hijack this log


This topic is locked
10 replies to this topic

#1 bevinh
  • Members
  • 5 posts

Posted 01 October 2010 - 02:03 PM

Here is my log. I've run Malwarebytes Anti-Malware (no longer picking up anything, even in a full scan); Spybot Search and Destroy (destroys avsuite, but it keeps returning); Advanced SystemCare; AV rootkit. I have both the Google redirect problem and a new one: Internet Explorer opens up new spam windows based upon searches I've done earlier in the day. Thanks in advance for any help.

Logfile of Advanced SystemCare 3 Security Analyzer
Scan saved at 1:38:34 PM, on 10/1/2010
Platform: Windows XP (WinNT 5.1)
MSIE: Internet Explorer v7.0 (7.0.5730.13)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\NLSSRV32.EXE
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Arcade\PCMService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\program files\dell printers\Additional Color Laser Software\Updater\DLUPDR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\sistray.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AcroIEHelperStub - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: SkypeIEPluginBHO - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSetup] E:\Setup\Setup.exe /start /restart /l:enu
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [DLUPDR] "c:\program files\dell printers\Additional Color Laser Software\Updater\DLUPDR.EXE"
O4 - HKLM\..\Run: [DLQLU] "c:\program files\dell printers\Additional Color Laser Software\Launcher\DLQLU.EXE" /S
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} -
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} -
O9 - Extra button: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {07ECB42B-322A-40B9-A8A9-3815AF3C4F60} (ComPort Class) - http://216.150.21.252/Main/acomport.dll
O16 - DPF: {0D221D00-A6ED-477C-8A91-41F3B660A832} (RSClientPrint 2005 Class) - https://apps.waddell.com/SalesReporting/Res...OpType=PrintCab
O16 - DPF: {12928086-DCCF-4AEF-BB51-D783699A040C} (Siebel High Interactivity Framework) - https://core.waddell.com/fins/19251/applets...x_HI_Client.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} (RSClientPrint 2005 Class) - https://apps.waddell.com/eSourceNet/Reserve...OpType=PrintCab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_13) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - https://core.waddell.com/fins/19251/applets...Integration.cab
O16 - DPF: {8F623BE4-2C55-4095-B1E0-A41B631A49BD} (Siebel High Interactivity Framework) - https://core.waddell.com/fins/19241/applets...x_HI_Client.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {C5D7ABBB-9764-44AA-A63B-AB4BEE6EEDC7} (Siebel Calendar) - https://core.waddell.com/fins/19251/applets...Ax_Calendar.cab
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - crypserv.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe


#2 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 October 2010 - 05:14 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 bevinh
  • Topic Starter
  • Members
  • 5 posts

Posted 08 October 2010 - 09:32 AM

Hi, thanks for the reply. I'm ready to fix this!
Bevin

#4 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 October 2010 - 07:02 PM

Let's first look for possible causes for the symptoms

Run TDSSKiller
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Now please run MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#5 bevinh
  • Topic Starter
  • Members
  • 5 posts

Posted 09 October 2010 - 03:18 PM

Thanks. Here are the two logs:

1)
2010/10/09 08:11:34.0656 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/09 08:11:34.0656 ================================================================================
2010/10/09 08:11:34.0656 SystemInfo:
2010/10/09 08:11:34.0656
2010/10/09 08:11:34.0656 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/09 08:11:34.0656 Product type: Workstation
2010/10/09 08:11:34.0656 ComputerName: BEVIN_LAPTOP
2010/10/09 08:11:34.0656 UserName: Bevin
2010/10/09 08:11:34.0656 Windows directory: C:\WINDOWS
2010/10/09 08:11:34.0656 System windows directory: C:\WINDOWS
2010/10/09 08:11:34.0656 Processor architecture: Intel x86
2010/10/09 08:11:34.0656 Number of processors: 1
2010/10/09 08:11:34.0656 Page size: 0x1000
2010/10/09 08:11:34.0656 Boot type: Normal boot
2010/10/09 08:11:34.0656 ================================================================================
2010/10/09 08:11:34.0781 Initialize success
2010/10/09 08:11:37.0218 ================================================================================
2010/10/09 08:11:37.0218 Scan started
2010/10/09 08:11:37.0218 Mode: Manual;
2010/10/09 08:11:37.0218 ================================================================================
2010/10/09 08:11:53.0078 Imapi (a63b39a5267fd8e5c867cc00b665b3af) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/09 08:11:53.0078 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\imapi.sys. Real md5: a63b39a5267fd8e5c867cc00b665b3af, Fake md5: 083a052659f5310dd8b6a6cb05edcf8e
2010/10/09 08:11:53.0109 Imapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/10/09 08:12:26.0078 ================================================================================
2010/10/09 08:12:26.0078 Scan finished
2010/10/09 08:12:26.0078 ================================================================================
2010/10/09 08:12:26.0125 Detected object count: 1
2010/10/09 08:12:34.0093 Imapi (a63b39a5267fd8e5c867cc00b665b3af) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/09 08:12:34.0093 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\imapi.sys. Real md5: a63b39a5267fd8e5c867cc00b665b3af, Fake md5: 083a052659f5310dd8b6a6cb05edcf8e
2010/10/09 08:12:38.0218 Backup copy found, using it..
2010/10/09 08:12:38.0359 C:\WINDOWS\system32\DRIVERS\imapi.sys - will be cured after reboot
2010/10/09 08:12:38.0359 Rootkit.Win32.TDSS.tdl3(Imapi) - User select action: Cure
2010/10/09 08:12:41.0328 Deinitialize success


2)
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 119):
0xF6ECC000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF77CE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF77DE000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7956000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6EBB000 \SystemRoot\system32\DRIVERS\psched.sys
0xF77EE000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF795E000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7966000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6E8B000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF77FE000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7B94000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6E2D000 \SystemRoot\system32\DRIVERS\update.sys
0xF7B52000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF780E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF785E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B98000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7B9A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7CD4000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B9C000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7CD5000 \SystemRoot\System32\DRIVERS\AvgArCln.sys
0xF79AE000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF79B6000 \SystemRoot\System32\drivers\vga.sys
0xF7B9E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7BA0000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF79BE000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF79C6000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF73CD000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB5605000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB55AC000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB5584000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB5562000 \SystemRoot\System32\drivers\afd.sys
0xF786E000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF73C9000 \SystemRoot\system32\DRIVERS\srvkp.sys
0xB5537000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB550F000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
0xF787E000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys
0xF79CE000 \SystemRoot\system32\ckldrv.sys
0xB54E9000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB5479000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF788E000 \SystemRoot\System32\Drivers\Fips.SYS
0xF789E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF78BE000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6E25000 \SystemRoot\System32\drivers\Dxapi.sys
0xF79D6000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7D0D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\SiSGRV.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB5329000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB4FF4000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB4E5D000 \SystemRoot\system32\DRIVERS\srv.sys
0xF79E6000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xB4AA2000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xF7A16000 \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys
0xB49C5000 \SystemRoot\system32\drivers\wdmaud.sys
0xB4DBD000 \SystemRoot\system32\drivers\sysaudio.sys
0xB443B000 \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
0xB4410000
0x7C900000 \WINDOWS\System32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
612 C:\WINDOWS\system32\SMSS.EXE
676 C:\WINDOWS\system32\CSRSS.EXE
700 C:\WINDOWS\system32\WINLOGON.EXE
744 C:\WINDOWS\system32\SERVICES.EXE
756 C:\WINDOWS\system32\LSASS.EXE
904 C:\WINDOWS\system32\SVCHOST.EXE
948 C:\WINDOWS\system32\SVCHOST.EXE
1076 C:\WINDOWS\system32\SVCHOST.EXE
1132 C:\WINDOWS\system32\SVCHOST.EXE
1248 C:\WINDOWS\system32\SVCHOST.EXE
1492 C:\WINDOWS\system32\SPOOLSV.EXE
1960 C:\WINDOWS\system32\SVCHOST.EXE
1992 C:\WINDOWS\system32\ASTSRV.EXE
2012 C:\Program Files\Bonjour\mDNSResponder.exe
2032 C:\WINDOWS\system32\Crypserv.exe
176 C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
308 C:\WINDOWS\system32\NLSSRV32.EXE
416 C:\Program Files\Common Files\supportsoft\BIN\sprtlisten.exe
512 C:\WINDOWS\system32\SVCHOST.EXE
384 C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
1748 C:\WINDOWS\system32\ALG.EXE
1608 C:\Program Files\Trusteer\Rapport\BIN\RapportMgmtService.exe
296 C:\WINDOWS\system32\wscntfy.exe
2044 C:\WINDOWS\EXPLORER.EXE
1220 C:\Program Files\Trusteer\Rapport\BIN\RapportService.exe
2024 C:\WINDOWS\system32\WBEM\wmiprvse.exe
2436 C:\Program Files\Internet Explorer\IEXPLORE.EXE
2656 C:\WINDOWS\system32\WUAUCLT.EXE
2712 C:\WINDOWS\system32\ctfmon.exe
2752 C:\WINDOWS\AGRSMMSG.exe
2760 C:\WINDOWS\system32\Rundll32.exe
2772 C:\WINDOWS\system32\Keyhook.exe
2872 C:\Program Files\Arcade\PCMService.exe
2876 C:\Acer\Empowering Technology\eRecovery\Monitor.exe
2896 C:\WINDOWS\SOUNDMAN.EXE
3000 C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
3096 C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE
3216 C:\Program Files\IObit\Advanced SystemCare 3\AWC.EXE
3336 C:\WINDOWS\system32\sistray.exe
472 C:\Documents and Settings\Bevin\Local Settings\Temporary Internet Files\Content.IE5\ZSY2EITG\MBRCheck[1].exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`bb47fc00 (FAT32)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000009`9f174000 (FAT32)

