
I gots some bots


This topic is locked
2 replies to this topic

#1 thefuzzyhulk


Posted 09 December 2010 - 09:10 AM

Well, about a week ago I received a message from Qwest that my computer has been attacking via a zombie bot. No other info, just that I would be cut off if I couldn't fix it. Norton, ComboFix, Malwarebytes, Spybot... all clean as ever. I'm at the point where I'm thinking of doing a fresh install of XP, but I have 5+ terabytes of data on WD external hard drives that I can't lose, and I am afraid that as soon as I clean install and plug them back in I will be back in the same spot.

Here is the email they sent to help:

"Please advise your customer that our Security department has detected bot traffic from their computer. A bot is part of a botnet, which is a group of computers running a computer application controlled and manipulated only by the owner or the software source. Bots can be party to a DoS or DDoS attack, a spam attack, traffic monitoring, phishing sites, keylogging and Mass Identity Theft, etc.
Most bots are usually installed by a virus, worm or spyware. Please instruct your customer that they will need to scan all their computers and secure their wireless connections. Advise the customer if they do not find anything, then they will need to use another application to scan their computers. If the bot is not removed, they will be shut off again within a week."

Super helpful, right?

I went through the prep guide; here are the DDS and GMER logs.
Interestingly, when I got to the firewall, which I assumed was still on, I get the messages "Windows cannot start the firewall" and "cannot start ICS service". Whoops, that is new, and it's weird because in my network connections it says they are firewalled, except "Local Area Connection on Actiontec PK5000". If I right-click Properties on it I get "an unexpected error has occurred".

Thank you in advance for any help. I will check back to see if there are any more needed tests or whatever.


DDS (Ver_10-12-05.01) - NTFSx86
Run by Administrator at 22:12:51.76 on Wed 12/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.885 [GMT -8:00]

AV: Norton AntiVirus Online *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrator\Desktop\WPAO_en_v1.3_1033.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\java.exe
C:\Documents and Settings\All Users\Application Data\SRI\BotHunter\Snort_BH\bin\snort.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Administrator\Desktop\windows-kb890830-v3.13.exe
m:\356dc690cbc0836eaa188a628cfe\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.1.0.37\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [Profiler] c:\program files\saitek\software\ProfilerU.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\shortc~1.lnk - c:\program files\utorrent\uTorrent.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290519417781
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1290519379312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0n4q68i8.default\
FF - prefs.js: browser.startup.homepage - chrome://foxtab/content/homepage.html
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\IPSFFPlgn
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0n4q68i8.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0n4q68i8.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0n4q68i8.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Extension: Download Manager Tweak: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0n4q68i8.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
FF - Extension: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0n4q68i8.default\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0n4q68i8.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Extension: Flash Video Downloader - Youtube Downloader: artur.dubovoy@gmail.com - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0n4q68i8.default\extensions\artur.dubovoy@gmail.com

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-22 28552]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1201000.025\SymDS.sys [2010-12-1 339504]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1201000.025\SymEFA.sys [2010-12-1 666672]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-22 691248]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2010-4-4 33824]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1201000.025\Ironx86.sys [2010-12-1 134704]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.1.0.37\ccSvcHst.exe [2010-12-1 126904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-12-1 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20101208.001\IDSXpx86.sys [2010-12-7 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20101208.036\NAVENG.SYS [2010-12-8 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20101208.036\NAVEX15.SYS [2010-12-8 1360248]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
R3 SaiH0004;SaiH0004;c:\windows\system32\drivers\SaiH0004.sys [2009-6-6 182528]
R3 SaiL0004;SaiL0004;c:\windows\system32\drivers\SaiL0004.sys [2009-6-6 15104]
R3 SaiU0004;SaiU0004;c:\windows\system32\drivers\SaiU0004.sys [2009-6-6 27392]
S2 CX88XBAR;Conexant MT-002 Crossbar;c:\windows\system32\drivers\cx88xbar.sys [2010-4-5 9600]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-6-23 14424]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-12-8 206608]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-12-8 206608]
S4 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
S4 NovacomD;Palm Novacom;c:\program files\palm, inc\novacom\x86\novacomd.exe [2010-1-12 33792]
S4 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]

=============== Created Last 30 ================

2010-12-09 05:07:03 -------- d-----w- c:\documents and settings\administrator\.bh_gui
2010-12-09 05:06:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\SRI
2010-12-09 05:04:41 -------- d-----w- c:\program files\WinPcap
2010-12-09 05:02:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-12-09 04:58:25 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-12-09 04:13:13 -------- d-----w- c:\program files\Safer Networking
2010-12-05 21:40:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2010-12-05 17:45:30 -------- d-----w- c:\windows\Bejeweled 3
2010-12-05 17:45:30 -------- d-----w- c:\program files\Bejeweled 3
2010-12-04 06:01:37 839680 ----a-w- c:\windows\Seahorse.scr
2010-12-04 06:01:37 28672 ----a-w- c:\windows\SNVerifyDLL.dll
2010-12-04 06:01:37 282624 ----a-w- c:\windows\system32\Seahorse.ocx
2010-12-04 06:01:36 -------- d-----w- c:\program files\Formosoft
2010-12-02 00:30:01 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-12-02 00:30:01 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-12-02 00:30:01 -------- d-----w- c:\program files\Symantec
2010-12-02 00:30:01 -------- d-----w- c:\program files\common files\Symantec Shared
2010-12-01 03:19:20 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\WMA-MP3.com
2010-12-01 03:18:50 -------- d-----w- c:\program files\WMA-MP3.com
2010-11-29 12:09:35 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-11-28 02:46:50 -------- d-----w- c:\program files\Alien Skin
2010-11-25 02:45:51 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2010-11-25 01:58:10 -------- d-----w- c:\windows\ie8updates
2010-11-25 01:57:54 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-11-25 01:57:54 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-11-25 01:57:54 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-11-25 01:57:54 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-11-25 01:57:54 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-11-25 01:57:54 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-11-25 01:57:54 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-11-25 01:57:21 -------- dc-h--w- c:\windows\ie8
2010-11-23 16:23:59 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-11-23 15:32:59 -------- d-----w- c:\program files\MSXML 4.0
2010-11-23 15:30:17 297984 -c----w- c:\windows\system32\dllcache\msctf.dll
2010-11-23 15:16:13 -------- d-----w- c:\windows\ServicePackFiles
2010-11-23 15:13:21 -------- d-----w- c:\program files\MSXML 6.0
2010-11-23 14:55:45 65536 -c----w- c:\windows\system32\dllcache\asycfilt.dll
2010-11-23 14:55:03 285696 -c----w- c:\windows\system32\dllcache\atmfd.dll
2010-11-23 14:54:52 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-11-23 14:54:52 1315840 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-11-23 14:51:55 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2010-11-23 14:51:16 85504 -c----w- c:\windows\system32\dllcache\cabview.dll
2010-11-23 14:50:56 457216 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-11-23 14:50:49 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-11-23 14:50:32 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe
2010-11-23 14:50:23 352640 -c----w- c:\windows\system32\dllcache\srv.sys
2010-11-23 14:50:18 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2010-11-23 14:50:18 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2010-11-23 14:50:18 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2010-11-23 14:50:18 28672 -c----w- c:\windows\system32\dllcache\msvidc32.dll
2010-11-23 14:50:18 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2010-11-23 14:50:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2010-11-23 14:50:11 1291776 -c----w- c:\windows\system32\dllcache\quartz.dll
2010-11-23 14:50:02 33280 -c----w- c:\windows\system32\dllcache\csrsrv.dll
2010-11-23 14:49:56 474112 -c----w- c:\windows\system32\dllcache\shlwapi.dll
2010-11-23 14:49:48 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-11-23 14:49:48 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-11-23 14:48:21 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-11-23 14:48:12 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2010-11-23 14:48:03 69632 -c----w- c:\windows\system32\dllcache\raschap.dll
2010-11-23 14:48:03 112128 -c----w- c:\windows\system32\dllcache\rastls.dll
2010-11-23 14:46:40 92544 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2010-11-23 14:46:40 59392 -c----w- c:\windows\system32\dllcache\wdigest.dll
2010-11-23 14:46:40 408064 -c----w- c:\windows\system32\dllcache\netlogon.dll
2010-11-23 14:46:40 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2010-11-23 14:46:39 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2010-11-23 14:45:26 247326 -c----w- c:\windows\system32\dllcache\strmdll.dll
2010-11-23 14:45:19 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2010-11-23 14:44:28 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-11-23 14:42:36 134144 -c----w- c:\windows\system32\dllcache\wkssvc.dll
2010-11-23 14:42:30 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2010-11-23 14:42:23 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
2010-11-23 14:42:23 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
2010-11-23 14:42:17 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2010-11-23 14:42:12 290816 -c----w- c:\windows\system32\dllcache\rhttpaa.dll
2010-11-23 14:42:11 677888 -c----w- c:\windows\system32\dllcache\mstsc.exe
2010-11-23 14:42:11 53248 -c----w- c:\windows\system32\dllcache\tsgqec.dll
2010-11-23 14:42:11 2067968 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-11-23 14:42:11 136192 -c----w- c:\windows\system32\dllcache\aaclient.dll
2010-11-23 14:39:55 956928 -c----w- c:\windows\system32\dllcache\msdtctm.dll
2010-11-23 14:38:57 8460800 -c----w- c:\windows\system32\dllcache\shell32.dll
2010-11-23 14:38:30 168448 -c----w- c:\windows\system32\dllcache\schannel.dll
2010-11-23 14:38:14 284160 -c----w- c:\windows\system32\dllcache\gdi32.dll
2010-11-23 14:37:58 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-11-23 14:37:50 339456 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-11-23 14:33:51 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-11-23 14:33:46 253952 -c----w- c:\windows\system32\dllcache\es.dll
2010-11-23 14:33:39 74240 -c----w- c:\windows\system32\dllcache\mscms.dll
2010-11-23 14:33:28 726528 -c--a-w- c:\windows\system32\dllcache\jscript.dll
2010-11-23 14:33:28 420352 -c--a-w- c:\windows\system32\dllcache\vbscript.dll
2010-11-23 14:33:20 245248 -c----w- c:\windows\system32\dllcache\mswsock.dll
2010-11-23 14:33:20 226880 -c----w- c:\windows\system32\dllcache\tcpip6.sys
2010-11-23 14:33:20 138368 -c----w- c:\windows\system32\dllcache\afd.sys
2010-11-23 14:33:20 100864 -c----w- c:\windows\system32\dllcache\6to4svc.dll
2010-11-23 14:33:19 147968 -c----w- c:\windows\system32\dllcache\dnsapi.dll
2010-11-23 14:32:31 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-11-23 14:32:31 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-11-23 14:32:26 203008 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-11-23 13:37:43 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-23 13:37:43 -------- d-----w- c:\windows\system32\SoftwareDistribution
2010-11-23 04:20:51 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-23 04:20:47 -------- d-----w- c:\program files\Panda Security
2010-11-21 04:06:13 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Electronic Arts
2010-11-21 03:00:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Electronic Arts
2010-11-21 03:00:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\EA Core
2010-11-21 00:57:42 -------- d-----w- c:\program files\EA Play
2010-11-18 03:16:49 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Activision

==================== Find3M ====================

2010-11-08 09:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-09-22 17:45:11 253952 ----a-w- c:\windows\system32\_Valve001.dll
2010-09-17 19:30:09 9728 ----a-w- c:\windows\system32\rnaph.dll

============= FINISH: 22:13:48.43 ===============



GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-09 05:51:49
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\0000007b HDT722525DLA380 rev.V44OA99A
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwgorkob.sys


---- System - GMER 1.0.15 ----

SSDT 8A1D9BF8 ZwAlertResumeThread
SSDT 89C04740 ZwAlertThread
SSDT 8A45F6F8 ZwAllocateVirtualMemory
SSDT 8A434908 ZwAssignProcessToJobObject
SSDT 8A056AE0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB0331720]
SSDT 8A04EB88 ZwCreateMutant
SSDT 8A3883A0 ZwCreateSymbolicLinkObject
SSDT 8A00E050 ZwCreateThread
SSDT 8A434940 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB03319A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB0331F00]
SSDT 8A50AE08 ZwDuplicateObject
SSDT spfx.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spfx.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT 89F7E2B0 ZwFreeVirtualMemory
SSDT 89F85008 ZwImpersonateAnonymousToken
SSDT 8A10E5E8 ZwImpersonateThread
SSDT 89FA0008 ZwLoadDriver
SSDT 8A06DD38 ZwMapViewOfSection
SSDT 89E5E008 ZwOpenEvent
SSDT spfx.sys ZwOpenKey [0xB9EA70C0]
SSDT 89FAA848 ZwOpenProcess
SSDT 8A1DB128 ZwOpenProcessToken
SSDT 89F83E28 ZwOpenSection
SSDT 89E33270 ZwOpenThread
SSDT 8A0C3CA0 ZwProtectVirtualMemory
SSDT spfx.sys ZwQueryKey [0xB9EC610A]
SSDT spfx.sys ZwQueryValueKey [0xB9EC5F8A]
SSDT 89C05780 ZwResumeThread
SSDT 89F9B078 ZwSetContextThread
SSDT 89F9F008 ZwSetInformationProcess
SSDT 8A13E6E0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB0332150]
SSDT 89F83E60 ZwSuspendProcess
SSDT 89FF0E78 ZwSuspendThread
SSDT 89FB02D8 ZwTerminateProcess
SSDT 89FA3008 ZwTerminateThread
SSDT 89F7D1F0 ZwUnmapViewOfSection
SSDT 8A526480 ZwWriteVirtualMemory

INT 0x63 ? 8A55CBF8
INT 0x73 ? 8A55CBF8
INT 0x82 ? 8A5CBBF8
INT 0xA4 ? 8A0A7F00

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D34 805045A0 4 Bytes CALL 02DA568A
? spfx.sys The system cannot find the file specified. !
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB79F2380, 0x2FF527, 0xE8000020]
.text USBPORT.SYS!DllUnload B79D280C 5 Bytes JMP 8A0A74E0
.text a0ds77ff.SYS B78B8386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a0ds77ff.SYS B78B83AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a0ds77ff.SYS B78B83C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a0ds77ff.SYS B78B83C9 1 Byte [30]
.text a0ds77ff.SYS B78B83C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text C:\WINDOWS\system32\drivers\oreans32.sys section is writeable [0xB409D280, 0x7B1C, 0xE8000020]
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xAF6B5F00, 0x24000, 0x48000000]
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[764] Secur32.dll!LsaLogonUser 77FE33F1 5 Bytes JMP 00E22946
.text C:\WINDOWS\eHome\ehRecvr.exe[1160] WS2_32.dll!send 71AB428A 5 Bytes JMP 0074B028
.text C:\WINDOWS\eHome\ehRecvr.exe[1160] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 0074B33D
.text C:\WINDOWS\eHome\ehRecvr.exe[1160] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0074B109
.text C:\WINDOWS\eHome\ehRecvr.exe[1160] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 0074B1DC
.text C:\WINDOWS\eHome\ehRecvr.exe[1160] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0074B48B
.text C:\WINDOWS\eHome\ehSched.exe[1240] WS2_32.dll!send 71AB428A 5 Bytes JMP 0082B028
.text C:\WINDOWS\eHome\ehSched.exe[1240] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 0082B33D
.text C:\WINDOWS\eHome\ehSched.exe[1240] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0082B109
.text C:\WINDOWS\eHome\ehSched.exe[1240] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 0082B1DC
.text C:\WINDOWS\eHome\ehSched.exe[1240] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0082B48B
.text C:\Program[1272] WS2_32.dll!send 71AB428A 5 Bytes JMP 0093B028
.text C:\Program[1272] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 0093B33D
.text C:\Program[1272] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0093B109
.text C:\Program[1272] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 0093B1DC
.text C:\Program[1272] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0093B48B
.text C:\Documents and Settings\Administrator\Desktop\WPAO_en_v1.3_1033.exe[1348] WS2_32.dll!send 71AB428A 5 Bytes JMP 00AFB028
.text C:\Documents and Settings\Administrator\Desktop\WPAO_en_v1.3_1033.exe[1348] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00AFB33D
.text C:\Documents and Settings\Administrator\Desktop\WPAO_en_v1.3_1033.exe[1348] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00AFB109
.text C:\Documents and Settings\Administrator\Desktop\WPAO_en_v1.3_1033.exe[1348] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00AFB1DC
.text C:\Documents and Settings\Administrator\Desktop\WPAO_en_v1.3_1033.exe[1348] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00AFB48B
.text C:\Program Files\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe[1364] ws2_32.dll!send 71AB428A 5 Bytes JMP 0232B028
.text C:\Program Files\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe[1364] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 0232B33D
.text C:\Program Files\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe[1364] ws2_32.dll!recv 71AB615A 5 Bytes JMP 0232B109
.text C:\Program Files\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe[1364] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 0232B1DC
.text C:\Program Files\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe[1364] ws2_32.dll!closesocket 71AB9639 5 Bytes JMP 0232B48B
.text C:\WINDOWS\system32\wdfmgr.exe[1776] WS2_32.dll!send 71AB428A 5 Bytes JMP 0092B028
.text C:\WINDOWS\system32\wdfmgr.exe[1776] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 0092B33D
.text C:\WINDOWS\system32\wdfmgr.exe[1776] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0092B109
.text C:\WINDOWS\system32\wdfmgr.exe[1776] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 0092B1DC
.text C:\WINDOWS\system32\wdfmgr.exe[1776] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0092B48B
.text C:\WINDOWS\Explorer.EXE[1872] USER32.dll!DisplayExitWindowsWarnings 7E459EE1 5 Bytes JMP 01172758
.text C:\WINDOWS\Explorer.EXE[1872] WS2_32.dll!send 71AB428A 5 Bytes JMP 0154B028
.text C:\WINDOWS\Explorer.EXE[1872] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 0154B33D
.text C:\WINDOWS\Explorer.EXE[1872] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0154B109
.text C:\WINDOWS\Explorer.EXE[1872] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 0154B1DC
.text C:\WINDOWS\Explorer.EXE[1872] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0154B48B
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2080] WS2_32.dll!send 71AB428A 5 Bytes JMP 0396B028
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2080] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 0396B33D
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2080] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0396B109
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2080] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 0396B1DC
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2080] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0396B48B
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2080] USER32.dll!TrackPopupMenu 7E46526E 5 Bytes JMP 10405CF5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\system32\dllhost.exe[2428] WS2_32.dll!send 71AB428A 5 Bytes JMP 00C9B028
.text C:\WINDOWS\system32\dllhost.exe[2428] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00C9B33D
.text C:\WINDOWS\system32\dllhost.exe[2428] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00C9B109
.text C:\WINDOWS\system32\dllhost.exe[2428] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00C9B1DC
.text C:\WINDOWS\system32\dllhost.exe[2428] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00C9B48B
.text C:\WINDOWS\System32\alg.exe[2964] WS2_32.dll!send 71AB428A 5 Bytes JMP 008CB028
.text C:\WINDOWS\System32\alg.exe[2964] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 008CB33D
.text C:\WINDOWS\System32\alg.exe[2964] WS2_32.dll!recv 71AB615A 5 Bytes JMP 008CB109
.text C:\WINDOWS\System32\alg.exe[2964] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 008CB1DC
.text C:\WINDOWS\System32\alg.exe[2964] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 008CB48B
.text C:\Program Files\Mozilla Firefox\firefox.exe[3056] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0322003A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A5C91F8
Device \FileSystem\Fastfat \FatCdrom 89EC0500
Device \Driver\usbstor \Device\0000008e 89E66500
Device \Driver\usbstor \Device\0000009b 89E66500
Device \Driver\usbstor \Device\0000008f 89E66500

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbohci \Device\USBPDO-0 8A0A6500
Device \Driver\usbehci \Device\USBPDO-1 8A0BF500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A55D1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A55D1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A55D1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A55D1F8

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5CC1F8
Device \Driver\sptd \Device\2002881040 spfx.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5CC1F8
Device \Driver\Cdrom \Device\CdRom0 8A0981F8
Device \Driver\PCI_PNP9790 \Device\00000059 spfx.sys
Device \Driver\Cdrom \Device\CdRom1 8A0981F8
Device \Driver\atapi \Device\Ide\IdePort0 8A5CB1F8
Device \Driver\atapi \Device\Ide\IdePort1 8A5CB1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e 8A5CB1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-6 8A5CB1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A5CC1F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A5CC1F8
Device \Driver\Ftdisk \Device\HarddiskVolume5 8A5CC1F8
Device \Driver\Ftdisk \Device\HarddiskVolume6 8A5CC1F8
Device \Driver\usbstor \Device\00000090 89E66500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A07E1F8
Device \Driver\usbstor \Device\00000091 89E66500
Device \Driver\usbstor \Device\00000084 89E66500
Device \Driver\usbstor \Device\00000092 89E66500
Device \Driver\NetBT \Device\NetbiosSmb 8A07E1F8
Device \Driver\usbstor \Device\00000093 89E66500
Device \Driver\usbstor \Device\00000086 89E66500
Device \Driver\usbstor \Device\00000094 89E66500
Device \Driver\usbstor \Device\00000088 89E66500

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbstor \Device\00000089 89E66500

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbstor \Device\00000098 89E66500
Device \Driver\usbstor \Device\00000099 89E66500
Device \Driver\usbohci \Device\USBFDO-0 8A0A6500
Device \Driver\nvata \Device\NvAta0 8A55C1F8
Device \Driver\usbehci \Device\USBFDO-1 8A0BF500
Device \Driver\NetBT \Device\NetBT_Tcpip_{95DB08E4-7A69-40AE-AB51-FF956540685C} 8A07E1F8
Device \Driver\nvata \Device\0000007b 8A55C1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89F861F8
Device \Driver\nvata \Device\NvAta1 8A55C1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89F861F8
Device \Driver\Ftdisk \Device\FtControl 8A5CC1F8
Device \Driver\usbstor \Device\0000008a 89E66500
Device \Driver\usbstor \Device\0000008b 89E66500
Device \Driver\usbstor \Device\0000008c 89E66500
Device \Driver\a0ds77ff \Device\Scsi\a0ds77ff1 8A07B1F8
Device \Driver\usbstor \Device\0000008d 89E66500
Device \Driver\usbstor \Device\0000009a 89E66500
Device \FileSystem\Fastfat \Fat 89EC0500

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89E87500
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\Program [1272] 0x00400000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6E 0x95 0xA4 0x2B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x8B 0xD4 0xAF 0xBB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE8 0x1A 0x11 0x68 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x1B 0x13 0xA9 0x62 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6E 0x95 0xA4 0x2B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x8B 0xD4 0xAF 0xBB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE8 0x1A 0x11 0x68 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x1B 0x13 0xA9 0x62 ...

---- EOF - GMER 1.0.15 ----

Edited by thefuzzyhulk, 09 December 2010 - 09:15 AM.


#2 thefuzzyhulk

thefuzzyhulk
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:52 PM

Posted 12 December 2010 - 10:20 PM

Found it, it was boot.mebroot. Here is what I had to do, in case it helps anyone else.

1. Start the computer using Windows Recovery Console:
- Insert the Windows XP CD-ROM into the CD-ROM drive.
- Restart the computer from the CD-ROM drive.
- Press R to start the Recovery Console when the “Welcome to Setup” screen appears.
- Select the installation that you want to access from the Recovery Console.
- Enter the administrator password and press Enter.
- Type the “fixmbr” command and press Enter.
(Follow the onscreen instructions to restore the Master Boot Record.)

2. Exit by typing “Exit” and pressing Enter when done. The computer will now restart automatically.

3. Temporarily Disable System Restore (For WinXP only)
- On the Desktop, Right Click on My Computer
- Select the System Restore Tab
- Check “Turn Off System Restore” to disable it (uncheck it to enable it again).
- Click Apply on the Bottom of the Dialog Box to save the settings.
- A message “This deletes all existing restore points” will appear, click Yes to disable.
- Click OK.
Note: System Restore must be enabled after cleaning process.

4. Update the virus definitions.

5. Reboot the computer in Safe Mode
- During boot-up (just before Windows starts), press F8 repeatedly until the selection menu appears.
- Use the Up/Down arrow keys to select Safe Mode on the selection menu.

6. Run a full system scan and clean/delete all infected file(s)
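
The procedure above repairs the MBR by rewriting its boot code (fixmbr rewrites the first 446 bytes and leaves the partition table alone). The check a practitioner would want before and after that step is to read sector 0 and compare it against a known-clean baseline. The following is an added Python example, not code from the original post or from any tool named in it: the two MBR images are constructed inside the block (the boot-code bytes are stand-ins, not a real loader, and the single NTFS partition entry is made up), the baseline hash is taken from the constructed clean image, and `read_mbr` is the only function that would touch a real disk. It models the bootkit pattern the post describes: boot code replaced, partition table untouched, so the machine still boots and disk tools still see every volume.

```python
"""Offline MBR integrity check: parse a 512-byte Master Boot Record, verify
the 0x55AA signature, list the partition table and compare the boot-code
region against a known-good SHA-256.  Added example, not from the post."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
BOOT_SIG_OFF = 510           # last two bytes must be 0x55 0xAA
BOOT_SIG = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sectors


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (assumption: the boot code is a stand-in, not a
    real loader): one bootable NTFS (0x07) partition, three empty entries."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    ntfs = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                       b"\xFE\xFF\xFF", 63, 2_097_152)
    table = ntfs + b"\x00" * (16 * 3)
    return code + table + BOOT_SIG


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table is left out
    because it legitimately differs from machine to machine."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, known_good_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches baseline."""
    if len(mbr) < MBR_SIZE:
        return ["short read: expected 512 bytes, got %d" % len(mbr)]
    findings = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != known_good_hash:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in parse_partitions(mbr)):
        findings.append("no partition flagged bootable")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw device; needs administrator/root.  Typical
    paths: r"\\.\PhysicalDrive0" on Windows, "/dev/sda" on Linux.  Not
    called below, so the example runs without touching any disk."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


# Baseline taken from a known-clean MBR (here: the constructed sample).
SAMPLE_CLEAN = build_sample_mbr(b"CLEAN-STANDIN-LOADER")
CLEAN_HASH = boot_code_hash(SAMPLE_CLEAN)
# Bootkit-style tampering: boot code replaced, partition table left intact.
SAMPLE_TAMPERED = build_sample_mbr(b"TAMPERED-STANDIN-LOADER")

if __name__ == "__main__":
    for name, image in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        print(name, parse_partitions(image), check_mbr(image, CLEAN_HASH) or "OK")
```

Two caveats when running this against a real machine. First, the baseline hash must come from a state you trust (an image taken right after install, or the sector as written by fixmbr from a clean recovery CD), not from the suspect disk. Second, an active MBR bootkit such as Mebroot hooks the disk driver so that reads of sector 0 from inside the infected Windows return the original clean sector; take the image from a boot CD or another operating system, otherwise the check passes for the wrong reason. The partition table parsed before and after fixmbr should be identical; if it is not, something other than the boot code was changed.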

#3 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  • Gender:Male
  • Location:Around the world
  • Local time:04:52 PM

Posted 16 December 2010 - 08:30 AM

Hi thefuzzyhulk,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

We appreciate you letting us know how you resolved the problem!



