
FF and Chrome browsers Hijacked


This topic is locked. 14 replies to this topic.

#1 wacnstac (Members, 9 posts)

Posted 27 September 2010 - 08:27 PM

Both FF 3.6 and Google Chrome have been hijacked on the computer I'm trying to debug. Forget about IE. Both go to links which were not the link that was clicked on. Many times it is to goofy landing pages.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Gina at 21:09:37.95 on Mon 09/27/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703.308 [GMT -4:00]

AV: ESET Smart Security 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Gina\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.michigan-sportsman.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\gina\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [sdsetup_aff] c:\documents and settings\gina\desktop\sdsetup_aff.exe -min
mRun: [AtiPTA] atiptaxx.exe
mRun: [NWEReboot]
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
dRun: [Photo TurboBackup] c:\program files\filestream\photo turbobackup\pbksche.exe -s
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\little shop of treasures\images\stg_drm.ocx
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135056312940
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\little shop of treasures\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gina\applic~1\mozilla\firefox\profiles\bmwz5u70.default\
FF - prefs.js: browser.startup.homepage - www.michigan-sportsman.com
FF - plugin: c:\documents and settings\gina\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R2 AtiBt829;ATI WDM Bt829 Video;c:\windows\system32\drivers\atinbtxx.sys [2004-8-4 60464]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-8-12 810144]
RUnknown a2injectiondriver;a2injectiondriver; [x]
S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);c:\windows\system32\drivers\ativxbar.sys [2005-12-19 26624]
S3 musbehco;musbehco;\??\c:\docume~1\gina\locals~1\temp\musbehco.sys --> c:\docume~1\gina\locals~1\temp\musbehco.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-09-28 00:36:51 0 d-----w- c:\program files\Trend Micro
2010-09-27 02:32:58 0 d-----w- c:\program files\Emsisoft Anti-Malware
2010-09-27 00:12:34 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-09-27 00:12:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-09-26 23:47:09 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-09-26 21:13:06 0 d-----w- c:\program files\ESET
2010-09-25 20:58:22 44089904 ----a-w- c:\temp\avira_antivir_personal_en(2).exe
2010-09-25 19:38:13 0 d-----w- c:\docume~1\gina\applic~1\ESET
2010-09-17 02:13:44 185584 ----a-w- c:\documents and settings\gina\_GEAREXT.vol

==================== Find3M ====================

2010-08-04 15:50:36 140752 ----a-w- c:\windows\system32\drivers\eamon.sys
2010-08-03 17:28:36 55256 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2010-01-05 04:23:58 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 21:11:47.68 ===============

EDIT: Posts merged ~BP

Edited by Budapest, 27 September 2010 - 08:36 PM.


#2 m0le (Malware Response Team, 34,527 posts, Location: London, UK)

Posted 01 October 2010 - 08:11 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 wacnstac (Topic Starter, Members, 9 posts)

Posted 03 October 2010 - 04:22 PM

Ready and waiting for instructions...

#4 m0le (Malware Response Team, 34,527 posts, Location: London, UK)

Posted 03 October 2010 - 06:53 PM

Please run these two rootkit scans:
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Then

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE
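As an added example (not code from this thread, DDS or TDSSKiller), here is a small Python triage script that applies the checks a helper makes by eye: it parses the DDS log from post #1 for drivers and autoruns in temp or desktop directories, services DDS could not verify, and hosts overrides, and parses report lines in the format TDSSKiller writes for forged driver images and named detections. The regexes follow the line formats visible in the posted logs, the sample lines are copied from them, and the suspect-directory list and function names are my own choices for this example.

```python
"""Triage checks for DDS and TDSSKiller log lines (added example, not tool code)."""
import re
from typing import Iterable, List, Tuple

Finding = Tuple[str, str]  # (reason, offending log line)

# DDS "SERVICES / DRIVERS" line: <start type> <name>;<display name>;<image path> [...]
_SERVICE_RE = re.compile(
    r"^(?P<start>[RS](?:\d|Unknown))\s+(?P<name>[^;]+);(?P<disp>[^;]*);(?P<rest>.*)$")
# DDS autorun line: uRun/mRun/dRun: [<value name>] <command line>
_RUN_RE = re.compile(r"^[umd]Run:\s+\[(?P<value>[^\]]*)\]\s*(?P<cmd>.*)$")
# Directories a legitimately installed driver or startup program rarely lives in
# (heuristic chosen for this example; matched against the lower-cased line).
_SUSPECT_DIRS = ("\\temp\\", "\\locals~1\\temp", "\\desktop\\")


def triage_dds(lines: Iterable[str]) -> List[Finding]:
    """Flag the DDS entries a malware-response helper would query first."""
    findings: List[Finding] = []
    for line in lines:
        line = line.rstrip()
        low = line.lower()
        m = _SERVICE_RE.match(line)
        if m:
            if m.group("start").endswith("Unknown"):
                findings.append(("service with unknown start type", line))
            # DDS appends [x] or [?] when it cannot find or verify the image file
            if m.group("rest").rstrip().endswith(("[x]", "[?]")):
                findings.append(("service/driver image missing or unverifiable", line))
            if any(d in low for d in _SUSPECT_DIRS):
                findings.append(("driver loads from a temp directory", line))
        elif _RUN_RE.match(line) and any(d in low for d in _SUSPECT_DIRS):
            findings.append(("autorun points into a temp or desktop directory", line))
        elif low.startswith("hosts:"):
            # A hosts entry sending a security site to 127.0.0.1 is a classic sign of tampering
            findings.append(("hosts file override", line))
    return findings


# TDSSKiller report lines, in the format of the report posted later in this thread
_FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})")
_DETECTED_RE = re.compile(r"^\S+\s+\S+\s+(?P<svc>\S+) - detected (?P<name>\S+)")


def triage_tdsskiller(lines: Iterable[str]) -> List[Finding]:
    """Flag forged driver images and named detections in a TDSSKiller report."""
    findings: List[Finding] = []
    for line in lines:
        line = line.rstrip()
        m = _FORGED_RE.search(line)
        if m:
            # Two different hashes for one file mean the bytes TDSSKiller reads
            # depend on how the file is accessed: a rootkit hiding its patch to
            # a system driver produces exactly this mismatch.
            if m.group("real") != m.group("fake"):
                findings.append((f"forged driver image: {m.group('path')}", line))
            continue
        m = _DETECTED_RE.match(line)
        if m:
            findings.append((f"{m.group('svc')} detected as {m.group('name')}", line))
    return findings


# Constructed samples: entries copied from the logs in this thread plus clean ones for contrast
SAMPLE_DDS = [
    r"R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]",
    r"RUnknown a2injectiondriver;a2injectiondriver; [x]",
    r"S3 musbehco;musbehco;\??\c:\docume~1\gina\locals~1\temp\musbehco.sys --> c:\docume~1\gina\locals~1\temp\musbehco.sys [?]",
    r"S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]",
    r'mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice',
    r"uRun: [sdsetup_aff] c:\documents and settings\gina\desktop\sdsetup_aff.exe -min",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
]
SAMPLE_TDSS = [
    r"2010/10/03 20:16:32.0125    AFD             (f6ba94c98ac369f3ca5fd4dd9a619b57) C:\WINDOWS\System32\drivers\afd.sys",
    r"2010/10/03 20:16:32.0140    Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: f6ba94c98ac369f3ca5fd4dd9a619b57, Fake md5: 5ac495f4cb807b2b98ad2ad591e6d92e",
    r"2010/10/03 20:16:32.0171    AFD - detected Rootkit.Win32.TDSS.tdl3 (0)",
    r"2010/10/03 20:16:33.0359    atapi           (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys",
]


if __name__ == "__main__":
    for reason, line in triage_dds(SAMPLE_DDS) + triage_tdsskiller(SAMPLE_TDSS):
        print(f"[{reason}] {line}")
```

On the samples above the script flags the a2injectiondriver, musbehco and vsdatant services, the desktop autorun and the hosts entry from the DDS log, and the forged afd.sys image plus its TDL3 detection from the TDSSKiller report, while the clean ehdrv, egui and atapi lines pass.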

#5 wacnstac (Topic Starter, Members, 9 posts)

Posted 03 October 2010 - 07:29 PM

Here are the two logs. I did nothing else to the system after completing your instructions. I await further correspondence.

CODE
2010/10/03 20:16:16.0750    TDSS rootkit removing tool 2.4.3.0 Sep 27 2010 15:28:54
2010/10/03 20:16:16.0750    ================================================================================
2010/10/03 20:16:16.0750    SystemInfo:
2010/10/03 20:16:16.0750    
2010/10/03 20:16:16.0750    OS Version: 5.1.2600 ServicePack: 2.0
2010/10/03 20:16:16.0750    Product type: Workstation
2010/10/03 20:16:16.0750    ComputerName: GINA-Q9DXMNOSEN
2010/10/03 20:16:16.0750    UserName: Gina
2010/10/03 20:16:16.0750    Windows directory: C:\WINDOWS
2010/10/03 20:16:16.0750    System windows directory: C:\WINDOWS
2010/10/03 20:16:16.0750    Processor architecture: Intel x86
2010/10/03 20:16:16.0750    Number of processors: 1
2010/10/03 20:16:16.0750    Page size: 0x1000
2010/10/03 20:16:16.0750    Boot type: Normal boot
2010/10/03 20:16:16.0750    ================================================================================
2010/10/03 20:16:17.0328    Initialize success
2010/10/03 20:16:30.0781    ================================================================================
2010/10/03 20:16:30.0781    Scan started
2010/10/03 20:16:30.0781    Mode: Manual;
2010/10/03 20:16:30.0781    ================================================================================
2010/10/03 20:16:31.0546    ACPI            (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/03 20:16:31.0687    ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/03 20:16:31.0968    aec             (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2010/10/03 20:16:32.0125    AFD             (f6ba94c98ac369f3ca5fd4dd9a619b57) C:\WINDOWS\System32\drivers\afd.sys
2010/10/03 20:16:32.0140    Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: f6ba94c98ac369f3ca5fd4dd9a619b57, Fake md5: 5ac495f4cb807b2b98ad2ad591e6d92e
2010/10/03 20:16:32.0171    AFD - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/10/03 20:16:32.0656    AmdK7           (680ad1c1bb16239e28d8f33a54a7a3c7) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2010/10/03 20:16:33.0203    AsyncMac        (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/03 20:16:33.0359    atapi           (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/03 20:16:33.0593    ati2mpaa        (9027ae586ef5f0e6a40175e92917b44c) C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys
2010/10/03 20:16:33.0750    ati2mtaa        (27bab72eae141d0ce39ec65c0fdeb2d6) C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
2010/10/03 20:16:33.0921    AtiBt829        (10417bc5e86c0ae8f0668ccc2b93298d) C:\WINDOWS\system32\DRIVERS\atinbtxx.sys
2010/10/03 20:16:34.0046    ATITUNEP        (c5e545bbb396439bdb618cabc0ed0984) C:\WINDOWS\system32\DRIVERS\atintuxx.sys
2010/10/03 20:16:34.0203    ATIVXSXX        (c9599d2569e85c74a19ec1b9e72469f1) C:\WINDOWS\system32\DRIVERS\ativxbar.sys
2010/10/03 20:16:34.0359    ATIXSAudio      (e6e2935c08b73fa9a5dfe673cf6fd33d) C:\WINDOWS\system32\DRIVERS\atinxsxx.sys
2010/10/03 20:16:34.0500    Atmarpc         (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/03 20:16:34.0656    audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/03 20:16:34.0796    Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/03 20:16:35.0031    cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/03 20:16:35.0203    CCDECODE        (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/10/03 20:16:35.0406    Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/03 20:16:35.0546    Cdfs            (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/03 20:16:35.0687    Cdrom           (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/03 20:16:36.0359    Disk            (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/03 20:16:36.0562    dmboot          (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/03 20:16:36.0859    dmio            (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/03 20:16:37.0031    dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/03 20:16:37.0203    DMusic          (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/03 20:16:37.0437    drmkaud         (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/03 20:16:37.0593    eamon           (1ceb779239965000b8f6adee17d4515b) C:\WINDOWS\system32\DRIVERS\eamon.sys
2010/10/03 20:16:37.0765    ehdrv           (7d300a43a7bd8769e0f901bf9e1ae367) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
2010/10/03 20:16:37.0984    epfw            (15bfe00f030ea20955117bb0677e9668) C:\WINDOWS\system32\DRIVERS\epfw.sys
2010/10/03 20:16:38.0140    Epfwndis        (52310e0e603d7da79ecca7d764937a91) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
2010/10/03 20:16:38.0234    epfwtdi         (bdde7dd8fcdb1de7e879bb320b0605c0) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
2010/10/03 20:16:38.0390    Fastfat         (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/03 20:16:38.0500    Fdc             (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/03 20:16:38.0625    FETNDIS         (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
2010/10/03 20:16:38.0765    Fips            (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/03 20:16:38.0921    Flpydisk        (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/10/03 20:16:39.0093    FltMgr          (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/03 20:16:39.0234    Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/03 20:16:39.0359    Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/03 20:16:39.0468    GEARAspiWDM     (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/10/03 20:16:39.0609    Gpc             (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/03 20:16:39.0843    HidUsb          (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/03 20:16:40.0171    HTTP            (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/03 20:16:40.0515    i8042prt        (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/03 20:16:40.0703    Imapi           (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/03 20:16:41.0281    ip6fw           (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/03 20:16:41.0421    IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/03 20:16:41.0625    IpInIp          (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/03 20:16:41.0765    IpNat           (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/03 20:16:41.0937    IPSec           (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/03 20:16:42.0078    IRENUM          (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/03 20:16:42.0281    isapnp          (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/03 20:16:42.0437    Kbdclass        (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/03 20:16:42.0546    kbdhid          (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/03 20:16:42.0750    kmixer          (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/03 20:16:42.0906    KSecDD          (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/03 20:16:43.0250    mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/03 20:16:43.0406    Modem           (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/03 20:16:43.0546    Mouclass        (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/03 20:16:43.0687    mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/03 20:16:43.0843    MountMgr        (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/03 20:16:44.0078    MRxDAV          (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/03 20:16:44.0265    MRxSmb          (025af03ce51645c62f3b6907a7e2be5e) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/03 20:16:44.0468    Msfs            (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/03 20:16:44.0578    MSKSSRV         (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/03 20:16:44.0750    MSPCLOCK        (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/03 20:16:44.0906    MSPQM           (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/03 20:16:45.0046    mssmbios        (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/03 20:16:45.0156    MSTEE           (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/10/03 20:16:45.0312    Mup             (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/03 20:16:45.0625    MVDCODEC        (a6c4bb3897a0b3ac8d175528385408ea) C:\WINDOWS\system32\DRIVERS\atinmdxx.sys
2010/10/03 20:16:45.0781    NABTSFEC        (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/10/03 20:16:45.0984    NDIS            (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/03 20:16:46.0125    NdisIP          (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/10/03 20:16:46.0296    NdisTapi        (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/03 20:16:46.0453    Ndisuio         (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/03 20:16:46.0593    NdisWan         (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/03 20:16:46.0765    NDProxy         (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/03 20:16:46.0968    NetBIOS         (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/03 20:16:47.0156    NetBT           (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/03 20:16:47.0406    Npfs            (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/03 20:16:47.0562    Ntfs            (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/03 20:16:47.0781    Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/03 20:16:47.0937    NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/03 20:16:48.0093    NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/03 20:16:48.0281    Parport         (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/03 20:16:48.0437    PartMgr         (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/03 20:16:48.0593    ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/03 20:16:48.0734    PCI             (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/03 20:16:49.0078    Pcmcia          (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/03 20:16:49.0750    PptpMiniport    (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/03 20:16:49.0921    Processor       (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/10/03 20:16:50.0125    PSched          (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/03 20:16:50.0312    Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/03 20:16:50.0453    PxHelp20        (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/03 20:16:51.0062    RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/03 20:16:51.0234    Rasl2tp         (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/03 20:16:51.0406    RasPppoe        (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/03 20:16:51.0531    Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/03 20:16:51.0687    Rdbss           (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/03 20:16:51.0843    RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/03 20:16:52.0062    rdpdr           (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/03 20:16:52.0250    RDPWD           (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/03 20:16:52.0453    redbook         (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/03 20:16:52.0687    rtl8139         (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/10/03 20:16:52.0921    Secdrv          (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/03 20:16:53.0109    serenum         (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/03 20:16:53.0265    Serial          (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/03 20:16:53.0390    Sfloppy         (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2010/10/03 20:16:53.0640    SLIP            (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/10/03 20:16:53.0906    splitter        (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/03 20:16:54.0109    sr              (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/03 20:16:54.0296    Srv             (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/03 20:16:54.0531    streamip        (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/10/03 20:16:54.0656    swenum          (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/03 20:16:54.0828    swmidi          (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/03 20:16:55.0328    sysaudio        (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/03 20:16:55.0515    tbhsd           (6b578ceb3451a5a8401ed971ca43fb9b) C:\WINDOWS\system32\drivers\tbhsd.sys
2010/10/03 20:16:55.0703    Tcpip           (1dbf125862891817f374f407626967f4) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/03 20:16:55.0906    TDPIPE          (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/03 20:16:56.0062    TDTCP           (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/03 20:16:56.0218    TermDD          (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/03 20:16:56.0578    uagp35          (49c805d42d75eddc9b6a7130999c9054) C:\WINDOWS\system32\DRIVERS\uagp35.sys
2010/10/03 20:16:56.0765    Udfs            (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/03 20:16:56.0984    Update          (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/03 20:16:57.0171    USBAAPL         (60a68a5ea173a97971ee9f1ff49eb2b3) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/10/03 20:16:57.0296    usbccgp         (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/03 20:16:57.0453    usbehci         (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/03 20:16:57.0640    usbhub          (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/03 20:16:57.0765    usbscan         (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/03 20:16:57.0906    USBSTOR         (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/03 20:16:58.0031    usbuhci         (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/03 20:16:58.0187    VgaSave         (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/10/03 20:16:58.0328    ViaIde          (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/03 20:16:58.0468    VIAudio         (a6fcca426660d3fc5a5cb7c0623a257b) C:\WINDOWS\system32\drivers\vinyl97.sys
2010/10/03 20:16:58.0656    VolSnap         (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/03 20:16:58.0906    Wanarp          (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/03 20:16:59.0156    wdmaud          (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/03 20:16:59.0500    WpdUsb          (1385e5aa9c9821790d33a9563b8d2dd0) C:\WINDOWS\system32\Drivers\wpdusb.sys
2010/10/03 20:16:59.0687    WS2IFSL         (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/10/03 20:16:59.0859    WSTCODEC        (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/10/03 20:17:00.0171    ================================================================================
2010/10/03 20:17:00.0171    Scan finished
2010/10/03 20:17:00.0171    ================================================================================
2010/10/03 20:17:00.0250    Detected object count: 1
2010/10/03 20:18:13.0062    AFD             (f6ba94c98ac369f3ca5fd4dd9a619b57) C:\WINDOWS\System32\drivers\afd.sys
2010/10/03 20:18:13.0062    Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: f6ba94c98ac369f3ca5fd4dd9a619b57, Fake md5: 5ac495f4cb807b2b98ad2ad591e6d92e
2010/10/03 20:18:15.0015    Backup copy found, using it..
2010/10/03 20:18:15.0140    C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot
2010/10/03 20:18:15.0140    Rootkit.Win32.TDSS.tdl3(AFD) - User select action: Cure
2010/10/03 20:18:24.0390    Deinitialize success


CODE
MBRCheck, version 1.2.3
2010, AD

Command-line:            
Windows Version:        Windows XP Professional
Windows Information:        Service Pack 2 (build 2600)
Logical Drives Mask:        0x0000003c

Kernel Drivers (total 122):
  0x804D7000 \WINDOWS\system32\ntoskrnl.exe
  0x806EC000 \WINDOWS\system32\hal.dll
  0xF836E000 \WINDOWS\system32\KDCOM.DLL
  0xF827E000 \WINDOWS\system32\BOOTVID.dll
  0xF7E3B000 klmdb.sys
  0xF7E0D000 ACPI.sys
  0xF8370000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
  0xF7DFC000 pci.sys
  0xF7E6E000 isapnp.sys
  0xF8372000 viaide.sys
  0xF80EE000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
  0xF7E7E000 MountMgr.sys
  0xF7DDD000 ftdisk.sys
  0xF8374000 dmload.sys
  0xF7DB7000 dmio.sys
  0xF80F6000 PartMgr.sys
  0xF7E8E000 VolSnap.sys
  0xF7D9F000 atapi.sys
  0xF7E9E000 disk.sys
  0xF7EAE000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
  0xF7D7F000 fltmgr.sys
  0xF7D6D000 sr.sys
  0xF7EBE000 PxHelp20.sys
  0xF7D56000 KSecDD.sys
  0xF7CC9000 Ntfs.sys
  0xF7C9C000 NDIS.sys
  0xF7ECE000 uagp35.sys
  0xF7C81000 Mup.sys
  0xF809E000 \SystemRoot\System32\DRIVERS\amdk7.sys
  0xF770A000 \SystemRoot\System32\DRIVERS\ati2mtaa.sys
  0xF76F6000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
  0xF81A6000 \SystemRoot\system32\DRIVERS\RTL8139.SYS
  0xF80AE000 \SystemRoot\system32\DRIVERS\imapi.sys
  0xF80BE000 \SystemRoot\System32\DRIVERS\cdrom.sys
  0xF80CE000 \SystemRoot\System32\DRIVERS\redbook.sys
  0xF76D3000 \SystemRoot\System32\DRIVERS\ks.sys
  0xF80DE000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
  0xF81AE000 \SystemRoot\System32\DRIVERS\usbuhci.sys
  0xF76B0000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
  0xF81B6000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0xF767E000 \SystemRoot\system32\drivers\vinyl97.sys
  0xF765A000 \SystemRoot\system32\drivers\portcls.sys
  0xF7EFE000 \SystemRoot\system32\drivers\drmk.sys
  0xF81BE000 \SystemRoot\System32\DRIVERS\fdc.sys
  0xF7F0E000 \SystemRoot\System32\DRIVERS\serial.sys
  0xF8322000 \SystemRoot\System32\DRIVERS\serenum.sys
  0xF7646000 \SystemRoot\System32\DRIVERS\parport.sys
  0xF7F1E000 \SystemRoot\System32\DRIVERS\i8042prt.sys
  0xF81C6000 \SystemRoot\System32\DRIVERS\kbdclass.sys
  0xF7F2E000 \SystemRoot\system32\DRIVERS\Epfwndis.sys
  0xF8326000 \SystemRoot\system32\drivers\tbhsd.sys
  0xF85AE000 \SystemRoot\System32\DRIVERS\audstub.sys
  0xF7F3E000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
  0xF832A000 \SystemRoot\System32\DRIVERS\ndistapi.sys
  0xF75F5000 \SystemRoot\System32\DRIVERS\ndiswan.sys
  0xF7F4E000 \SystemRoot\System32\DRIVERS\raspppoe.sys
  0xF7F5E000 \SystemRoot\System32\DRIVERS\raspptp.sys
  0xF81CE000 \SystemRoot\System32\DRIVERS\TDI.SYS
  0xF7544000 \SystemRoot\System32\DRIVERS\psched.sys
  0xF7F6E000 \SystemRoot\System32\DRIVERS\msgpc.sys
  0xF81D6000 \SystemRoot\System32\DRIVERS\ptilink.sys
  0xF81DE000 \SystemRoot\System32\DRIVERS\raspti.sys
  0xF7513000 \SystemRoot\System32\DRIVERS\rdpdr.sys
  0xF7F8E000 \SystemRoot\System32\DRIVERS\termdd.sys
  0xF81E6000 \SystemRoot\System32\DRIVERS\mouclass.sys
  0xF838A000 \SystemRoot\System32\DRIVERS\swenum.sys
  0xF74DF000 \SystemRoot\System32\DRIVERS\update.sys
  0xF8346000 \SystemRoot\System32\DRIVERS\mssmbios.sys
  0xF7FAE000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0xF7FCE000 \SystemRoot\System32\DRIVERS\usbhub.sys
  0xF83A2000 \SystemRoot\System32\DRIVERS\USBD.SYS
  0xF83AC000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0xF858C000 \SystemRoot\System32\Drivers\Null.SYS
  0xF83AE000 \SystemRoot\System32\Drivers\Beep.SYS
  0xF5450000 \SystemRoot\system32\DRIVERS\ehdrv.sys
  0xF822E000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
  0xF8236000 \SystemRoot\System32\drivers\vga.sys
  0xF83B0000 \SystemRoot\System32\Drivers\mnmdd.SYS
  0xF83B2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0xF823E000 \SystemRoot\System32\Drivers\Msfs.SYS
  0xF8246000 \SystemRoot\System32\Drivers\Npfs.SYS
  0xF82FE000 \SystemRoot\System32\DRIVERS\rasacd.sys
  0xF541D000 \SystemRoot\System32\DRIVERS\ipsec.sys
  0xF53C5000 \SystemRoot\System32\DRIVERS\tcpip.sys
  0xF53B3000 \SystemRoot\system32\DRIVERS\epfwtdi.sys
  0xF538B000 \SystemRoot\System32\DRIVERS\netbt.sys
  0xF5369000 \SystemRoot\System32\drivers\afd.sys
  0xF5348000 \SystemRoot\System32\DRIVERS\ipnat.sys
  0xF7FEE000 \SystemRoot\System32\DRIVERS\wanarp.sys
  0xF7FFE000 \SystemRoot\System32\DRIVERS\netbios.sys
  0xF531D000 \SystemRoot\System32\DRIVERS\rdbss.sys
  0xF52AE000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
  0xF801E000 \SystemRoot\System32\Drivers\Fips.SYS
  0xF803E000 \SystemRoot\System32\Drivers\Cdfs.SYS
  0xF825E000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
  0xF74CB000 \SystemRoot\system32\DRIVERS\hidusb.sys
  0xF804E000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
  0xF74C7000 \SystemRoot\System32\DRIVERS\mouhid.sys
  0xF51CE000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0xF83C0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
  0xBF800000 \SystemRoot\System32\win32k.sys
  0xF8352000 \SystemRoot\System32\drivers\Dxapi.sys
  0xF8276000 \SystemRoot\System32\watchdog.sys
  0xBF9C3000 \SystemRoot\System32\drivers\dxg.sys
  0xF84E1000 \SystemRoot\System32\drivers\dxgthk.sys
  0xF5493000 \SystemRoot\system32\DRIVERS\atinmdxx.sys
  0xF807E000 \SystemRoot\system32\DRIVERS\STREAM.SYS
  0xF8116000 \SystemRoot\system32\DRIVERS\atinxsxx.sys
  0xF808E000 \SystemRoot\system32\DRIVERS\atinbtxx.sys
  0xF811E000 \SystemRoot\system32\DRIVERS\atintuxx.sys
  0xBF9D5000 \SystemRoot\System32\ati2dvaa.dll
  0xF3FE7000 \SystemRoot\system32\DRIVERS\eamon.sys
  0xF3F9D000 \SystemRoot\system32\DRIVERS\epfw.sys
  0xF40CA000 \SystemRoot\System32\DRIVERS\ndisuio.sys
  0xF3E08000 \SystemRoot\System32\DRIVERS\mrxdav.sys
  0xF842A000 \SystemRoot\System32\Drivers\ParVdm.SYS
  0xF3CD7000 \SystemRoot\System32\Drivers\HTTP.sys
  0xF3C5D000 \SystemRoot\System32\DRIVERS\srv.sys
  0xF3B30000 \SystemRoot\system32\drivers\wdmaud.sys
  0xF3D78000 \SystemRoot\system32\drivers\sysaudio.sys
  0xF33F7000 \SystemRoot\system32\drivers\kmixer.sys
  0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 32):
       0 System Idle Process
       4 System
     636 C:\WINDOWS\system32\smss.exe
     724 csrss.exe
     752 C:\WINDOWS\system32\winlogon.exe
     796 C:\WINDOWS\system32\services.exe
     808 C:\WINDOWS\system32\lsass.exe
     964 C:\WINDOWS\system32\svchost.exe
    1040 svchost.exe
    1132 C:\WINDOWS\system32\svchost.exe
    1188 svchost.exe
    1240 svchost.exe
    1516 C:\WINDOWS\system32\spoolsv.exe
    1636 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    1668 C:\Program Files\Bonjour\mDNSResponder.exe
    1704 C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    1900 C:\WINDOWS\system32\svchost.exe
    1976 wdfmgr.exe
     476 C:\WINDOWS\explorer.exe
    1096 C:\Program Files\Canon\CAL\CALMAIN.exe
    1104 C:\WINDOWS\system32\atiptaxx.exe
    1116 C:\Program Files\iTunes\iTunesHelper.exe
    1160 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    1180 C:\Program Files\ESET\ESET Smart Security\egui.exe
    1228 C:\Program Files\Messenger\msmsgs.exe
    1300 C:\WINDOWS\system32\ctfmon.exe
    1432 C:\Documents and Settings\Gina\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
    1388 C:\Program Files\iPod\bin\iPodService.exe
    1680 C:\WINDOWS\system32\wscntfy.exe
    1888 alg.exe
    2656 C:\WINDOWS\system32\wuauclt.exe
    2860 C:\Documents and Settings\Gina\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00  (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00  (NTFS)

PhysicalDrive0 Model Number: Maxtor6E040L0, Rev: NAR61HA0
PhysicalDrive1 Model Number: Maxtor6Y080P0, Rev: YAR41BW0

      Size  Device Name          MBR Status
  --------------------------------------------
     38 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
     76 GB  \\.\PhysicalDrive1   Windows XP MBR code detected
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Edited by wacnstac, 03 October 2010 - 07:30 PM.
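As an added example (not TDSSKiller's own code, nor anything posted in this thread), here is a Python parser for the TDSSKiller log format shown earlier in this post: it extracts the driver table and any "Suspicious file (Forged)" records, pairs each Real md5 with its Fake md5, and reports the drivers whose two hashes disagree, which is the check a responder wants from such a log. The sample log embedded in it is constructed from the lines above.

```python
"""Parse TDSSKiller-style scan output and pull out the forged drivers.

The useful signal in such a log is a driver whose "Real md5" and "Fake md5"
disagree: the file's contents read one way do not match what it reports the
other way, so something between the scanner and the disk is lying about it.
That is how TDL3 hid inside afd.sys on the machine in this thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, shaped after the TDSSKiller log quoted in this post.
SAMPLE_LOG = r"""
2010/10/03 20:16:48.0734    PCI             (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/03 20:16:55.0703    Tcpip           (1dbf125862891817f374f407626967f4) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/03 20:17:00.0171    ================================================================================
2010/10/03 20:17:00.0171    Scan finished
2010/10/03 20:17:00.0250    Detected object count: 1
2010/10/03 20:18:13.0062    AFD             (f6ba94c98ac369f3ca5fd4dd9a619b57) C:\WINDOWS\System32\drivers\afd.sys
2010/10/03 20:18:13.0062    Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: f6ba94c98ac369f3ca5fd4dd9a619b57, Fake md5: 5ac495f4cb807b2b98ad2ad591e6d92e
2010/10/03 20:18:15.0015    Backup copy found, using it..
2010/10/03 20:18:15.0140    C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot
2010/10/03 20:18:15.0140    Rootkit.Win32.TDSS.tdl3(AFD) - User select action: Cure
"""

# Every TDSSKiller line opens with a timestamp; the remainder decides the record type.
TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+"
DRIVER_RE = re.compile(TS + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
FORGED_RE = re.compile(TS + r"Suspicious file \((?P<kind>[^)]+)\): (?P<path>.+?)\. "
                      r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
CURE_RE = re.compile(TS + r"(?P<path>.+?) - will be cured after reboot$")
VERDICT_RE = re.compile(TS + r"(?P<threat>\S+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")


@dataclass
class DriverRecord:
    name: str
    md5: str
    path: str


@dataclass
class Detection:
    path: str
    kind: str                      # TDSSKiller's label, e.g. "Forged"
    real_md5: str
    fake_md5: str
    threat: Optional[str] = None   # e.g. Rootkit.Win32.TDSS.tdl3
    driver: Optional[str] = None   # service name the threat was attached to
    action: Optional[str] = None   # what the user chose, e.g. Cure
    cure_scheduled: bool = False   # "will be cured after reboot" was logged


@dataclass
class ScanSummary:
    drivers: Dict[str, DriverRecord] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)
    detected_count: Optional[int] = None


def parse_tdsskiller_log(text: str) -> ScanSummary:
    """Walk the log once; follow-up lines attach to the most recent detection."""
    summary = ScanSummary()
    current: Optional[Detection] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if m := FORGED_RE.match(line):
            current = Detection(m["path"], m["kind"], m["real"], m["fake"])
            summary.detections.append(current)
        elif (m := CURE_RE.match(line)) and current and m["path"].lower() == current.path.lower():
            current.cure_scheduled = True
        elif (m := VERDICT_RE.match(line)) and current:
            current.threat, current.driver, current.action = m["threat"], m["name"], m["action"]
        elif m := COUNT_RE.match(line):
            summary.detected_count = int(m["n"])
        elif m := DRIVER_RE.match(line):
            summary.drivers[m["name"].lower()] = DriverRecord(m["name"], m["md5"], m["path"])
    return summary


def forged_drivers(summary: ScanSummary) -> List[str]:
    """Paths TDSSKiller flagged as forged whose two hashes really do differ."""
    return [d.path for d in summary.detections
            if d.kind == "Forged" and d.real_md5 != d.fake_md5]


def is_clean(summary: ScanSummary) -> bool:
    """Clean only if the scanner reported zero objects and nothing was parsed as a detection."""
    return summary.detected_count == 0 and not summary.detections


def report(summary: ScanSummary) -> List[str]:
    lines = [f"drivers enumerated: {len(summary.drivers)}",
             f"detected objects: {summary.detected_count}"]
    for d in summary.detections:
        lines.append(f"{d.kind}: {d.path}  threat={d.threat} driver={d.driver} "
                     f"action={d.action} cure_after_reboot={d.cure_scheduled}")
        lines.append(f"    real md5 {d.real_md5}  fake md5 {d.fake_md5}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_tdsskiller_log(SAMPLE_LOG))))
```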


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:30 PM

Posted 03 October 2010 - 07:38 PM

Please run Combofix next

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 wacnstac

wacnstac
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:30 PM

Posted 03 October 2010 - 09:40 PM

CODE
ComboFix 10-10-03.01 - Gina 10/03/2010  22:13:28.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.703.435 [GMT -4:00]
Running from: c:\documents and settings\Gina\Desktop\comfix.exe
AV: ESET Smart Security 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2010-09-04 to 2010-10-04  )))))))))))))))))))))))))))))))
.

2010-09-28 00:36 . 2010-09-28 00:36    388096    ----a-r-    c:\documents and settings\Gina\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-28 00:36 . 2010-09-28 00:36    --------    d-----w-    c:\program files\Trend Micro
2010-09-27 00:12 . 2010-09-28 00:50    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-26 23:47 . 2010-09-26 23:47    --------    d-----w-    c:\documents and settings\All Users\Application Data\PC Tools
2010-09-26 21:13 . 2010-09-26 21:13    --------    d-----w-    c:\program files\ESET
2010-09-26 21:13 . 2010-09-26 21:13    --------    d-----w-    c:\documents and settings\All Users\Application Data\ESET
2010-09-25 20:58 . 2010-09-25 20:59    44089904    ----a-w-    c:\temp\avira_antivir_personal_en(2).exe
2010-09-25 19:38 . 2010-09-25 19:38    --------    d-----w-    c:\documents and settings\Gina\Local Settings\Application Data\ESET
2010-09-25 19:38 . 2010-09-25 19:38    --------    d-----w-    c:\documents and settings\Gina\Application Data\ESET
2010-09-25 19:38 . 2010-09-25 19:38    --------    d-----w-    c:\documents and settings\LocalService\Local Settings\Application Data\ESET

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-04 00:19 . 2001-08-23 15:00    138496    ----a-w-    c:\windows\system32\drivers\afd.sys
2010-10-01 20:01 . 2008-08-18 12:51    --------    d-----w-    c:\documents and settings\All Users\Application Data\Google Updater
2010-09-26 18:56 . 2007-10-06 00:46    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2010-09-25 16:03 . 2005-12-25 14:16    --------    d-----w-    c:\program files\Common Files\InstallShield
2010-09-25 16:02 . 2005-12-25 14:18    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-08-09 15:15 . 2007-05-16 11:47    22688257    ----a-w-    c:\windows\Internet Logs\tvDebug.zip
2010-08-04 15:50 . 2010-08-04 15:50    140752    ----a-w-    c:\windows\system32\drivers\eamon.sys
2010-08-03 17:28 . 2010-08-03 17:28    55256    ----a-w-    c:\windows\system32\drivers\epfwtdi.sys
2010-07-29 17:31 . 2010-07-29 17:31    32608    ----a-w-    c:\windows\system32\drivers\epfwndis.sys
2010-07-29 17:31 . 2010-07-29 17:31    134512    ----a-w-    c:\windows\system32\drivers\epfw.sys
2010-07-29 17:31 . 2010-07-29 17:31    115008    ----a-w-    c:\windows\system32\drivers\ehdrv.sys
2005-12-20 17:03 . 2005-12-20 17:03    45056    ----a-w-    c:\program files\mozilla firefox\plugins\UPD62INT.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Gina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-01 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2001-09-27 245760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 2215064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50    155648    ----a-w-    c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 20:07    49263    ----a-w-    c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
2005-09-30 20:38    1212505    ----a-w-    c:\program files\tunebite\tunebite.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]
R2 AtiBt829;ATI WDM Bt829 Video;c:\windows\system32\drivers\atinbtxx.sys [8/4/2004 1:29 AM 60464]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [8/12/2010 2:16 PM 810144]
S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);c:\windows\system32\drivers\ativxbar.sys [12/19/2005 7:43 PM 26624]
S3 musbehco;musbehco;\??\c:\docume~1\Gina\LOCALS~1\Temp\musbehco.sys --> c:\docume~1\Gina\LOCALS~1\Temp\musbehco.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder

2010-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-10-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-23 13:45]

2010-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-920026266-839522115-1003Core.job
- c:\documents and settings\Gina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-01 23:51]

2010-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-920026266-839522115-1003UA.job
- c:\documents and settings\Gina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-01 23:51]

2010-09-01 c:\windows\Tasks\regular backup.job
- c:\windows\system32\ntbackup.exe [2001-08-23 07:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.michigan-sportsman.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Gina\Application Data\Mozilla\Firefox\Profiles\bmwz5u70.default\
FF - prefs.js: browser.startup.homepage - www.michigan-sportsman.com
FF - plugin: c:\documents and settings\Gina\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-sdsetup_aff - c:\documents and settings\Gina\Desktop\sdsetup_aff.exe
HKLM-Run-NWEReboot - (no file)
HKU-Default-Run-Photo TurboBackup - c:\program files\FileStream\Photo TurboBackup\pbksche.exe
SafeBoot-klmdb.sys
MSConfigStartUp-Photo TurboBackup - c:\program files\FileStream\Photo TurboBackup\pbksche.exe
AddRemove-AOL Toolbar 5.0 - c:\program files\AOL\AOL Toolbar 5.0\uninstall.exe


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(268)
c:\windows\system32\msi.dll
.
Completion time: 2010-10-03  22:35:40
ComboFix-quarantined-files.txt  2010-10-04 02:35

Pre-Run: 20,743,118,848 bytes free
Post-Run: 21,424,189,440 bytes free

- - End Of File - - 8754E8B716C7FFF9D4B9C5303CE3CFFA


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:30 PM

Posted 04 October 2010 - 03:33 PM

Please rerun Combofix to remove the bad driver, as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
File::
c:\docume~1\Gina\LOCALS~1\Temp\musbehco.sys

Driver::
musbehco


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests that you update Combofix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#9 wacnstac

wacnstac
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:30 PM

Posted 04 October 2010 - 06:20 PM

ComboFix.txt is attached.




#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:30 PM

Posted 04 October 2010 - 07:35 PM

Okay, that's better.


Please run MBAM next

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then the ESET online scanner
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Finally, let me know how the redirect issue is?
m0le is a proud member of UNITE

#11 wacnstac

wacnstac
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:30 PM

Posted 05 October 2010 - 05:01 PM

Results of MBAM

CODE
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4744

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

10/4/2010 11:25:42 PM
mbam-log-2010-10-04 (23-25-42).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 188056
Time elapsed: 1 hour(s), 20 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET was already installed and updated on this computer. It would not let me copy the whole log. Here is the only thing that it found:
CODE
C:\System Volume Information\_restore{BAF8EC64-9664-40C0-9FE8-5FBEA2898BD4}\RP1661\A0111076.exe - probably a variant of Win32/Agent.HZHBURL trojan - cleaned by deleting - quarantined [1]


#12 wacnstac

wacnstac
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:30 PM

Posted 05 October 2010 - 05:09 PM

Oh, and knock on wood... the hijack problem does seem to be solved.

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:30 PM

Posted 05 October 2010 - 07:25 PM

Yep, it should be. The reason?...

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically; make sure that updates for any programs that are flagged are carried out as soon as possible.

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it, happy surfing!

Cheers.

m0le


m0le is a proud member of UNITE

#14 wacnstac

wacnstac
  • Topic Starter

  • Members
  • 9 posts

Posted 05 October 2010 - 08:00 PM

Thank you very, very much.

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 October 2010 - 07:56 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