PhysicalDrive0 Model Number: HTS421280H9AT00, Rev: HA3OA70S

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 6A37CCD118436B688B51F6BD4C2B47A895EBDF7F


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:59 PM

Posted 09 October 2010 - 04:10 PM

Please run Combofix, this is a powerful program so please read the instructions carefully

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 bevinh

bevinh
  • Topic Starter

  • Members
  • 5 posts
  • Local time:10:59 AM

Posted 09 October 2010 - 08:08 PM

ComboFix 10-10-09.03 - Bevin 10/09/2010 19:54:31.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.160 [GMT -5:00]
Running from: c:\documents and settings\Bevin\Desktop\comfix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bevin\g2mdlhlpx.exe
c:\documents and settings\Bevin\GoToAssistDownloadHelper.exe
c:\program files\Shared
c:\windows\system\oeminfo.ini
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\BSTIeprintctl1.dll
c:\windows\Uninstall.ini

.
((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2010-10-09 13:19 . 2010-10-09 13:19 -------- d-----w- c:\documents and settings\Default User\Application Data\Trusteer
2010-10-06 15:16 . 2010-10-06 15:16 -------- d-----w- c:\documents and settings\Bevin\Local Settings\Application Data\EISI
2010-10-06 15:16 . 2010-10-06 15:16 -------- d-----w- c:\documents and settings\Bevin\Application Data\EISI
2010-10-06 14:59 . 2010-05-12 20:12 4210688 ----a-w- c:\windows\system32\cdintf400.dll
2010-10-05 18:39 . 2010-10-05 18:39 -------- d-----w- C:\FOUND.000
2010-09-20 18:49 . 2009-05-21 15:00 139365 ----a-w- c:\windows\system32\dlpscbsL.DLL
2010-09-20 18:47 . 2009-05-22 05:00 139367 ------w- c:\windows\system32\dlxbszil.dll
2010-09-20 17:07 . 2010-09-20 17:07 -------- d-----w- c:\program files\Moleskinsoft Clone Remover 3.8
2010-09-20 16:05 . 2005-04-04 04:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2010-09-20 16:05 . 2005-04-04 04:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2010-09-20 16:05 . 2005-04-04 04:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2010-09-20 16:05 . 2005-04-04 03:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2010-09-20 16:05 . 2005-04-04 04:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2010-09-20 16:05 . 2010-09-20 16:05 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2010-09-20 16:05 . 2010-09-20 16:05 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2010-09-14 16:38 . 2010-09-14 16:38 -------- d-----w- c:\program files\IObit
2010-09-14 16:38 . 2010-09-14 16:38 -------- d-----w- c:\documents and settings\Bevin\Application Data\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 05:50 . 2010-01-30 05:50 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-01-30 05:50 . 2010-01-30 05:50 185216 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-01-30 05:50 . 2010-01-30 05:50 99200 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-08-10 2349776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
"SiSPower"="SiSPower.dll" [2005-02-26 49152]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-10-12 315392]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"DLPSP"="c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2009-07-16 406840]
"DLUPDR"="c:\program files\dell printers\Additional Color Laser Software\Updater\DLUPDR.EXE" [2009-07-16 243008]
"DLQLU"="c:\program files\dell printers\Additional Color Laser Software\Launcher\DLQLU.EXE" [2009-10-16 816368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-1-4 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLPSP]
2009-07-16 23:20 406840 ----a-w- c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\System Evaluation Tool\\SysEval6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqpsapp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Bevin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Bevin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [9/8/2006 2:50 PM 226616]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [12/16/2009 10:11 AM 65856]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R4 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [10/3/2010 11:54 PM 34792]
R4 RapportPG;RapportPG;\??\c:\program files\Trusteer\Rapport\bin\RapportPG.sys --> c:\program files\Trusteer\Rapport\bin\RapportPG.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2008 10:50 AM 18560]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 12:00 PM 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - INT15.SYS
*NewlyCreated* - KLMDB
*NewlyCreated* - RAPPORTCERBERUS_19917
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = https://esuite.waddell.com/
uInternet Settings,ProxyOverride = <local>
DPF: {07ECB42B-322A-40B9-A8A9-3815AF3C4F60} - hxxp://216.150.21.252/Main/acomport.dll
DPF: {0D221D00-A6ED-477C-8A91-41F3B660A832} - hxxps://apps.waddell.com/SalesReporting/Reserved.ReportViewerWebControl.axd?ReportSession=pjhc4g45nbnby2jaj3jhcs2k&ControlID=be9ac54c05e34ef9a08a43d51ef5163c&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab
DPF: {12928086-DCCF-4AEF-BB51-D783699A040C} - hxxps://core.waddell.com/fins/19251/applets/SiebelAx_HI_Client.cab
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxps://apps.waddell.com/eSourceNet/Reserved.ReportViewerWebControl.axd?ReportSession=jdqbnn55nciewdnbvx4ppb55&ControlID=79427e09abe345bf8175bf5149dec00a&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab
DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} - hxxps://core.waddell.com/fins/19251/applets/SiebelAx_Desktop_Integration.cab
DPF: {8F623BE4-2C55-4095-B1E0-A41B631A49BD} - hxxps://core.waddell.com/fins/19241/applets/SiebelAx_HI_Client.cab
DPF: {C5D7ABBB-9764-44AA-A63B-AB4BEE6EEDC7} - hxxps://core.waddell.com/fins/19251/applets/SiebelAx_Calendar.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-LogitechSetup - e:\setup\Setup.exe
SafeBoot-klmdb.sys
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Bevin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3258303756-2578115595-4164636359-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-10-09 20:06:47
ComboFix-quarantined-files.txt 2010-10-10 01:06

Pre-Run: 2,344,976,384 bytes free
Post-Run: 3,393,650,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 79A56792E0015B74AFC947F51B92A3BE


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:59 PM

Posted 09 October 2010 - 08:34 PM

Let's continue the clean up


Run ESET
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Please tell me which browser(s) you are using and how the redirections are at the moment.
m0le is a proud member of UNITE

#9 bevinh

bevinh
  • Topic Starter

  • Members
  • 5 posts
  • Local time:10:59 AM

Posted 11 October 2010 - 09:41 AM

Thanks again for all your help. The log is posted below. I am using Windows IE 7.0.5730.13
The redirects and popups seem to have been eliminated. Wow.

C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\12\4f76de0c-6142bc28 multiple threats deleted - quarantined
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1011\A0201381.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:59 PM

Posted 11 October 2010 - 01:34 PM

Job's a good 'un

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the Run box and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the icon to start the program. If you are using Vista, please right-click and choose run as administrator.
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically; make sure that updates for any programs that are flagged are carried out as soon as possible.

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it bevinh, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:59 PM

Posted 16 October 2010 - 05:09 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
