52 . 2009-04-28 11:16    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-08-03 00:51 . 2009-05-26 15:02    1324    ----a-w-    c:\windows\system32\d3d9caps.dat
2010-07-29 18:29 . 2009-04-28 15:32    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\.purple
2010-07-29 18:27 . 2010-07-29 18:27    2157    ----a-w-    c:\documents and settings\Tifosia\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2010-07-29 18:27 . 2010-07-29 18:27    2095    ----a-w-    c:\documents and settings\Tifosia\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2010-07-29 18:27 . 2010-07-29 18:27    1089    ----a-w-    c:\documents and settings\Tifosia\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
2010-07-27 15:08 . 2010-07-27 15:08    --------    d-----w-    c:\documents and settings\All Users\Application Data\WinZip
2010-07-24 19:09 . 2009-04-28 19:14    --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-18 21:30 . 2010-07-18 21:16    --------    d-----w-    c:\documents and settings\Tifosia\Application Data\UltraVNC
2010-07-07 12:02 . 2010-07-07 12:02    655360    ----a-w-    c:\documents and settings\Tifosia\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-07-07 12:02 . 2010-07-07 12:02    282624    ----a-w-    c:\documents and settings\Tifosia\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-07-07 12:02 . 2010-07-07 12:02    208896    ----a-w-    c:\documents and settings\Tifosia\Application Data\Spotify\Gracenote\gnsdk_dsp.dll
2010-07-01 12:52 . 2010-07-06 08:24    1496064    ----a-w-    c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-01 12:51 . 2010-07-06 08:24    43008    ----a-w-    c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-01 12:51 . 2010-07-06 08:24    338944    ----a-w-    c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-01 12:51 . 2010-07-06 08:24    346112    ----a-w-    c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-30 12:31 . 2004-08-10 12:00    149504    ----a-w-    c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-10 12:00    916480    ----a-w-    c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-10 12:00    1851904    ----a-w-    c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-10 12:00    354304    ----a-w-    c:\windows\system32\drivers\srv.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 18:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-10 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
[7] 2004-08-10 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"Skype"="e:\programs\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-10-03 4344472]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-10-03 960376]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"nwiz"="nwiz.exe" [2009-03-27 1657376]
"WinVNC"="e:\programs\TightVNC\WinVNC.exe" [2009-03-05 585728]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"DAEMON Tools-1033"="e:\programs\DAEMON Tools\daemon.exe" [2004-03-12 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Tifosia\Start Menu\Programs\Startup\
android-notifier-desktop.lnk - e:\programs\Android Notifier Desktop\android-notifier-desktop.exe [2010-9-1 163152]
ClearTemp.bat [2009-4-28 345]
GmoteServer.lnk - e:\programs\Gmote\GmoteServer.exe [2010-9-11 451584]
hamachi.lnk - e:\programs\Hamachi\hamachi.exe [2009-4-28 625952]
Samurize (2).lnk - c:\program files\Samurize\Client.exe [2007-4-7 2010624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Firefox Preloader.lnk - c:\program files\FirefoxPreloader\FirefoxPreloader.exe [2009-4-28 98304]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Tifosia^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Tifosia\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DevconDefaultDB]
c:\windows\system32\READREG [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-10-03 21:40    165144    ----a-w-    c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2009-03-04 11:30    46592    ----a-w-    c:\windows\system32\ctasio.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12    110592    ----a-w-    c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12    15360    ----a-w-    c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2009-03-04 11:45    19456    ----a-w-    c:\windows\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2007-04-09 11:32    19968    ----a-w-    c:\windows\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-03-12 21:43    81920    ----a-w-    e:\programs\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12    1695232    ------w-    c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-27 09:03    13684736    ----a-w-    c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-03-27 09:03    86016    ----a-w-    c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
2004-12-20 16:12    131072    ----a-w-    c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-03-27 09:03    1657376    ----a-w-    c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18    413696    ----a-w-    c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-06-12 13:42    1238352    ----a-w-    e:\games\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\PROGRAMS\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\PROGRAMS\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\PROGRAMS\\TightVNC\\WinVNC.exe"=
"e:\\PROGRAMS\\DC++\\DCPlusPlus.exe"=
"e:\\PROGRAMS\\DCHUB\\DCHub.exe"=
"e:\\PROGRAMS\\DCHUB\\Direct Connect Hub Interface.exe"=
"e:\\PROGRAMS\\Spotify\\spotify.exe"=
"e:\\PROGRAMS\\Http explorer\\hexplorer.exe"=
"e:\\PROGRAMS\\Diskeeper\\DkService.exe"=
"e:\\PROGRAMS\\2BrightSparks\\SyncBackSE\\SyncBackSE.exe"=
"e:\\GAMES\\EA Games\\Command and Conquer Generals\\game.dat"=
"e:\\PROGRAMS\\Skype\\Plugin Manager\\skypePM.exe"=
"e:\\PROGRAMS\\SiSoftware Sandra Lite 2010c\\RpcAgentSrv.exe"=
"e:\\PROGRAMS\\SiSoftware Sandra Lite 2010c\\WNt500x86\\sandra.mui"=
"e:\\PROGRAMS\\Opera\\opera.exe"=
"e:\\GAMES\\Steam\\Steam.exe"=
"e:\\GAMES\\EA Games\\Command & Conquer Generals Zero Hour\\game.dat"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"e:\\PROGRAMS\\SiSoftware Sandra Lite 2010c\\WNt500x86\\RpcSandraSrv.exe"=
"e:\\PROGRAMS\\Iometer 2006.07.27\\Dynamo.exe"=
"e:\\PROGRAMS\\Iometer 2006.07.27\\Iometer.exe"=
"e:\\GAMES\\Steam\\steamapps\\Tifosia@hotmail.com\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"e:\\PROGRAMS\\ICW\\Bin\\rsync.exe"=
"e:\\PROGRAMS\\ICW\\Bin\\ftp.exe"=
"e:\\PROGRAMS\\ICW\\Bin\\sshd.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\android-notifier-desktop.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"e:\\PROGRAMS\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"22:TCP"= 22:TCP:SSH
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [28/04/2009 15:13 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [28/04/2009 15:13 5248]
R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\windows\system32\drivers\tdrpm140.sys [28/04/2009 13:37 971168]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [07/03/2010 01:01 9600]
R2 HamachiService;Hamachi Service;e:\programs\Hamachi\hamachi.exe [28/04/2009 15:14 625952]
R2 MaxiAcom;MaxiAcom;c:\windows\system32\drivers\Maxiacom.SYS [26/05/2009 15:58 6016]
R2 OpenSSHServer;Openssh SSHD;e:\programs\ICW\Bin\cygrunsrv.exe [14/05/2009 01:22 68096]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [04/03/2009 14:42 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [04/03/2009 14:42 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [04/03/2009 14:42 566296]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [28/02/2010 16:14 41120]
R3 maxivista;Maxi_Vista_DriverA;c:\windows\system32\drivers\maxivista.sys [26/05/2009 15:58 4864]
S2 gupdate1c9da0483ef6b40;Google Update Service (gupdate1c9da0483ef6b40);c:\program files\Google\Update\GoogleUpdate.exe [21/05/2009 12:08 133104]
S3 BrlAPI;BrlAPI;e:\programs\ICW\Bin\cygrunsrv.exe [14/05/2009 01:22 68096]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [04/03/2009 14:42 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [28/04/2009 18:47 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [04/03/2009 14:42 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [04/03/2009 14:42 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [04/03/2009 14:42 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [04/03/2009 14:42 566296]
S3 FNETTHJM;Freecom Turbo USB 2.0;c:\windows\system32\drivers\fnetthjm.sys [11/05/2009 19:18 23936]
S3 IMNPF;WinPcap Packet Driver (IMNPF);c:\windows\system32\drivers\IMNPF.sys --> c:\windows\system32\drivers\IMNPF.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06/11/2007 21:22 34064]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;e:\programs\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe [28/02/2010 15:00 93336]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 13:37 517096]
.
Contents of the 'Scheduled Tasks' folder

2010-09-15 c:\windows\Tasks\AdobeAAMUpdater-1.0-DOUGAL-Tifosia.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-06-02 02:44]

2010-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-21 11:08]

2010-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-21 11:08]

2010-09-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2010-09-12 c:\windows\Tasks\SyncBackSE Leicester to London.job
- e:\programs\2BrightSparks\SyncBackSE\SyncBackSE.exe [2009-04-28 14:17]

2009-11-22 c:\windows\Tasks\SyncBackSE Zebedee Sync.job
- e:\programs\2BrightSparks\SyncBackSE\SyncBackSE.exe [2009-04-28 14:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = socks=localhost:5555
uInternet Settings,ProxyOverride = *.local;<local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - e:\programs\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {D026AC0B-78E1-4291-84EE-D30CE27BCF6C} = 208.67.222.222
FF - ProfilePath - c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - component: c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Tifosia\Application Data\Mozilla\Firefox\Profiles\lyjz4ki1.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: e:\programs\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-15 18:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A455878]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f58cb8
\Driver\atapi -> 0x8a455878
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5128)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSENG.DLL
c:\windows\system32\nvwddi.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\smc.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\launch4j-tmp\android-notifier-desktop.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
e:\programs\Diskeeper\DkService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
e:\programs\CDBurnerXP\NMSAccessU.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\ehome\mcrdsvc.exe
e:\programs\ICW\bin\sshd.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\dllhost.exe
e:\programs\Skype\Plugin Manager\skypePM.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2010-09-15  18:59:13 - machine was rebooted
ComboFix-quarantined-files.txt  2010-09-15 17:59
ComboFix2.txt  2010-09-14 21:16

Pre-Run: 4,578,308,096 bytes free
Post-Run: 4,556,374,016 bytes free

- - End Of File - - A4D3544CBED57231E3DE74ED4A720D90

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:            
Windows Version:        Windows XP Professional
Windows Information:        Service Pack 3 (build 2600)
Logical Drives Mask:        0x0300007c

Kernel Drivers (total 169):
  0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
  0x806D0000 \WINDOWS\system32\hal.dll
  0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
  0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
  0xB9F80000 d346bus.sys
  0xB9F52000 ACPI.sys
  0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
  0xB9F41000 pci.sys
  0xBA0A8000 isapnp.sys
  0xBA0B8000 ohci1394.sys
  0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
  0xBA670000 pciide.sys
  0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
  0xBA0D8000 MountMgr.sys
  0xB9F22000 ftdisk.sys
  0xBA5AC000 dmload.sys
  0xB9EFC000 dmio.sys
  0xBA330000 PartMgr.sys
  0xBA0E8000 VolSnap.sys
  0xB9EE4000          
  0xB9ECB000 nvata.sys
  0xBA5AE000 d346prt.sys
  0xB9EB3000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
  0xBA0F8000 disk.sys
  0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
  0xB9E93000 fltmgr.sys
  0xB9E81000 sr.sys
  0xBA118000 PxHelp20.sys
  0xB9E6A000 KSecDD.sys
  0xB9E57000 WudfPf.sys
  0xB9DCA000 Ntfs.sys
  0xB9D9D000 NDIS.sys
  0xB9D1A000 timntr.sys
  0xBA128000 Combo-Fix.sys
  0xB9CFD000 Teefer.sys
  0xB9C11000 tdrpm140.sys
  0xBA5B0000 speedfan.sys
  0xB9BF1000 snman380.sys
  0xBA138000 sbp2port.sys
  0xB9BD7000 Mup.sys
  0xBA671000 giveio.sys
  0xB91BA000 \SystemRoot\system32\DRIVERS\AmdK8.sys
  0xBA438000 \SystemRoot\system32\DRIVERS\usbohci.sys
  0xB8AE8000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0xBA440000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0xB91AA000 \SystemRoot\system32\DRIVERS\imapi.sys
  0xB919A000 \SystemRoot\system32\DRIVERS\cdrom.sys
  0xB918A000 \SystemRoot\system32\DRIVERS\redbook.sys
  0xB8AC5000 \SystemRoot\system32\DRIVERS\ks.sys
  0xB8A45000 \SystemRoot\system32\drivers\ctaud2k.sys
  0xB8A21000 \SystemRoot\system32\drivers\portcls.sys
  0xB917A000 \SystemRoot\system32\drivers\drmk.sys
  0xB89ED000 \SystemRoot\system32\drivers\ctoss2k.sys
  0xBA448000 \SystemRoot\system32\drivers\ctprxy2k.sys
  0xB916A000 \SystemRoot\system32\DRIVERS\nic1394.sys
  0xB89B6000 \SystemRoot\system32\DRIVERS\yk51x86.sys
  0xB9A83000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
  0xB896B000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
  0xB8934000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
  0xB8336000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
  0xB8322000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
  0xBA450000 \SystemRoot\system32\DRIVERS\fdc.sys
  0xB915A000 \SystemRoot\system32\DRIVERS\serial.sys
  0xB9A7F000 \SystemRoot\system32\DRIVERS\serenum.sys
  0xBA458000 \SystemRoot\system32\DRIVERS\irsir.sys
  0xB9A7B000 \SystemRoot\system32\DRIVERS\irenum.sys
  0xB914A000 \SystemRoot\system32\DRIVERS\i8042prt.sys
  0xBA460000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0xBA468000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0xB8255000 \SystemRoot\system32\DRIVERS\btkrnl.sys
  0xBA5DE000 \SystemRoot\system32\DRIVERS\maxivista.sys
  0xBA7F2000 \SystemRoot\system32\DRIVERS\audstub.sys
  0xBA470000 \SystemRoot\system32\DRIVERS\rasirda.sys
  0xBA478000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0xB913A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
  0xB9AFB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
  0xB823E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
  0xB912A000 \SystemRoot\system32\DRIVERS\raspppoe.sys
  0xBA248000 \SystemRoot\system32\DRIVERS\raspptp.sys
  0xB822D000 \SystemRoot\system32\DRIVERS\psched.sys
  0xB8C05000 \SystemRoot\system32\DRIVERS\msgpc.sys
  0xBA480000 \SystemRoot\system32\DRIVERS\ptilink.sys
  0xBA488000 \SystemRoot\system32\DRIVERS\raspti.sys
  0xBA490000 \SystemRoot\system32\DRIVERS\hamachi.sys
  0xB81FD000 \SystemRoot\system32\DRIVERS\rdpdr.sys
  0xB8BF5000 \SystemRoot\system32\DRIVERS\termdd.sys
  0xBA5E0000 \SystemRoot\system32\DRIVERS\swenum.sys
  0xB819F000 \SystemRoot\system32\DRIVERS\update.sys
  0xB9AE7000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0xB8BE5000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0xB5032000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0xB5595000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0xB2D35000 \SystemRoot\system32\drivers\hap16v2k.sys
  0xB2C2B000 \SystemRoot\system32\drivers\ha10kx2k.sys
  0xB2BFC000 \SystemRoot\system32\drivers\emupia2k.sys
  0xB2BD3000 \SystemRoot\system32\drivers\ctsfm2k.sys
  0xB2B37000 \SystemRoot\system32\drivers\ctac32k.sys
  0xAD60A000 \SystemRoot\System32\drivers\COMMONFX.SYS
  0xAD57F000 \SystemRoot\System32\drivers\CTAUDFX.SYS
  0xAD4F1000 \SystemRoot\System32\drivers\CTSBLFX.SYS
  0xAE635000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
  0xBA61E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0xAE4AA000 \SystemRoot\System32\Drivers\Null.SYS
  0xBA620000 \SystemRoot\System32\Drivers\Beep.SYS
  0xAEA10000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
  0xAEA08000 \SystemRoot\System32\drivers\vga.sys
  0xBA622000 \SystemRoot\System32\Drivers\mnmdd.SYS
  0xBA624000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0xAEA00000 \SystemRoot\System32\Drivers\Msfs.SYS
  0xAE9F8000 \SystemRoot\System32\Drivers\Npfs.SYS
  0xB4E11000 \SystemRoot\system32\DRIVERS\rasacd.sys
  0xAB37B000 \SystemRoot\system32\DRIVERS\ipsec.sys
  0xAB322000 \SystemRoot\system32\DRIVERS\tcpip.sys
  0xADDBB000 \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
  0xAB2FC000 \SystemRoot\system32\DRIVERS\ipnat.sys
  0xADDAB000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0xAB2D4000 \SystemRoot\system32\DRIVERS\netbt.sys
  0xAB2B2000 \SystemRoot\System32\drivers\afd.sys
  0xADD9B000 \SystemRoot\system32\DRIVERS\netbios.sys
  0xAB27F000 \SystemRoot\System32\drivers\truecrypt.sys
  0xAB254000 \SystemRoot\system32\DRIVERS\rdbss.sys
  0xAE155000 \SystemRoot\System32\Drivers\PQNTDrv.SYS
  0xAB1E4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  0xB4C86000 \SystemRoot\System32\Drivers\ISODisk.SYS
  0xADD7B000 \SystemRoot\system32\DRIVERS\arp1394.sys
  0xADD6B000 \SystemRoot\System32\Drivers\Fips.SYS
  0xAE9E8000 \SystemRoot\System32\Drivers\BTHUSB.sys
  0xAB1A1000 \SystemRoot\System32\Drivers\bthport.sys
  0xAE613000 \SystemRoot\system32\DRIVERS\usbccgp.sys
  0xB4C5A000 \SystemRoot\system32\DRIVERS\hidusb.sys
  0xB4D12000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
  0xAE60B000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
  0xB4C56000 \SystemRoot\system32\DRIVERS\mouhid.sys
  0xB4CB2000 \SystemRoot\system32\DRIVERS\rfcomm.sys
  0xAE603000 \SystemRoot\system32\DRIVERS\BthEnum.sys
  0xAB188000 \SystemRoot\system32\DRIVERS\bthpan.sys
  0xAE5FB000 \SystemRoot\system32\DRIVERS\hidbth.sys
  0xB4517000 \SystemRoot\System32\Drivers\Cdfs.SYS
  0xBF800000 \SystemRoot\System32\win32k.sys
  0xB8183000 \SystemRoot\System32\drivers\Dxapi.sys
  0xB4E4F000 \SystemRoot\System32\watchdog.sys
  0xBF000000 \SystemRoot\System32\drivers\dxg.sys
  0xBA7A5000 \SystemRoot\System32\drivers\dxgthk.sys
  0xBF012000 \SystemRoot\System32\nv4_disp.dll
  0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
  0xB77A9000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
  0xAAE99000 \SystemRoot\system32\DRIVERS\irda.sys
  0xAAEFF000 \SystemRoot\system32\DRIVERS\ndisuio.sys
  0xAAEDF000 \SystemRoot\SYSTEM32\Drivers\wg3n.sys
  0xAAE65000 \SystemRoot\SYSTEM32\Drivers\wg4n.sys
  0xAAE95000 \SystemRoot\SYSTEM32\Drivers\wg5n.sys
  0xAAE81000 \SystemRoot\SYSTEM32\Drivers\wg6n.sys
  0xAAD6C000 \SystemRoot\system32\drivers\wdmaud.sys
  0xB77D9000 \SystemRoot\system32\drivers\sysaudio.sys
  0xBA390000 \SystemRoot\System32\Drivers\TDTCP.SYS
  0xAAB63000 \SystemRoot\System32\Drivers\RDPWD.SYS
  0xAA8FB000 \SystemRoot\System32\Drivers\Fastfat.SYS
  0xAA73E000 \SystemRoot\system32\DRIVERS\mrxdav.sys
  0xAE9F0000 \??\C:\WINDOWS\system32\drivers\btserial.sys
  0xAA467000 \SystemRoot\System32\Drivers\HTTP.sys
  0xAEC53000 \SystemRoot\System32\Drivers\MaxiAcom.SYS
  0xAA2F8000 \SystemRoot\system32\DRIVERS\srv.sys
  0xBA3B0000 \??\C:\DOCUME~1\ATCAPO~1\LOCALS~1\Temp\mbr.sys
  0xADD8B000 \SystemRoot\system32\DRIVERS\DKRtWrt.sys
  0xAE5D3000 \??\C:\WINDOWS\nvoclock.sys
  0xBA420000 \??\C:\ComboFix\catchme.sys
  0xB5206000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
  0xAA2E8000 \SystemRoot\system32\DRIVERS\kbdhid.sys
  0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 65):
       0 System Idle Process
       4 System
    1192 C:\WINDOWS\system32\smss.exe
    1464 csrss.exe
    1488 C:\WINDOWS\system32\winlogon.exe
    1548 C:\WINDOWS\system32\services.exe
    1560 C:\WINDOWS\system32\lsass.exe
    1744 C:\WINDOWS\system32\svchost.exe
    1792 svchost.exe
     748 C:\Program Files\Windows Defender\MsMpEng.exe
     788 C:\WINDOWS\system32\svchost.exe
     820 C:\WINDOWS\system32\svchost.exe
    1044 C:\Program Files\Sygate\SPF\Smc.exe
    1500 svchost.exe
    1960 svchost.exe
     636 C:\WINDOWS\system32\spoolsv.exe
     692 C:\Program Files\Creative\Shared Files\CTAudSvc.exe
     552 C:\WINDOWS\ehome\ehtray.exe
     596 C:\WINDOWS\ehome\ehmsas.exe
     892 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
     888 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
     960 C:\WINDOWS\system32\rundll32.exe
     976 C:\WINDOWS\system32\rundll32.exe
    1104 C:\Program Files\Windows Defender\MSASCui.exe
    2116 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2172 E:\PROGRAMS\Skype\Phone\Skype.exe
    2400 C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
    2508 E:\PROGRAMS\Gmote\GmoteServer.exe
    2584 svchost.exe
    2656 C:\Program Files\Java\jre6\launch4j-tmp\android-notifier-desktop.exe
    2712 C:\Program Files\Samurize\Client.exe
    2736 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    2716 C:\Program Files\Java\jre6\bin\javaw.exe
    2748 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    2772 C:\Program Files\Bonjour\mDNSResponder.exe
    2840 svchost.exe
    2876 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    3320 E:\PROGRAMS\Diskeeper\DkService.exe
    4052 C:\WINDOWS\ehome\ehRecvr.exe
    4076 C:\WINDOWS\ehome\ehSched.exe
    2124 E:\PROGRAMS\Hamachi\hamachi.exe
    2268 C:\WINDOWS\system32\svchost.exe
    2320 C:\Program Files\Java\jre6\bin\jqs.exe
    2872 E:\PROGRAMS\CDBurnerXP\NMSAccessU.exe
    1348 C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    3480 C:\WINDOWS\system32\nvsvc32.exe
    3620 E:\PROGRAMS\ICW\Bin\cygrunsrv.exe
    3908 C:\WINDOWS\system32\PnkBstrA.exe
    1752 svchost.exe
    2680 E:\PROGRAMS\TightVNC\WinVNC.exe
     500 mcrdsvc.exe
    1400 E:\PROGRAMS\ICW\Bin\sshd.exe
    3140 wmpnetwk.exe
    1224 C:\WINDOWS\system32\dllhost.exe
    2448 E:\PROGRAMS\Hamachi\hamachi.exe
    3600 wmiprvse.exe
    3300 alg.exe
    5416 E:\PROGRAMS\Skype\Plugin Manager\skypePM.exe
    3828 C:\WINDOWS\system32\wuauclt.exe
    5128 C:\WINDOWS\explorer.exe
    5652 C:\Program Files\Mozilla Firefox\firefox.exe
    5252 C:\WINDOWS\system32\notepad.exe
    4104 E:\PROGRAMS\Opera\opera.exe
    4412 wmiprvse.exe
    3104 C:\Documents and Settings\Tifosia\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00  (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000e`6843c400  (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000004`a3e96e00  (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00  (NTFS)
\\.\Y: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00  (NTFS)
\\.\Z: --> \\.\PhysicalDrive0 at offset 0x00000003`a9e07200  (NTFS)

PhysicalDrive0 Model Number: ST3250823A, Rev: 3.02    
PhysicalDrive1 Model Number: SAMSUNGHD154UI, Rev: 1AG01118
PhysicalDrive2 Model Number: SAMSUNGHD154UI, Rev: 1AG01118

      Size  Device Name          MBR Status
  --------------------------------------------
    232 GB  \\.\PhysicalDrive0   Legit MBR code detected
            SHA1: 2DD8773F0E284F5D919A8874031AC953CDC7123E
   1397 GB  \\.\PhysicalDrive1   Windows XP MBR code detected
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
   1397 GB  \\.\PhysicalDrive2   Windows XP MBR code detected
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
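As an added example (not code from this thread, nor from MBRCheck, GMER or ComboFix), here is a small Python script that does offline what the MBRCheck section above reports: it takes a 512-byte MBR, checks the 0x55AA trailer, hashes the boot code and turns each partition entry's starting LBA into the byte offset MBRCheck prints (LBA 63 is the 0x7e00 shown for C: above). It also has a helper for the Sigcheck situation earlier in the log, where the in-use drivers\atapi.sys could not be opened while the dllcache and ServicePackFiles copies hashed identically. Assumptions: the hash covers the 440-byte boot-code area, which is my choice, since MBRCheck does not document which bytes it hashes, so its SHA1 values should only be compared with hashes taken the same way; the sample sector, the allow-list and the temporary driver files are constructed for the demo.

```python
"""Parse a raw 512-byte MBR and report what MBRCheck prints above: a hash of the
boot code and each partition's byte offset. Added example, not code from this
thread or from MBRCheck/GMER/ComboFix. Assumed: the hash covers the 440-byte
boot-code area (MBRCheck does not say which bytes it hashes, so compare its SHA1
only with one taken the same way); the sample sector is constructed."""
import hashlib
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440          # 0..439 code, 440..443 disk signature, 444..445 reserved
PARTITION_TABLE_OFF = 446    # four 16-byte entries, then 0x55AA at 510..511
MBR_SIGNATURE = b"\x55\xAA"

@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def byte_offset(self) -> int:
        # the per-volume offset MBRCheck prints: LBA 63 * 512 = 0x7E00 for C: above
        return self.lba_start * SECTOR

@dataclass
class MbrReport:
    boot_code_sha1: str
    disk_signature: int
    partitions: List[Partition]

def looks_like_mbr(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[510:512] == MBR_SIGNATURE

def parse_mbr(sector: bytes) -> MbrReport:
    """Check the 0x55AA trailer, hash the boot code, decode the partition table."""
    if not looks_like_mbr(sector):
        raise ValueError("not a 512-byte sector ending in 0x55AA")
    sha1 = hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()
    disk_signature = struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0]
    parts = []
    for i in range(4):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, type_id, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PARTITION_TABLE_OFF + 16 * i)
        if type_id != 0:                      # type 0 is an empty slot
            parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return MbrReport(sha1, disk_signature, parts)

def classify_boot_code(report: MbrReport, known_good: Dict[str, str]) -> str:
    """Label from an allow-list of boot-code hashes, else 'UNKNOWN'. MBRCheck's
    'Legit'/'Windows XP' labels come from its own list, which this page does not show."""
    return known_good.get(report.boot_code_sha1, "UNKNOWN")

def compare_copies(paths: List[str]) -> Dict[str, object]:
    """MD5 each path (None when it cannot be opened, the '!HASH: COULD NOT OPEN
    FILE' case Sigcheck showed for the in-use drivers\\atapi.sys above) and say
    whether every readable copy agrees, as dllcache and ServicePackFiles did."""
    hashes: Dict[str, object] = {}
    for p in paths:
        try:
            with open(p, "rb") as f:
                hashes[p] = hashlib.md5(f.read()).hexdigest().upper()
        except OSError:
            hashes[p] = None
    distinct = {h for h in hashes.values() if h is not None}
    return {"hashes": hashes, "consistent": len(distinct) <= 1,
            "unreadable": [p for p, h in hashes.items() if h is None]}

def build_sample_mbr() -> bytes:
    """Constructed sector: a 7-byte stub plus NOPs as boot code, disk signature
    0xDEADBEEF, one active NTFS (type 0x07) partition starting at LBA 63."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])
    boot_code += b"\x90" * (BOOT_CODE_LEN - len(boot_code))
    sig_area = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 63, 487_000_000)
    return boot_code + sig_area + entry + b"\x00" * 48 + MBR_SIGNATURE

# Hypothetical allow-list seeded with the constructed sample; a real one is built
# from a clean disk of the same Windows build, never from the suspect machine.
KNOWN_GOOD = {parse_mbr(build_sample_mbr()).boot_code_sha1: "constructed sample"}

def demo_compare_copies() -> Dict[str, object]:
    """Two identical constructed 'driver' files plus one path that cannot be opened."""
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "atapi_a.sys"), os.path.join(d, "atapi_b.sys")
    for p in (a, b):
        with open(p, "wb") as f:
            f.write(b"constructed driver image")
    return compare_copies([a, b, os.path.join(d, "locked.sys")])

if __name__ == "__main__":   # live use on Windows needs admin: open(r"\\.\PhysicalDrive0", "rb").read(512)
    rep = parse_mbr(build_sample_mbr())
    print(rep, classify_boot_code(rep, KNOWN_GOOD), demo_compare_copies())
```

On the real machine the sector would come from open(r"\\.\PhysicalDrive0", "rb") run as an administrator, or from a disk image taken with the system offline; the allow-list belongs to a clean install of the same Windows build, not to the suspect disk, and a locked driver file (the None entry) should be hashed from the offline image rather than trusted because the other copies agree.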

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:53 PM

Posted 15 September 2010 - 07:16 PM

QUOTE
I believe that the atapi file has not been modified maliciously, but by the virtual CD drive tool Daemon Tools. I still think this is a false positive.


Yes, that looks right. The Combofix log shows the MBR kernel is okay but that a modification has happened.


Can you run GMER for me?

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

m0le is a proud member of UNITE
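The reply above accepts that something has been modified even though the MBR sectors themselves read clean. What mbr.exe is actually reporting is that the dispatch pointer for \Driver\atapi lands at 0x8a455878, an address it cannot attribute to any loaded image (the UNKNOWN in the "called modules" line), while the other hooks resolve into CLASSPNP.SYS, ACPI.sys and ntkrnlpa.exe. As an added example (not code from this thread or from GMER/MBRCheck), the Python below parses those hook lines together with MBRCheck's kernel driver list and reproduces that attribution. Assumptions: the two excerpts are copied from the logs posted above; MBRCheck lists image bases but not sizes, so "inside a module" is a heuristic that takes the nearest lower base and an assumed 16 MiB maximum image size; and a flagged address only means "not inside a listed image". A legitimate driver that runs its hook code from pool-allocated memory would be flagged the same way as a rootkit, which is why the deeper GMER scan requested above (and, if needed, a dump of the memory at that address) is the next step rather than this script.

```python
"""Cross-check the hook addresses in the mbr.exe output above against the kernel
module bases MBRCheck listed. Added example, not code from this thread or from
GMER/MBRCheck. Assumed: the two excerpts below are copied from the logs above;
MBRCheck prints image bases but not sizes, so 'inside a module' is a heuristic
(nearest lower base within MAX_IMAGE_SPAN), and a flagged address means
'not attributable to a listed image', not proof of malware."""
import re
from typing import Dict, List, Optional, Tuple

MAX_IMAGE_SPAN = 16 * 1024 * 1024   # assumed upper bound on a kernel image's size

HOOK_RE = re.compile(r"^(.*?) -> (?:(\S+) @ )?(0x[0-9A-Fa-f]+)\s*$")
MODULE_RE = re.compile(r"^\s*(0x[0-9A-Fa-f]+)\s*(\S*)\s*$")

# excerpt of the 'detected MBR rootkit hooks' block from the mbr.exe output above
HOOK_LOG = r"""
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A455878]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f58cb8
\Driver\atapi -> 0x8a455878
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
"""

# excerpt of MBRCheck's 'Kernel Drivers' list above, including its unnamed entry
MODULE_LOG = r"""
  0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
  0x806D0000 \WINDOWS\system32\hal.dll
  0xB9F80000 d346bus.sys
  0xB9F52000 ACPI.sys
  0xB9EE4000
  0xBA0F8000 disk.sys
  0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
  0x7C900000 \WINDOWS\system32\ntdll.dll
"""

def parse_hooks(text: str) -> List[Tuple[str, Optional[str], int]]:
    """(hooked object, module gmer named or None, target address) per hook line."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append((m.group(1), m.group(2), int(m.group(3), 16)))
    return hooks

def parse_modules(text: str) -> List[Tuple[int, str]]:
    """(base, file name) per driver line, sorted by base; a base with no path
    (0xB9EE4000 above) is kept as '(unnamed)' so it still attracts addresses."""
    mods = []
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            mods.append((int(m.group(1), 16), m.group(2).rsplit("\\", 1)[-1] or "(unnamed)"))
    return sorted(mods)

def nearest_module(addr: int, modules: List[Tuple[int, str]]) -> Optional[Tuple[int, str]]:
    """Listed module with the greatest base at or below addr."""
    below = [m for m in modules if m[0] <= addr]
    return max(below) if below else None

def triage(hook_text: str, module_text: str) -> List[Dict[str, object]]:
    """One row per hook; 'suspicious' when gmer named no module, the nearest base
    is implausibly far away, or gmer's module and the base list disagree."""
    modules = parse_modules(module_text)
    rows = []
    for target, named, addr in parse_hooks(hook_text):
        near = nearest_module(addr, modules)
        offset = addr - near[0] if near else None
        inside = near is not None and offset < MAX_IMAGE_SPAN
        agrees = named is None or (near is not None and near[1].lower() == named.lower())
        rows.append({"target": target, "addr": addr, "gmer_module": named,
                     "nearest": near[1] if near else None, "offset": offset,
                     "suspicious": named is None or not inside or not agrees})
    return rows

if __name__ == "__main__":
    for r in triage(HOOK_LOG, MODULE_LOG):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['target']:<40} 0x{r['addr']:08x} nearest={r['nearest']} offset={r['offset']}")
```

Run against the excerpts, only the atapi hook is flagged: its nearest listed base is hal.dll, more than 160 MB below it, whereas the Disk and ACPI hooks sit a few KB into CLASSPNP.SYS and ACPI.sys and the two ParseProcedure hooks fall inside ntkrnlpa.exe. The script also keeps MBRCheck's unnamed 0xB9EE4000 entry, so a hook landing near that base would be reported as disagreeing with gmer's module name rather than silently attributed to the next driver down.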

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:53 PM

Posted 18 September 2010 - 07:28 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:53 PM

Posted 19 September 2010 - 07:05 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE