Hidden iexplore.exe process


8 replies to this topic

#1 wispring


  • Members
  • 4 posts

Posted 03 September 2010 - 01:51 AM

Picked this thing up the other day, started out by running iexplore in the process list and playing really annoying and loud commercials every few minutes in the background. Malwarebytes picked up a few things and after removing them, that stopped it until I restarted. It was doing it again but this time iexplore.exe did not seem to be running. After loading GMER, I found out that is because it is hidden. Malwarebytes, spybot, avast and adaware aren't picking up anything, now.

Thanks for the help.



DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Rob at 2:06:09.60 on 03/09/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.455 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe 4
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
svchost.exe 4
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Rob\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://h18000.www1.hp.com/smbcenter
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [WireLessMouse] c:\program files\mouse driver\StartAutorun.exe MouseDrv.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rob\applic~1\mozilla\firefox\profiles\default.p5n\
FF - prefs.js: browser.startup.homepage - hxxp://calimalco.proboards25.com/
FF - plugin: c:\documents and settings\rob\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2005-7-7 156800]
R0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [2003-4-27 8704]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\belkin\belkin wireless network utility\WLService.exe [2008-12-25 49152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-17 24652]
R3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [2003-4-27 99360]
S2 BulkUsb;Plustek USB Scanner;c:\windows\system32\drivers\usbscan.sys [2007-4-28 15104]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [2008-12-25 140416]
S3 CA500AI;iQuest Roam Still Image Capture, V1.00;c:\windows\system32\drivers\BulkUsb.sys [2004-9-12 10803]
S3 CA500AV;SiPix iQuest Roam;c:\windows\system32\drivers\ca500av.sys [2004-9-12 146307]
S3 EC168BDA;EC168BDA service;c:\windows\system32\drivers\EC168BDA.sys [2007-10-5 107264]
S3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.sys [2007-8-10 31899]
S3 jgameenp;jgameenp;\??\c:\docume~1\rob\locals~1\temp\jgameenp.sys --> c:\docume~1\rob\locals~1\temp\jgameenp.sys [?]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-7-6 34064]
S3 SNDP202;Dual Mode Camera (8008 VGA);c:\windows\system32\drivers\sndp202.sys [2008-3-17 245120]
S3 SQTECH9160;CAMERA;c:\windows\system32\drivers\Capt9160.sys [2008-3-17 45711]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2005-1-30 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2005-1-30 5248]
S4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-6-18 607576]
S4 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2005-7-7 5248]

=============== Created Last 30 ================

2010-09-03 01:02:41 100 ----a-w- c:\documents and settings\rob\defogger_reenable
2010-08-22 16:29:05 0 d-----w- C:\DS Emu
2010-08-19 21:58:01 218 ----a-w- c:\documents and settings\rob\.recently-used.xbel

==================== Find3M ====================

2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2008-11-17 06:54:09 10022 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 2:07:01.50 ===============




#2 Noviciate


  • Malware Response Team
  • 5,277 posts

Posted 04 September 2010 - 05:24 PM

Good evening.

I don't see either an anti-virus program or a third-party firewall installed - how long has this been the case?

So long, and thanks for all the fish.


#3 wispring

  • Topic Starter

  • Members
  • 4 posts

Posted 04 September 2010 - 06:15 PM

Couple of days. Uninstalled avast; it didn't detect anything anyway, and it's better than having to disable it every time I wanted to scan with one of the tools. Never did use a 3rd party firewall on this machine, don't have the resources for it.

#4 Noviciate


  • Malware Response Team
  • 5,277 posts

Posted 05 September 2010 - 01:31 PM

Good evening.

If you are putting the PC online you need an active AV or your machine is just going to be a slime magnet. If you aren't keen on avast, there are other free AVs, of which the following are just two:

AVG Free Edition: Available here.
AntiVir Personal Edition Classic: Available here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.


#5 wispring

  • Topic Starter

  • Members
  • 4 posts

Posted 05 September 2010 - 07:15 PM

Just finished running combofix. It certainly reported detecting a few things, and I'll attach the log to this post. I'm not sure as to the status of the infection though, as I was using GMER to check if the hidden instance of iexplore.exe was running. GMER now crashes every time on its initial scan.

Combofix did find and attempt repair of an infected master boot record and at least one rootkit.

ComboFix 10-09-04.06 - Rob 06/09/2010 0:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.493 [GMT 1:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rob\Recent\Thumbs.db
c:\windows\daemon.dll
c:\windows\system32\11014418.dll
c:\windows\system32\comrepl.exe
c:\windows\system32\drivers\fad.sys
c:\windows\system32\inf
c:\windows\system32\kernel1.exe
c:\windows\system32\RGSS100J.dllback

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-08-05 to 2010-09-05 )))))))))))))))))))))))))))))))
.

2010-08-22 16:29 . 2010-08-22 18:53 -------- d-----w- C:\DS Emu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 23:05 . 2008-02-06 03:56 -------- d-----w- c:\documents and settings\Rob\Application Data\.purple
2010-08-31 17:07 . 2010-03-29 11:51 -------- d-----w- c:\program files\uTorrent
2010-08-20 23:59 . 2010-03-29 11:50 -------- d-----w- c:\documents and settings\Rob\Application Data\uTorrent
2010-08-19 19:44 . 2010-04-21 12:20 -------- d-----w- c:\program files\JDownloader
2010-08-14 01:36 . 2008-02-06 17:20 -------- d-----w- c:\documents and settings\Rob\Application Data\gtk-2.0
2010-08-09 18:07 . 2007-09-14 03:25 -------- d-----w- c:\program files\Messenger Plus! Live
2010-07-27 17:16 . 2007-12-28 07:04 -------- d-----w- c:\program files\Truck Dismount
2010-07-27 14:11 . 2010-07-27 14:11 -------- d-----w- c:\documents and settings\Rob\Application Data\Malwarebytes
2010-07-27 14:11 . 2010-07-27 14:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-27 14:11 . 2010-07-27 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-19 07:43 . 2004-09-12 20:05 -------- d-----w- c:\documents and settings\Rob\Application Data\AdobeUM
2006-05-03 09:06 . 2008-02-14 09:16 163328 --sh--r- c:\windows\system32\flvDX.dll
2008-11-17 06:54 . 2007-09-26 07:27 10022 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 . 2008-02-14 09:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-11-11 22:34 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-03 20:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[-] 2003-04-23 . E52B3B3F78C9AE85806CE49DCDD80C18 . 87296 . . [5.1.2600.1211] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-01-31 . 3C33F5479520844A186C2D43ECFFD477 . 87040 . . [5.1.2600.1164] . . c:\windows\$NtUninstallQ817472$\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\$NtUninstallq812415$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-10-02 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-02 118784]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 339968]
"WireLessMouse"="c:\program files\Mouse Driver\StartAutorun.exe" [2005-11-30 94208]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Action Manager 32.lnk.disabled]
backup=c:\windows\pss\Action Manager 32.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 02:12 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-03-22 20:05 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
2001-12-14 21:01 32768 ----a-w- c:\program files\Compaq\Easy Access Button Support\STARTEAK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-03-12 21:43 81920 ----a-w- c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 17:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 15:39 5244216 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-03 23:56 1667584 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 22:08 417792 ----a-w- c:\program files\QuickTime Alternative\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 16:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2004-12-06 21:31 36975 ----a-w- c:\program files\Java\jre1.5.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-06-29 00:50 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" -lang 1033
"ViewMgr"=c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [07/07/2005 7:37 PM 156800]
R0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [27/04/2003 12:39 PM 8704]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe [25/12/2008 3:44 AM 49152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [17/02/2008 2:10 AM 24652]
R3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [27/04/2003 11:43 AM 99360]
S2 BulkUsb;Plustek USB Scanner;c:\windows\system32\drivers\usbscan.sys [28/04/2007 12:29 AM 15104]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [25/12/2008 3:44 AM 140416]
S3 CA500AI;iQuest Roam Still Image Capture, V1.00;c:\windows\system32\drivers\BulkUsb.sys [12/09/2004 8:43 PM 10803]
S3 CA500AV;SiPix iQuest Roam;c:\windows\system32\drivers\ca500av.sys [12/09/2004 8:43 PM 146307]
S3 EC168BDA;EC168BDA service;c:\windows\system32\drivers\EC168BDA.sys [05/10/2007 1:29 PM 107264]
S3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.sys [10/08/2007 8:44 AM 31899]
S3 jgameenp;jgameenp;\??\c:\docume~1\Rob\LOCALS~1\Temp\jgameenp.sys --> c:\docume~1\Rob\LOCALS~1\Temp\jgameenp.sys [?]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06/07/2009 7:47 AM 34064]
S3 SNDP202;Dual Mode Camera (8008 VGA);c:\windows\system32\drivers\sndp202.sys [17/03/2008 5:11 PM 245120]
S3 SQTECH9160;CAMERA;c:\windows\system32\drivers\Capt9160.sys [17/03/2008 1:21 PM 45711]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [30/01/2005 5:14 PM 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [30/01/2005 5:14 PM 5248]
S4 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [07/07/2005 7:37 PM 5248]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [01/09/2007 5:19 AM 685816]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2010-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://h18000.www1.hp.com/smbcenter
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\default.p5n\
FF - prefs.js: browser.startup.homepage - hxxp://calimalco.proboards25.com/
FF - plugin: c:\documents and settings\Rob\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Anti-Blaxx Manager - c:\program files\Anti-Blaxx\Anti-Blaxx.exe
MSConfigStartUp-DannyHost - c:\windows\system32\DannyHost.exe
MSConfigStartUp-NeroFilterCheck - c:\windows\System32\NeroCheck.exe
AddRemove-Azureus - c:\program files\Azureus\Uninstall.exe
AddRemove-Final Fantasy VII XP Patch - c:\program files\Square Soft
AddRemove-Myst for Windows 95 - c:\program files\Myst\DeIsL1.isu
AddRemove-SShockDeinstallKey - c:\sshock2\SShocku.log
AddRemove-ThiefGoldDeinstallKey - c:\thiefg\thiefalphaIIu.log



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-06 00:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83961BC0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7572fc3
\Driver\ACPI -> ACPI.sys @ 0xf74adcb8
\Driver\atapi -> 0x83961bc0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4174
ParseProcedure -> ntoskrnl.exe @ 0x8057c799
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4174
ParseProcedure -> ntoskrnl.exe @ 0x8057c799
NDIS: Broadcom NetXtreme Gigabit Ethernet for hp -> SendCompleteHandler -> NDIS.sys @ 0xf735dba0
PacketIndicateHandler -> NDIS.sys @ 0xf736ab21
SendHandler -> NDIS.sys @ 0xf734887b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 9 !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\System32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Mouse Driver\MouseDrv.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-09-06 00:54:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-05 23:54

Pre-Run: 2,471,931,904 bytes free
Post-Run: 2,680,836,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (bootscreen)" /fastdetect /NoExecute=OptIn /KERNEL=kernel1.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 3F13863FE4AEA8F21DFE83067312202B


Edited by Noviciate, 07 September 2010 - 01:58 PM.


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:55 AM

Posted 07 September 2010 - 01:59 PM

Good evening. :)

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.

So long, and thanks for all the fish.


#7 wispring

wispring
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:55 PM

Posted 08 September 2010 - 01:14 AM

Here you go:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000003d

Kernel Drivers (total 134):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FD000 \WINDOWS\system32\hal.dll
0xF7A2E000 \WINDOWS\system32\KDCOM.DLL
0xF793E000 \WINDOWS\system32\BOOTVID.dll
0xF74E6000 d346bus.sys
0xF74D5000 pci.sys
0xF752E000 isapnp.sys
0xF74A7000 ACPI.sys
0xF7A30000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF7942000 stwlfbus.sys
0xF7A32000 intelide.sys
0xF77AE000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF753E000 MountMgr.sys
0xF7488000 ftdisk.sys
0xF7A34000 dmload.sys
0xF7462000 dmio.sys
0xF77B6000 PartMgr.sys
0xF754E000 VolSnap.sys
0xF744A000
0xF755E000 disk.sys
0xF756E000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF742B000 fltmgr.sys
0xF7419000 sr.sys
0xF757E000 PxHelp20.sys
0xF7402000 KSecDD.sys
0xF7375000 Ntfs.sys
0xF7348000 NDIS.sys
0xF732D000 Mup.sys
0xF758E000 agp440.sys
0xF759E000 \SystemRoot\System32\DRIVERS\ATITool.sys
0xF66D2000 \SystemRoot\System32\DRIVERS\ati2mtag.sys
0xF66BE000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF77FE000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF669B000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF7806000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF6671000 \SystemRoot\System32\DRIVERS\b57xp32.sys
0xF780E000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF7816000 \SystemRoot\System32\DRIVERS\eaps2kbd.sys
0xF781E000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF665D000 \SystemRoot\System32\DRIVERS\parport.sys
0xF75BE000 \SystemRoot\System32\DRIVERS\serial.sys
0xF79EA000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF7826000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF75CE000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF79EE000 \SystemRoot\system32\drivers\pfc.sys
0xF75DE000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF75EE000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF663A000 \SystemRoot\System32\DRIVERS\ks.sys
0xF782E000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF65AC000 \SystemRoot\system32\drivers\smwdm.sys
0xF6588000 \SystemRoot\system32\drivers\portcls.sys
0xF769E000 \SystemRoot\system32\drivers\drmk.sys
0xF6570000 \SystemRoot\system32\drivers\aeaudio.sys
0xF75FE000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF7B8E000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF760E000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF79FA000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF6559000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF761E000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF762E000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7836000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF6548000 \SystemRoot\System32\DRIVERS\psched.sys
0xF763E000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF783E000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7846000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF6517000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xF764E000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF7A92000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF64E3000 \SystemRoot\System32\DRIVERS\update.sys
0xF64CA000 \SystemRoot\System32\DRIVERS\st3wolf.sys
0xF64B2000 \SystemRoot\System32\DRIVERS\SCSIPORT.SYS
0xF7A16000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF765E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF76AE000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF7A94000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF7856000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF7A96000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C2D000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A9A000 \SystemRoot\System32\Drivers\Beep.SYS
0xF6FF4000 \SystemRoot\system32\drivers\EAWDMFD.sys
0xF7866000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xF786E000 \SystemRoot\System32\drivers\vga.sys
0xF7A9C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A9E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7876000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF787E000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6FEC000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xBA315000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xBA2BD000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xBA295000 \SystemRoot\System32\DRIVERS\netbt.sys
0xBA274000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF79D6000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xBA22A000 \SystemRoot\System32\drivers\afd.sys
0xF76EE000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF79DA000 \??\C:\Program Files\TGTSoft\StyleXP\StyleXPHelper.exe
0xF7886000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xBA1FF000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xBA168000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF771E000 \SystemRoot\System32\Drivers\Fips.SYS
0xF772E000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF774E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA150000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7AA4000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBAFE8000 \SystemRoot\System32\drivers\Dxapi.sys
0xF789E000 \SystemRoot\System32\watchdog.sys
0xBF9C2000 \SystemRoot\System32\drivers\dxg.sys
0xF7C43000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9D4000 \SystemRoot\System32\ati2dvag.dll
0xBFA27000 \SystemRoot\System32\ati2cqag.dll
0xBFAC0000 \SystemRoot\System32\atikvmag.dll
0xBFB43000 \SystemRoot\System32\atiok3x2.dll
0xBFB8E000 \SystemRoot\System32\ati3duag.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB8038000 \SystemRoot\System32\DRIVERS\AegisP.sys
0xB8034000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xB7C4B000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF7AE4000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB7BFA000 \SystemRoot\System32\DRIVERS\atksgt.sys
0xB7E78000 \SystemRoot\System32\Drivers\DgiVecp.sys
0xF78EE000 \SystemRoot\System32\DRIVERS\lirsgt.sys
0xB7AB8000 \SystemRoot\System32\DRIVERS\srv.sys
0xF78F6000 \SystemRoot\System32\DRIVERS\secdrv.sys
0xB789B000 \SystemRoot\system32\drivers\wdmaud.sys
0xB79F8000 \SystemRoot\system32\drivers\sysaudio.sys
0xB73F5000 \SystemRoot\System32\Drivers\HTTP.sys
0xB753A000 \??\C:\WINDOWS\system32\GTNDIS5.SYS
0xB6F9D000 \SystemRoot\system32\drivers\kmixer.sys
0xF788E000 \SystemRoot\System32\DRIVERS\usbccgp.sys
0xB799C000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xB72F5000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xB77B0000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xB8070000 \SystemRoot\System32\DRIVERS\kbdhid.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 29):
0 System Idle Process
4 System
712 C:\WINDOWS\system32\smss.exe
760 csrss.exe
792 C:\WINDOWS\system32\winlogon.exe
836 C:\WINDOWS\system32\services.exe
848 C:\WINDOWS\system32\lsass.exe
1048 C:\WINDOWS\system32\svchost.exe
1124 svchost.exe
1220 C:\WINDOWS\system32\svchost.exe
1244 C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
1328 svchost.exe
1432 svchost.exe
1632 C:\WINDOWS\system32\spoolsv.exe
1920 C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
1936 C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
1988 C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
576 C:\WINDOWS\system32\svchost.exe
652 wdfmgr.exe
1500 C:\WINDOWS\explorer.exe
2032 C:\WINDOWS\system32\wscntfy.exe
148 C:\Program Files\Mozilla Firefox\firefox.exe
564 C:\Program Files\Mozilla Firefox\plugin-container.exe
2252 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
1820 C:\Program Files\Pidgin\pidgin.exe
3156 C:\Program Files\Windows Live\Contacts\wlcomm.exe
1568 C:\WINDOWS\system32\wisptis.exe
1596 C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
3568 C:\Documents and Settings\Rob\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD400BB-22HEA1, Rev: 14.03G14

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
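
The two MBR reports in this thread make the same three checks: does sector 0 hold recognised boot code (MBRCheck's "Windows XP MBR code detected" plus a SHA1), is there a second copy of the MBR in an early sector (the Gmer detector's "copy of MBR has been found in sector 9"), and does the partition table agree with where the volume actually starts (MBRCheck's "PhysicalDrive0 at offset 0x00000000`00007e00"). The script below is an added example that does those checks on a raw disk image; it is not the thread's code and not the code of either tool. Everything in it is an assumption of the example: the 16-sector image is constructed, the "known-good" hash table contains only the hash of the constructed code, and hashing just the 440-byte code area is the example's own choice (the thread does not say which bytes MBRCheck hashes).

```python
"""Check an MBR the way the Gmer MBR detector and MBRCheck output in this thread do.

Added example (not the thread's or either tool's code).  It works on a raw disk
image, so a constructed 16-sector image is built below to keep it runnable offline.
"""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440          # bytes 0..439: boot code; 440..443: disk signature
PT_OFF = 446            # 446..509: four 16-byte partition entries; 510..511: 0x55AA


def parse_mbr(sector):
    """Split one 512-byte sector into code, disk signature, partition entries, boot signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        entry = sector[PT_OFF + 16 * i:PT_OFF + 16 * (i + 1)]
        status, ptype, lba_start, length = struct.unpack("<B3xB3xII", entry)
        if ptype:                                   # type 0 = empty slot
            parts.append({"index": i + 1, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start, "sectors": length})
    return {"code": sector[:CODE_LEN],
            "disk_signature": struct.unpack("<I", sector[440:444])[0],
            "partitions": parts,
            "boot_signature_ok": sector[510:] == b"\x55\xAA"}


def code_sha1(sector):
    """SHA-1 of the code area only, so the value does not change with the disk
    signature or partition table (the example's own choice; the thread does not
    say which bytes MBRCheck hashes)."""
    return hashlib.sha1(sector[:CODE_LEN]).hexdigest().upper()


def find_mbr_copies(image, max_sectors=64):
    """Sectors after 0 that carry sector 0's partition table and 0x55AA signature.
    Bootkits keep the original MBR in a spare sector so they can chain-load it,
    which is what 'copy of MBR has been found in sector N' is looking for."""
    reference = image[PT_OFF:SECTOR]
    return [n for n in range(1, min(max_sectors, len(image) // SECTOR))
            if image[n * SECTOR + PT_OFF:(n + 1) * SECTOR] == reference]


def analyze(image, known_good):
    """Report on sector 0 and on any MBR copies; known_good maps code SHA-1 -> label."""
    mbr_sector = image[:SECTOR]
    mbr = parse_mbr(mbr_sector)
    digest = code_sha1(mbr_sector)
    copies = []
    for n in find_mbr_copies(image):
        copy = image[n * SECTOR:(n + 1) * SECTOR]
        copies.append({"sector": n, "sha1": code_sha1(copy),
                       "label": known_good.get(code_sha1(copy), "UNKNOWN MBR code"),
                       "same_code_as_sector0": copy[:CODE_LEN] == mbr["code"]})
    if digest in known_good:
        verdict = "ok"              # sector 0 runs recognised code
    elif any(c["label"] != "UNKNOWN MBR code" for c in copies):
        verdict = "suspect"         # recognised code survives elsewhere, sector 0 does not run it
    else:
        verdict = "unknown"
    report = {"sha1": digest, "code_label": known_good.get(digest, "UNKNOWN MBR code"),
              "boot_signature_ok": mbr["boot_signature_ok"], "partitions": mbr["partitions"],
              "copies": copies, "verdict": verdict}
    if mbr["partitions"]:           # MBRCheck printed 0x7e00 for C:, i.e. LBA 63 * 512
        report["first_partition_offset"] = mbr["partitions"][0]["lba_start"] * SECTOR
    return report


# ---- constructed sample image, not the thread's machine ----------------------
def _mbr_sector(code, disk_sig=0x1A2B3C4D, parts=((0x80, 0x07, 63, 78156162),)):
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in parts).ljust(64, b"\x00")
    return (code.ljust(CODE_LEN, b"\x00") + struct.pack("<I", disk_sig) + b"\x00\x00"
            + table + b"\x55\xAA")

# a few realistic-looking x86 boot-code bytes, zero padded; the hash in KNOWN_GOOD
# is of this constructed code, not of the genuine XP MBR
CLEAN_MBR = _mbr_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB\x50\x07\x50\x1F\xFC\xBE\x1B\x7C")
KNOWN_GOOD = {code_sha1(CLEAN_MBR): "Windows XP MBR code (constructed sample)"}


def build_sample_image():
    """Mirror of what the thread's logs showed: sector 0 fine, a copy in sector 9."""
    sectors = [b"\x00" * SECTOR for _ in range(16)]
    sectors[0] = CLEAN_MBR
    sectors[9] = CLEAN_MBR
    return b"".join(sectors)


def build_tampered_image():
    """Same disk after a hypothetical bootkit: foreign code in sector 0, original kept in 9."""
    image = bytearray(build_sample_image())
    image[:SECTOR] = _mbr_sector(b"\xEB\xFE" + b"\x90" * 30)      # 'jmp $' stub as stand-in
    return bytes(image)


if __name__ == "__main__":
    for name, img in (("as logged", build_sample_image()), ("tampered", build_tampered_image())):
        r = analyze(img, KNOWN_GOOD)
        print(name, r["verdict"], r["code_label"], r["copies"], hex(r["first_partition_offset"]))
```

On the image that mirrors the thread's logs the verdict is "ok": the code in sector 0 is recognised, the copy in sector 9 is byte-identical to it, and partition 1 starts at LBA 63, which is the 0x7e00 offset MBRCheck printed. On the tampered image sector 0 is unrecognised while sector 9 still holds the recognised code, which is the pattern a bootkit leaves behind and the reason both tools bother to look for copies. To run it on a real disk, replace the constructed image with the first few KB of `\\.\PhysicalDrive0` read as raw bytes, and put trusted hashes of the code area in `KNOWN_GOOD`.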

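The "Kernel Drivers" listing in the MBRCheck output above also carries a few things a responder checks by eye: one entry has a load address but no module name (0xF744A000), two modules are loaded by an absolute `\??\C:\...` path rather than from `\SystemRoot\System32`, and `dump_atapi.sys` is present while `atapi.sys` itself appears nowhere in the list (Windows creates the `dump_` driver at boot as a copy of the boot disk's port driver, so the original is normally listed too; the ComboFix section earlier in the thread is the place to cross-check, since it reports `\Driver\atapi` pointing at an unknown address). The script below is an added example, not part of the thread or of MBRCheck, that automates those three checks; its sample input is a constructed excerpt of the listing above, and the checks are heuristics that point at what to verify by hand (hash the files, confirm who installed the `\??\` entries), not verdicts.

```python
r"""Triage the 'Kernel Drivers' section of an MBRCheck log.

Added example, not part of the thread or of MBRCheck.  Three checks a responder
makes by eye on the listing, automated:
  1. entries that have a load address but no module name,
  2. modules loaded by an absolute \??\C:\... path instead of \SystemRoot\System32
     (the form a service's ImagePath produces; worth knowing who installed them),
  3. dump_<name>.sys present without the matching <name>.sys; the dump_ copy is
     made from the boot disk's port driver at boot, so the original should be listed.
"""
import re

DRIVER_LINE = re.compile(r"^0x([0-9A-Fa-f]{8})\s*(.*?)\s*$")

# Constructed sample: an excerpt of the MBRCheck listing in this thread.
SAMPLE = r"""
Kernel Drivers (total 134):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FD000 \WINDOWS\system32\hal.dll
0xF74D5000 pci.sys
0xF7A30000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF754E000 VolSnap.sys
0xF744A000
0xF755E000 disk.sys
0xF756E000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF79DA000 \??\C:\Program Files\TGTSoft\StyleXP\StyleXPHelper.exe
0xBA150000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7AA4000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xB753A000 \??\C:\WINDOWS\system32\GTNDIS5.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 29):
4 System
"""


def parse_driver_list(text):
    """Return [(base_address, name)] for every '0xXXXXXXXX name' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DRIVER_LINE.match(line.strip())
        if m:
            entries.append((int(m.group(1), 16), m.group(2)))
    return entries


def basename(path):
    """Last path component, lower-cased, so WMILIB.SYS and dump_WMILIB.SYS compare cleanly."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(entries):
    """Apply the three checks and return what each one flagged."""
    names = {basename(p) for _, p in entries if p}
    nameless = [f"0x{base:08X}" for base, p in entries if not p]
    user_paths = [p for _, p in entries if p.startswith("\\??\\")]
    dump_without_original = []
    for n in sorted(names):
        if n.startswith("dump_"):
            original = n[len("dump_"):]
            if original not in names:
                dump_without_original.append(original)
    return {"nameless": nameless,
            "user_paths": user_paths,
            "dump_without_original": dump_without_original}


if __name__ == "__main__":
    result = triage(parse_driver_list(SAMPLE))
    for check, hits in result.items():
        print(f"{check}: {hits if hits else 'nothing flagged'}")
```

Run against the excerpt it flags exactly the three items named above. A nameless entry means MBRCheck could resolve a load address but not a module for it, which is one of the things a rootkit that hides or patches a driver produces, but it is equally what a tool simply failing to enumerate a module looks like; the point of the script is only to make sure none of the three patterns is skimmed past in a 134-line listing.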
#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:55 AM

Posted 08 September 2010 - 01:38 PM

Good evening. :)

Looks good. I think one last scan, just to double check, and that should be that.

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.


#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:55 AM

Posted 14 September 2010 - 02:49 PM

As there has been no response for more than five days, this thread is now closed.

So long, and thanks for all the fish.
