
Rogue.SecuritySuite ??


  • This topic is locked
18 replies to this topic

#1 Don90


  • Members
  • 17 posts

Posted 22 September 2010 - 10:12 AM

First - thank you for this site. Incredibly helpful. And thank you in advance for your time.

According to a Malwarebytes scan, I am infected with Rogue.SecuritySuite, plus other recent scans / removals indicated the following have been present according to the scan log:
Trojan.Ertfor
Rootkit.Agent
Malware.Generic
Malware.Packer.Gen
Trojan.Hiloti.Gen
Malware.Trace
Trojan.Delf
Trojan.Agent

Other symptoms:
- When initially running Internet Explorer, a window will randomly pop up to an advertising site, then when I close it, a smaller window pops up with a kindly message asking if I really want to navigate away from the site. Only alt-F4 closes it.
- Windows Update and Microsoft update are blocked - windows explorer gives message "Internet Explorer cannot display the webpage" when it attempts.
- I get no sound from my speakers - when trying to open Volume Control I get message "There are no active mixer devices available". Reinstalling the Sigmatel High Definition Audio driver from Dell has no effect. No problems show up in Device Manager.
- Just before the Malwarebytes scan which "removed" the SecuritySuite, I discovered a long list of Scheduled Tasks in the Scheduler - I removed them manually from the folder where stored. I did not look at what they referred to, although they all were noted as created by NetScheduleJobAdd. The screen pop-ups when initially using iexplorer continued after their removal.
- When I ran Defogger it did not disable the CD emulator ZTekWare (installed with itunes?); I disabled it in Device Manager.

I have Windows XP Pro with Service Pack 3
I use Windows Internet Explorer 8
I have Siber Systems' RoboForm
I previously had a free version of Panda Cloud Antivirus on my computer, but removed it when it started interfering with something that I can't remember. Had to scrub things from the registry, but Windows still sees some remnant of it, as you will see below.
I have previously used Spybot Search & Destroy with Teatimer, but have disabled Teatimer.
I only know enough about all of this to do something stupid.
I do have another post/problem that I entered in Jan 2010; haven't had time to follow up on that one - that computer is no longer in use (although it does have some files on it that I will eventually need). i.e., I didn't go elsewhere for help. This one I do need the help at your soonest convenience, and will follow through.

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Don at 8:46:12.40 on Wed 09/22/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1491 [GMT -4:00]

AV: Panda Cloud Antivirus *On-access scanning enabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AcroTray.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Don\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\AcroTray.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Open with WordPerfect
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - c:\program files\pixiepack codec pack\InstallerHelper.exe
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\system32\drivers\OCDE.sys [2007-8-25 30480]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-29 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-29 20952]
S0 qaxro;qaxro;c:\windows\system32\drivers\qdre.sys --> c:\windows\system32\drivers\qdre.sys [?]
S1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2009-10-13 114312]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2009-10-30 146952]
S2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2009-10-13 95880]
S2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2009-10-13 101512]

=============== Created Last 30 ================

2010-09-20 04:49:04 0 ----a-w- c:\documents and settings\don\defogger_reenable
2010-09-20 03:22:05 0 d-----w- c:\program files\Dell
2010-09-12 00:10:19 0 d-----w- c:\windows\system32\wbem\Repository
2010-09-06 22:41:52 112 ----a-w- c:\docume~1\alluse~1\applic~1\4vOo3e7d.dat
2010-09-06 15:07:41 0 d-----w- c:\windows\system32\NtmsData
2010-08-29 19:53:45 0 d-----w- c:\docume~1\don\applic~1\Malwarebytes
2010-08-29 19:53:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-29 19:53:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-29 19:53:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-29 19:53:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-27 21:28:01 786432 ----a-w- c:\windows\system32\drivers\xbkutdnz.sys
2010-08-27 21:27:44 30000 ----a-w- c:\windows\system32\fswfk.dll
2010-08-27 21:27:43 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-08-27 11:03:49 169 ----a-w- c:\windows\wininit.ini
2010-08-27 03:37:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-27 03:23:52 120 ----a-w- c:\windows\Xmufocefuweja.dat
2010-08-27 03:23:52 0 ----a-w- c:\windows\Dyequlazexi.bin
2010-08-27 03:22:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-08-27 03:22:11 784896 ----a-w- c:\windows\system32\drivers\wtcttemt.sys
2010-08-27 03:22:06 30000 ----a-w- c:\windows\system32\x6jcvhq9b.dll
2010-08-27 03:22:03 30000 ----a-w- c:\windows\system32\x5clj98201.dll
2010-08-27 03:22:03 30000 ----a-w- c:\windows\system32\tk3grg9.dll

==================== Find3M ====================

2010-07-19 09:05:13 100805 ----a-w- c:\windows\fonts\AdobeFnt.lst
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

============= FINISH: 8:47:26.54 ===============

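As an added example (not from this thread, from BleepingComputer, or from the DDS tool), a small triage script that parses the DDS.txt layout above and flags the entries a malware-response helper looks at first: boot- or system-start drivers whose image is missing, randomly named files and drivers, several same-size files dropped under different names, and Hosts entries that blackhole security sites. The embedded log is a constructed excerpt of the log above, and the name heuristic and the known-good allowlist are assumptions, so its findings are leads to verify by hand, not verdicts.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the DDS.txt posted above; the entries are
# copied from that log, but this is not the complete file (added example, not a DDS tool).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\system32\drivers\OCDE.sys [2007-8-25 30480]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-29 304464]
S0 qaxro;qaxro;c:\windows\system32\drivers\qdre.sys --> c:\windows\system32\drivers\qdre.sys [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================

2010-09-06 22:41:52 112 ----a-w- c:\docume~1\alluse~1\applic~1\4vOo3e7d.dat
2010-08-27 21:28:01 786432 ----a-w- c:\windows\system32\drivers\xbkutdnz.sys
2010-08-27 21:27:44 30000 ----a-w- c:\windows\system32\fswfk.dll
2010-08-27 03:22:06 30000 ----a-w- c:\windows\system32\x6jcvhq9b.dll
2010-08-27 03:22:03 30000 ----a-w- c:\windows\system32\x5clj98201.dll
2010-08-27 03:22:03 30000 ----a-w- c:\windows\system32\tk3grg9.dll
2010-07-19 09:05:13 100805 ----a-w- c:\windows\fonts\AdobeFnt.lst
"""

# DDS line shapes: "R0 name;display;path [date size]" (services/drivers),
# "YYYY-MM-DD HH:MM:SS size attrs path" (file listings) and "Hosts: ip host".
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
# Assumed allowlist: legitimate Windows names the vowel heuristic would otherwise flag.
KNOWN_GOOD = {"svchost", "ctfmon", "spoolsv", "nvsvc32"}

def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]

def looks_random(stem):
    """Heuristic for dropper-generated names: digits mixed into letters, or almost
    no vowels. It has false positives, so its output is a lead, not a verdict."""
    stem = stem.lower()
    if len(stem) < 4 or not stem.isalnum() or stem in KNOWN_GOOD:
        return False
    letters = [c for c in stem if c.isalpha()]
    if letters and any(c.isdigit() for c in stem):
        return True
    vowels = sum(c in "aeiouy" for c in letters)
    return bool(letters) and vowels / len(letters) < 0.2

def triage(text):
    """Return (severity, message) findings for the body of a DDS.txt log."""
    findings = []
    sizes = defaultdict(list)  # file size -> names, to spot same-size clusters in system32
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, rest = m.groups()
            missing = rest.rstrip().endswith("[?]")  # DDS could not find the image on disk
            # Keep the resolved path (after "-->") and drop the trailing "[date size]" / "[?]".
            path = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest.split("-->")[-1]).strip().strip('"')
            stem = basename(path).rsplit(".", 1)[0]
            if missing and start[1] in "01":  # boot- or system-start driver with no file
                findings.append(("HIGH", f"boot/system-start driver {name} image not found: {path}"))
            elif missing:
                findings.append(("INFO", f"service {name} image not found, verify by hand: {path}"))
            if looks_random(name) or looks_random(stem):
                findings.append(("HIGH", f"random-looking service/driver name: {name} -> {path}"))
            continue
        m = FILE_RE.match(line)
        if m:
            ts, size, _attrs, path = m.groups()
            name = basename(path)
            if looks_random(name.rsplit(".", 1)[0]):
                findings.append(("HIGH", f"random-looking file name: {path} ({size} bytes, {ts})"))
            if "\\system32\\" in path.lower():
                sizes[int(size)].append(name)
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip in ("127.0.0.1", "0.0.0.0", "::1") and host.lower() != "localhost":
                findings.append(("HIGH", f"Hosts file blackholes {host} -> {ip}"))
    # Several same-size junk-named files under system32 = one payload dropped under many names.
    for size, names in sizes.items():
        junk = sorted(n for n in names if looks_random(n.rsplit(".", 1)[0]))
        if len(junk) >= 2:
            findings.append(("HIGH", f"{len(junk)} files of identical size {size} in system32: {', '.join(junk)}"))
    return findings
```

Run `triage(open("DDS.txt").read())` against a real log; the gupdate entry shows why the missing-image check is only INFO for auto-start services, since DDS cannot stat a quoted command line and reports legitimate entries the same way.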


#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 September 2010 - 11:03 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is ok, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


information and logs:
    In your next post I need the following
      1. logs from DDS
      2. log from RKUnHooker
      3. let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 October 2010 - 01:03 AM

Hello

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo


#4 Don90

  • Topic Starter

  • Members
  • 17 posts

Posted 03 October 2010 - 12:39 PM

I need a little more time - I already sent most of the info which you requested in my first post, in accordance with the site's rules/directions for posting a problem (including attaching the two logs), but I can still run and post it all again in accordance with your wishes, plus the requested Rootkit Unhooker. I can understand why you request no attachments.

Like you, I'm also very busy.

Thanks for your time.

Don


#5 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 October 2010 - 01:00 PM

Hello Don

When you are ready and have the time, send me the reports I asked for and we can start.

Thanks


Gringo

#6 Don90

  • Topic Starter

  • Members
  • 17 posts

Posted 03 October 2010 - 01:41 PM

As requested:
- No other tools run as requested
- problems during fix - nothing yet

- Other symptoms:
1. When initially running Internet Explorer, a window will randomly pop up to an advertising site, then when I close it, a smaller window pops up with a kindly message asking if I really want to navigate away from the site. Only alt-F4 closes it.
2. Windows Update and Microsoft update are blocked - windows explorer gives message "Internet Explorer cannot display the webpage" when it attempts.
3. I get no sound from my speakers - when trying to open Volume Control I get message "There are no active mixer devices available". Reinstalling the Sigmatel High Definition Audio driver from Dell has no effect. No problems show up in Device Manager.
4. Just before the Malwarebytes scan which "removed" the SecuritySuite, I discovered a long list of Scheduled Tasks in the Scheduler - I removed them manually from the folder where stored. I did not look at what they referred to, although they all were noted as created by NetScheduleJobAdd. The screen pop-ups when initially using iexplorer continued after their removal.
5. A flash drive stick which was previously recognized by this computer is no longer recognized - however, it is still recognized by every other non-infected computer. I note in Device Manager that under System Devices, the Microsoft System Management BIOS Driver lists: "Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)" No other devices or controllers have warnings or listed problems.
6. Panda Anti-Virus was removed a couple months ago, but remnants remain.

1. DeFogger Log:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 13:58 on 03/10/2010 (Don)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-




Logs from DDS:

1. DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86
Run by Don at 14:00:30.01 on Sun 10/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1471 [GMT -4:00]

AV: Panda Cloud Antivirus *On-access scanning enabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Don\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10i_ActiveX.exe -update activex
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\AcroTray.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Open with WordPerfect
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - c:\program files\pixiepack codec pack\InstallerHelper.exe
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\system32\drivers\OCDE.sys [2007-8-25 30480]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-29 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-29 20952]
S0 qaxro;qaxro;c:\windows\system32\drivers\qdre.sys --> c:\windows\system32\drivers\qdre.sys [?]
S1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2009-10-13 114312]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2009-10-30 146952]
S2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2009-10-13 95880]
S2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2009-10-13 101512]

=============== Created Last 30 ================

2010-09-20 04:49:04 0 ----a-w- c:\documents and settings\don\defogger_reenable
2010-09-20 03:22:05 0 d-----w- c:\program files\Dell
2010-09-12 00:10:19 0 d-----w- c:\windows\system32\wbem\Repository
2010-09-06 22:41:52 112 ----a-w- c:\docume~1\alluse~1\applic~1\4vOo3e7d.dat
2010-09-06 15:07:41 0 d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2010-08-28 15:03:02 786432 ----a-w- c:\windows\system32\drivers\xbkutdnz.sys
2010-08-27 21:27:44 30000 ----a-w- c:\windows\system32\fswfk.dll
2010-08-27 21:27:43 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-08-27 13:11:48 784896 ----a-w- c:\windows\system32\drivers\wtcttemt.sys
2010-08-27 03:22:06 30000 ----a-w- c:\windows\system32\x6jcvhq9b.dll
2010-08-27 03:22:03 30000 ----a-w- c:\windows\system32\x5clj98201.dll
2010-08-27 03:22:03 30000 ----a-w- c:\windows\system32\tk3grg9.dll
2010-07-19 09:05:13 100805 ----a-w- c:\windows\fonts\AdobeFnt.lst

============= FINISH: 14:01:50.31 ===============


2. Attach.txt :


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/17/2010 1:14:03 PM
System Uptime: 10/3/2010 1:20:53 PM (1 hours ago)

Motherboard: Dell Inc. | | 0WG855
Processor: Intel® Core™2 CPU 6400 @ 2.13GHz | Microprocessor | 2128/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 185.404 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: SCSI\CDROM&VEN_ZTEKWARE&PROD__OCDE&REV_0000\1&2AFD7D61&0&000
Manufacturer: (Standard CD-ROM drives)
Name: ZTekWare OCDE SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_ZTEKWARE&PROD__OCDE&REV_0000\1&2AFD7D61&0&000
Service: cdrom

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Microsoft System Management BIOS Driver
Device ID: ROOT\SYSTEM\0002
Manufacturer: (Standard system devices)
Name: Microsoft System Management BIOS Driver
PNP Device ID: ROOT\SYSTEM\0002
Service: mssmbios

==== System Restore Points ===================

RP1: 8/28/2010 11:03:46 AM - System Checkpoint
RP2: 8/28/2010 11:08:53 AM - After ERDNT from 8-22-10_1342
RP3: 8/29/2010 4:55:39 PM - System Checkpoint
RP4: 8/29/2010 5:22:07 PM - After ERUNT & Malwareb run
RP5: 9/4/2010 7:14:36 PM - System Checkpoint
RP6: 9/6/2010 10:58:00 AM - Installed U3Launcher
RP7: 9/6/2010 11:05:07 AM - Removed U3Launcher
RP8: 9/6/2010 11:17:30 AM - Installed U3Launcher
RP9: 9/6/2010 11:19:54 AM - Removed U3Launcher
RP10: 9/6/2010 11:20:42 AM - Installed U3Launcher
RP11: 9/6/2010 11:21:45 AM - Removed U3Launcher
RP12: 9/6/2010 11:27:22 AM - Installed U3Launcher
RP13: 9/6/2010 11:27:32 AM - Removed U3Launcher
RP14: 9/6/2010 12:22:05 PM - Labor Day
RP15: 9/11/2010 7:15:43 PM - System Checkpoint
RP16: 9/11/2010 8:09:29 PM - Restore Operation
RP17: 9/11/2010 11:52:22 PM - After SysRest to 8-29 and MBAM install and Erunt
RP18: 9/13/2010 12:16:39 AM - System Checkpoint
RP19: 9/16/2010 10:49:50 AM - System Checkpoint
RP20: 9/18/2010 2:54:04 PM - System Checkpoint
RP21: 9/19/2010 4:06:20 PM - System Checkpoint
RP22: 9/19/2010 11:12:43 PM - After MWBytes-pre driver updates
RP23: 9/19/2010 11:19:12 PM - Installed SigmaTel Audio
RP24: 9/19/2010 11:22:04 PM - Installed Chipset Software Installer
RP25: 9/20/2010 12:27:38 AM - Configured SigmaTel Audio
RP26: 9/25/2010 10:32:08 AM - System Checkpoint
RP27: 9/26/2010 12:09:52 PM - System Checkpoint
RP28: 9/27/2010 5:46:58 PM - System Checkpoint
RP29: 9/30/2010 9:04:11 AM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 5.0 Sprint
Acrobat.com
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.3
AI RoboForm
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
Bonjour
CamStudio
Compatibility Pack for the 2007 Office system
Corel Paint Shop Pro 9
Dell Driver Reset Tool
EPSON Copy Utility
EPSON PERF 3170Guide
EPSON Photo Print
Epson Print CD
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
ERUNT 1.1j
GoodSync
Google Earth
Google Update Helper
GPL Ghostscript 8.64
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB968764)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Print Diagnostic Utility
Intel® Matrix Storage Manager
Intel® PRO Network Connections 11.2.1.69
iPod for Windows 2005-03-23
iTunes
Java™ 6 Update 17
LAME v3.98.2 for Audacity
Malwarebytes' Anti-Malware
Mega Man Effect
MGTEK dopisp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MobileMe Control Panel
Mozilla Firefox (3.6)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
Napster
Napster Burn Engine
Napster Download Manager
NVIDIA Drivers
OGA Notifier 2.0.0048.0
OpD2d
Original CD Emulator Personal Edition
PDFill PDF Editor with FREE Writer and Free Tools
Pepakura Designer 3
Pepakura Viewer 3
PixiePack Codec Pack
PowerDVD
Presto! BizCard 4.1 Eng
Project64 1.6
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
ScanToWeb
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Segoe UI
SigmaTel Audio
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Manager
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Communications Platform
Windows Live Essentials
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Search 4.0
WordPerfect Office X3
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

9/28/2010 6:44:42 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PSINKNC
9/28/2010 6:44:38 AM, error: Service Control Manager [7000] - The PSINProc service failed to start due to the following error: A device attached to the system is not functioning.
9/28/2010 6:44:38 AM, error: Service Control Manager [7000] - The PSINFile service failed to start due to the following error: A device attached to the system is not functioning.
9/28/2010 6:44:38 AM, error: Service Control Manager [7000] - The PSINAflt service failed to start due to the following error: No more data is available.
9/28/2010 6:44:38 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the path specified.
9/26/2010 11:42:47 PM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 001676D3F807 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================



RKUnHooker Report.txt:


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBF9D9000 C:\WINDOWS\System32\nv4_disp.dll 3919872 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 82.68 )
0xB98C1000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3584000 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 82.68 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1863680 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xAEFAC000 C:\WINDOWS\system32\drivers\sthda.sys 1114112 bytes (SigmaTel, Inc., NDRC)
0xA9EA9000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 749568 bytes
0xBA66C000 iaStor.sys 749568 bytes (Intel Corporation, Intel Matrix Storage Manager driver)
0xBA56B000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAEDC9000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB9748000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAEED4000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA8C7C000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA878B000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB986D000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 262144 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.2 deserialized driver)
0xB97A6000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xBA779000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA8D4B000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xBA53E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAEE39000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB9821000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xAEEAC000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xBA723000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xAEE86000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xAEF88000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9849000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB97FE000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAEE64000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134528 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134528 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xBA634000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xBA749000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xBA524000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xBA654000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xBA60B000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB97E7000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB98AD000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAEF2D000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBA5F8000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF9C7000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBA622000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xBA768000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB97D6000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA938000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB046A000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA948000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xBA9B8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA8E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA958000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA8C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA978000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB043A000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA928000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA8B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA968000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA8A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBAAA8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA998000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA8D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xAB729000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA918000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xA87FC000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xBA988000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB044A000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA6F48000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA8F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB045A000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB0561000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBABF0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB1457000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBAB30000 OCDE.sys 28672 bytes (ZTekWare., OCDE SCSI miniport)
0xAA27D000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xBABF8000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBAC18000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB144F000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBABE8000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xB0571000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBAB40000 C:\WINDOWS\System32\drivers\aspi32.sys 20480 bytes (Adaptec, ASPI for WIN32 Kernel Driver)
0xB0569000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBAB28000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBAC08000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBAC10000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBAC00000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xAA6DD000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xAAE0D000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA4D7000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xACE1A000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBACB8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xAA63E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xAAE15000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB2B1A000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xAAE09000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBAD68000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB2B12000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBAE34000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBADAC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBADA8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBAE36000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBAE66000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBADAA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBAEE2000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xAA62D000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xAF80B000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
!!!!!!!!!!!Hidden driver: 0x892C6AEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x893E3458 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xBA66C000 WARNING: suspicious driver modification [iaStor.sys::0x892C6AEA]
0xBAC18000 WARNING: Virus alike driver modification [kbdclass.sys], 24576 bytes


#7 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Gender: Male, Location: Puerto Rico)

Posted 03 October 2010 - 01:59 PM

Greetings

One or more of the identified infections is known as a Backdoor Trojan - TDSS rootkit <--please read

What this virus does.
QUOTE
Functionality
The functionality that the Trojan exhibits implies that it has been designed with profit-making as its primary objective. Making money from the Web typically involves generating Web traffic, installing pay-per-install software and also by generating sales leads for other Web sites and services of a dubious nature. It tries to achieve its objective by employing an array of techniques to try and make the user participate in these income-generating activities.


What the virus can do.
QUOTE
Backdoor.Tidserv is a Trojan horse that uses an advanced rootkit to hide itself. It also displays advertisements, redirects user search results, and opens a back door on the compromised computer.


This "could" allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can clean this machine but I cannot guarantee that it will be 100% secure afterwards. "If you would like to continue, then follow the steps below, otherwise please let me know"

I would like you to do the following.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Proud Graduate Of Malware Removal University

#8 Don90 (Topic Starter, Members, 17 posts)

Posted 03 October 2010 - 03:53 PM

At the beginning of running ComboFix, the program twice requested that I disable the Panda Anti-Virus; I can't disable it further than I already have. Got message that I was "proceeding at my own risk."

It did install the recovery console.

Microsoft Update and Windows Update still do not work.

Microsoft Update yields a grey window stating:
Error loading C:\WINDOWS\System32\muweb.dll
The specified module could not be found.

Windows Update yields:
Internet Explorer cannot display the webpage

Here is the log:

ComboFix 10-10-02.02 - Don 10/03/2010 16:07:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1687 [GMT -4:00]
Running from: c:\documents and settings\Don\Desktop\ComboFix.exe
AV: Panda Cloud Antivirus *On-access scanning enabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\system32\fswfk.dll
c:\windows\system32\tk3grg9.dll
c:\windows\system32\x5clj98201.dll
c:\windows\system32\x6jcvhq9b.dll

c:\windows\system32\drivers\mnmdd.sys . . . is infected!! . . . Failed to find a valid replacement.
c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.

2010-09-20 03:22 . 2010-09-20 03:22 -------- d-----w- c:\program files\Dell
2010-09-20 02:08 . 2010-09-20 02:08 -------- d-----w- c:\documents and settings\Don\Application Data\U3
2010-09-19 18:43 . 2010-09-19 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2010-09-12 00:10 . 2010-09-12 00:10 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-12 00:07 . 2010-09-12 00:07 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2010-09-12 00:07 . 2010-09-12 00:07 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2010-09-11 22:42 . 2010-09-11 22:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-10 20:02 . 2010-09-10 20:02 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE
2010-09-06 15:07 . 2010-09-06 15:08 -------- d-----w- c:\windows\system32\NtmsData
2010-09-05 19:09 . 2010-09-12 00:09 -------- d-----w- c:\documents and settings\Greg\Application Data\.minecraft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-03 19:47 . 2010-08-27 03:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-20 03:23 . 2009-12-04 02:27 -------- d-----w- c:\program files\Intel
2010-09-20 03:18 . 2009-12-04 02:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-19 18:43 . 2010-07-18 01:18 -------- d-----w- c:\program files\Siber Systems
2010-09-12 16:08 . 2010-07-18 01:18 -------- d-----w- c:\documents and settings\Don\Application Data\GoodSync
2010-09-12 00:09 . 2010-01-31 16:12 -------- d-----w- c:\program files\QuickTime
2010-09-11 23:30 . 2010-09-06 22:41 112 ----a-w- c:\documents and settings\All Users\Application Data\4vOo3e7d.dat
2010-09-06 16:20 . 2010-07-30 16:54 -------- d-----w- c:\documents and settings\Janet\Application Data\GoodSync
2010-08-29 22:05 . 2010-01-17 20:06 -------- d-----w- c:\documents and settings\Don\Application Data\Roxio
2010-08-29 20:29 . 2010-08-27 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-29 19:53 . 2010-08-29 19:53 -------- d-----w- c:\documents and settings\Don\Application Data\Malwarebytes
2010-08-29 19:53 . 2010-08-29 19:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-29 19:53 . 2010-08-29 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-28 15:03 . 2010-08-27 21:28 786432 ----a-w- c:\windows\system32\drivers\xbkutdnz.sys
2010-08-27 21:27 . 2010-08-27 21:27 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-08-27 13:11 . 2010-08-27 03:22 784896 ----a-w- c:\windows\system32\drivers\wtcttemt.sys
2010-08-27 03:23 . 2010-08-27 03:23 120 ----a-w- c:\windows\Xmufocefuweja.dat
2010-08-27 03:23 . 2010-08-27 03:23 0 ----a-w- c:\windows\Dyequlazexi.bin
2010-08-25 12:31 . 2010-06-01 18:38 -------- d-----w- c:\documents and settings\Janet\Application Data\EPSON
2010-08-24 13:42 . 2010-01-18 02:27 -------- d-----w- c:\documents and settings\Don\Application Data\Corel
2010-08-24 12:52 . 2010-01-17 18:31 79072 ----a-w- c:\documents and settings\Don\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-30 16:55 . 2010-04-19 17:02 79072 ----a-w- c:\documents and settings\Janet\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-19 23:34 . 2010-01-18 23:33 79072 ----a-w- c:\documents and settings\Greg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-18 02:15 . 2010-07-18 02:15 507 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-07-18 02:15 . 2010-07-18 02:15 65536 ----a-r- c:\documents and settings\Don\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2010-07-18 02:15 . 2010-07-18 02:15 10134 ----a-r- c:\documents and settings\Don\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\ARPPRODUCTICON.exe
.

------- Sigcheck -------

[-] 2008-04-14 . DCB1D90C6C7333F7F15E02943CA1E949 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 6A72DBA98119F94A646B7DEECEF23E12 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-09-19 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-11 7323648]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-07-03 976832]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AcroTray.exe [2001-10-11 82026]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-20 20:00 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\system32\drivers\OCDE.sys [8/25/2007 6:27 PM 30480]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/29/2010 3:53 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/29/2010 3:53 PM 20952]
S0 qaxro;qaxro;c:\windows\system32\drivers\qdre.sys --> c:\windows\system32\drivers\qdre.sys [?]
S1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [10/13/2009 4:50 PM 114312]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [10/30/2009 5:18 PM 146952]
S2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [10/13/2009 4:50 PM 95880]
S2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [10/13/2009 4:50 PM 101512]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]
2010-02-16 23:02 114688 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open with WordPerfect
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Audacity_is1 - h:\audacityold\Audacity\unins000.exe
AddRemove-CamStudio - c:\program files\CamStudio\uninstall.exe
AddRemove-LAME for Audacity_is1 - g:\stuff\unins000.exe
AddRemove-Mozilla Firefox (3.6) - g:\uninstall\helper.exe
AddRemove-pepakura_designer3en - f:\designer\epuninst.exe
AddRemove-pepakura_viewer3en - f:\documents\Downloads\viewer\epuninst.exe
AddRemove-{C4860702-8F8F-4858-938E-0F941C4A46C4}_is1 - h:\documents\Downloads\Mega Man Effect\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-03 16:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x892CFEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\iaStor -> iaStor.sys @ 0xba674f80
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel® 82566DC Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xba553bb0
PacketIndicateHandler -> NDIS.sys @ 0xba560a21
SendHandler -> NDIS.sys @ 0xba53e87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\WININET.dll
.
Completion time: 2010-10-03 16:23:05
ComboFix-quarantined-files.txt 2010-10-03 20:23

Pre-Run: 198,889,156,608 bytes free
Post-Run: 200,294,727,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 74B50DD849E673B3B0CF498EF9DABE02

#9 Don90
  • Topic Starter
  • Members
  • 17 posts

Posted 03 October 2010 - 03:56 PM

I'm also still getting the redirect popup to "consumernews.org"


don

#10 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 October 2010 - 05:44 PM

Hello


tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    mnmdd.sys
    winlogon.exe
    explorer.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Let me have these two logs please


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 Don90
  • Topic Starter
  • Members
  • 17 posts

Posted 05 October 2010 - 07:46 AM

TDS Log:

2010/10/05 08:03:29.0015 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/05 08:03:29.0015 ================================================================================
2010/10/05 08:03:29.0015 SystemInfo:
2010/10/05 08:03:29.0015
2010/10/05 08:03:29.0015 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/05 08:03:29.0015 Product type: Workstation
2010/10/05 08:03:29.0015 ComputerName: DAD-2
2010/10/05 08:03:29.0015 UserName: Don
2010/10/05 08:03:29.0015 Windows directory: C:\WINDOWS
2010/10/05 08:03:29.0015 System windows directory: C:\WINDOWS
2010/10/05 08:03:29.0015 Processor architecture: Intel x86
2010/10/05 08:03:29.0015 Number of processors: 2
2010/10/05 08:03:29.0015 Page size: 0x1000
2010/10/05 08:03:29.0015 Boot type: Normal boot
2010/10/05 08:03:29.0015 ================================================================================
2010/10/05 08:03:29.0265 Initialize success
2010/10/05 08:03:45.0625 ================================================================================
2010/10/05 08:03:45.0625 Scan started
2010/10/05 08:03:45.0625 Mode: Manual;
2010/10/05 08:03:45.0625 ================================================================================
2010/10/05 08:03:47.0375 Kbdclass (168c8daa9e4884f0300c3b7c999af829) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/05 08:03:47.0375 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: 168c8daa9e4884f0300c3b7c999af829, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2010/10/05 08:03:47.0375 Kbdclass - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/10/05 08:03:49.0937 ================================================================================
2010/10/05 08:03:49.0937 Scan finished
2010/10/05 08:03:49.0937 ================================================================================
2010/10/05 08:03:49.0953 Detected object count: 1
2010/10/05 08:04:20.0265 Kbdclass (168c8daa9e4884f0300c3b7c999af829) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/05 08:04:20.0265 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: 168c8daa9e4884f0300c3b7c999af829, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2010/10/05 08:04:21.0062 Backup copy found, using it..
2010/10/05 08:04:21.0062 C:\WINDOWS\system32\DRIVERS\kbdclass.sys - will be cured after reboot
2010/10/05 08:04:21.0062 Rootkit.Win32.TDSS.tdl3(Kbdclass) - User select action: Cure
2010/10/05 08:04:30.0828 Deinitialize success


SystemLook 04.09.10 by jpshortstuff
Log created at 08:10 on 05/10/2010 by Don
Administrator - Elevation successful

========== filefind ==========

Searching for "mnmdd.sys"
C:\WINDOWS\system32\drivers\mnmdd.sys --a---- 4224 bytes [16:16 25/04/2008] [12:00 14/04/2008] D96FB691A2E73464D13F3C7B655D014E

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [16:16 25/04/2008] [12:00 14/04/2008] DCB1D90C6C7333F7F15E02943CA1E949

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 6A72DBA98119F94A646B7DEECEF23E12

-= EOF =-

Don

#12 Don90
  • Topic Starter
  • Members
  • 17 posts

Posted 05 October 2010 - 07:49 AM

Windows Update is now working, but Internet Explorer shuts down on its own after a couple of minutes.

#13 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 October 2010 - 11:51 PM



Very sorry for not responding sooner. Real life got in the way.


update combofix

I would like you to download an updated version of combofix.
    Delete the version of combofix you have now on your desktop and download a new one from here

    **Note: It is important that it is saved directly to your desktop**

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.

    Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.



#14 Don90

Don90
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:49 PM

Posted 07 October 2010 - 07:06 AM

ComboFix 10-10-06.02 - Don 10/07/2010 7:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1614 [GMT -4:00]
Running from: c:\documents and settings\Don\Desktop\ComboFix.exe
AV: Panda Cloud Antivirus *On-access scanning enabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-09-07 to 2010-10-07 )))))))))))))))))))))))))))))))
.

2010-10-07 11:50 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-09-20 03:22 . 2010-09-20 03:22 -------- d-----w- c:\program files\Dell
2010-09-20 02:08 . 2010-09-20 02:08 -------- d-----w- c:\documents and settings\Don\Application Data\U3
2010-09-19 18:43 . 2010-09-19 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2010-09-12 00:10 . 2010-09-12 00:10 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-12 00:07 . 2010-09-12 00:07 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2010-09-12 00:07 . 2010-09-12 00:07 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2010-09-11 22:42 . 2010-09-11 22:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-10 20:02 . 2010-09-10 20:02 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-05 12:05 . 2008-04-14 00:09 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-10-03 20:52 . 2010-08-27 03:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-20 03:23 . 2009-12-04 02:27 -------- d-----w- c:\program files\Intel
2010-09-20 03:18 . 2009-12-04 02:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-19 18:43 . 2010-07-18 01:18 -------- d-----w- c:\program files\Siber Systems
2010-09-12 16:08 . 2010-07-18 01:18 -------- d-----w- c:\documents and settings\Don\Application Data\GoodSync
2010-09-12 00:09 . 2010-09-05 19:09 -------- d-----w- c:\documents and settings\Greg\Application Data\.minecraft
2010-09-12 00:09 . 2010-01-31 16:12 -------- d-----w- c:\program files\QuickTime
2010-09-11 23:30 . 2010-09-06 22:41 112 ----a-w- c:\documents and settings\All Users\Application Data\4vOo3e7d.dat
2010-09-06 16:20 . 2010-07-30 16:54 -------- d-----w- c:\documents and settings\Janet\Application Data\GoodSync
2010-08-29 22:05 . 2010-01-17 20:06 -------- d-----w- c:\documents and settings\Don\Application Data\Roxio
2010-08-29 20:29 . 2010-08-27 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-29 19:53 . 2010-08-29 19:53 -------- d-----w- c:\documents and settings\Don\Application Data\Malwarebytes
2010-08-29 19:53 . 2010-08-29 19:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-29 19:53 . 2010-08-29 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-28 15:03 . 2010-08-27 21:28 786432 ----a-w- c:\windows\system32\drivers\xbkutdnz.sys
2010-08-27 21:27 . 2010-08-27 21:27 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-08-27 13:11 . 2010-08-27 03:22 784896 ----a-w- c:\windows\system32\drivers\wtcttemt.sys
2010-08-27 03:23 . 2010-08-27 03:23 120 ----a-w- c:\windows\Xmufocefuweja.dat
2010-08-27 03:23 . 2010-08-27 03:23 0 ----a-w- c:\windows\Dyequlazexi.bin
2010-08-25 12:31 . 2010-06-01 18:38 -------- d-----w- c:\documents and settings\Janet\Application Data\EPSON
2010-08-24 13:42 . 2010-01-18 02:27 -------- d-----w- c:\documents and settings\Don\Application Data\Corel
2010-08-24 12:52 . 2010-01-17 18:31 79072 ----a-w- c:\documents and settings\Don\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-30 16:55 . 2010-04-19 17:02 79072 ----a-w- c:\documents and settings\Janet\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-19 23:34 . 2010-01-18 23:33 79072 ----a-w- c:\documents and settings\Greg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-18 02:15 . 2010-07-18 02:15 507 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-07-18 02:15 . 2010-07-18 02:15 65536 ----a-r- c:\documents and settings\Don\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2010-07-18 02:15 . 2010-07-18 02:15 10134 ----a-r- c:\documents and settings\Don\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\ARPPRODUCTICON.exe
.

------- Sigcheck -------

[-] 2008-04-14 . DCB1D90C6C7333F7F15E02943CA1E949 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 6A72DBA98119F94A646B7DEECEF23E12 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-10-03_20.20.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-07 11:49 . 2010-10-07 11:49 16384 c:\windows\Temp\Perflib_Perfdata_600.dat
- 2010-01-18 01:38 . 2010-08-22 17:52 23040 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2010-01-18 01:38 . 2010-10-05 12:38 23040 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2010-01-18 01:38 . 2010-10-05 12:38 61440 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2010-01-18 01:38 . 2010-08-22 17:52 61440 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2010-01-18 01:38 . 2010-08-22 17:52 27136 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2010-01-18 01:38 . 2010-10-05 12:38 27136 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2010-01-18 01:38 . 2010-10-05 12:38 11264 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2010-01-18 01:38 . 2010-08-22 17:52 11264 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2010-01-18 01:38 . 2010-10-05 12:38 12288 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2010-01-18 01:38 . 2010-08-22 17:52 12288 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2010-10-05 12:37 . 2010-10-05 12:37 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2010-08-22 17:48 . 2010-08-22 17:48 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2010-01-18 01:38 . 2010-08-22 17:52 4096 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2010-01-18 01:38 . 2010-10-05 12:38 4096 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2010-01-18 01:38 . 2010-10-05 12:38 409600 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2010-01-18 01:38 . 2010-08-22 17:52 409600 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2010-01-18 01:38 . 2010-08-22 17:52 286720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2010-01-18 01:38 . 2010-10-05 12:38 286720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2010-01-18 01:38 . 2010-10-05 12:38 249856 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2010-01-18 01:38 . 2010-08-22 17:52 249856 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2010-01-18 01:38 . 2010-10-05 12:38 794624 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2010-01-18 01:38 . 2010-08-22 17:52 794624 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2010-01-18 01:38 . 2010-10-05 12:38 135168 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2010-01-18 01:38 . 2010-08-22 17:52 135168 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2010-01-18 01:38 . 2010-08-22 17:52 593920 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2010-01-18 01:38 . 2010-10-05 12:38 593920 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2010-06-28 20:01 . 2010-06-28 20:01 7677952 c:\windows\Installer\1d3f1e.msp
+ 2010-06-29 02:53 . 2010-06-29 02:53 6819840 c:\windows\Installer\1d3f0b.msp
+ 2010-07-26 21:02 . 2010-07-26 21:02 5519360 c:\windows\Installer\1d3ef8.msp
+ 2010-07-11 00:14 . 2010-07-11 00:14 2850816 c:\windows\Installer\1d3ee5.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-09-19 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-11 7323648]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-07-03 976832]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AcroTray.exe [2001-10-11 82026]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-20 20:00 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\system32\drivers\OCDE.sys [8/25/2007 6:27 PM 30480]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/29/2010 3:53 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/29/2010 3:53 PM 20952]
S0 qaxro;qaxro;c:\windows\system32\drivers\qdre.sys --> c:\windows\system32\drivers\qdre.sys [?]
S1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [10/13/2009 4:50 PM 114312]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [10/30/2009 5:18 PM 146952]
S2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [10/13/2009 4:50 PM 95880]
S2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [10/13/2009 4:50 PM 101512]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]
2010-02-16 23:02 114688 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open with WordPerfect
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-10-07 08:02:50
ComboFix-quarantined-files.txt 2010-10-07 12:02
ComboFix2.txt 2010-10-03 20:23

Pre-Run: 200,009,756,672 bytes free
Post-Run: 200,007,507,968 bytes free

- - End Of File - - 6663693022731BE6C88DC2CA20020411


Time of response from you has been fine! Thanks for your help!!!
Don

#15 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:49 PM

Posted 07 October 2010 - 11:08 AM

Hello

You don't have any replacements for those infected files, so let's try the simple way to fix this first and hope for the best.

I want you to do a system restore to before you got infected. If you don't know how to do this, then please let me know.

After you have done the system restore I want you to rerun combofix for me.


Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University



