Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit.Win32.TDSS.tdl4 \HardDisk0\MBR


  • This topic is locked This topic is locked
10 replies to this topic

#1 junho_lover

junho_lover

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 10 December 2010 - 12:53 PM

Hi I need help -_- I have tried so much including the fixmbr thing from a WInd. XP cd...nothing helps..well 2 weeks ago about The virus went away after a few scans and the fixmbr thing...BUT IT's BACK!!! ok here is a log from TDSSKiller which swears removes this but...-_- I hope I'm doing this right

2010/12/10 12:52:27.0125 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12
2010/12/10 12:52:27.0125 ================================================================================
2010/12/10 12:52:27.0125 SystemInfo:
2010/12/10 12:52:27.0125
2010/12/10 12:52:27.0125 OS Version: 5.1.2600 ServicePack: 2.0
2010/12/10 12:52:27.0125 Product type: Workstation
2010/12/10 12:52:27.0125 ComputerName: JUNHO
2010/12/10 12:52:27.0125 UserName: justin
2010/12/10 12:52:27.0125 Windows directory: C:\WINDOWS
2010/12/10 12:52:27.0125 System windows directory: C:\WINDOWS
2010/12/10 12:52:27.0125 Processor architecture: Intel x86
2010/12/10 12:52:27.0125 Number of processors: 1
2010/12/10 12:52:27.0125 Page size: 0x1000
2010/12/10 12:52:27.0125 Boot type: Normal boot
2010/12/10 12:52:27.0125 ================================================================================
2010/12/10 12:52:28.0781 Initialize success
2010/12/10 12:52:32.0140 ================================================================================
2010/12/10 12:52:32.0140 Scan started
2010/12/10 12:52:32.0140 Mode: Manual;
2010/12/10 12:52:32.0140 ================================================================================
2010/12/10 12:52:34.0828 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/12/10 12:52:34.0937 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/10 12:52:34.0984 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/12/10 12:52:35.0062 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/12/10 12:52:35.0125 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2010/12/10 12:52:35.0343 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2010/12/10 12:52:35.0390 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/12/10 12:52:35.0421 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/12/10 12:52:35.0437 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/12/10 12:52:35.0468 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/12/10 12:52:35.0500 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/12/10 12:52:35.0625 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/12/10 12:52:35.0671 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/12/10 12:52:35.0703 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/12/10 12:52:35.0734 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/12/10 12:52:35.0765 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/12/10 12:52:35.0796 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/12/10 12:52:35.0843 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/12/10 12:52:35.0875 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/12/10 12:52:35.0937 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/10 12:52:36.0015 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/10 12:52:36.0171 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/10 12:52:36.0250 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/10 12:52:36.0343 BCM43XX (114234fafec7060392195170e1c4d45e) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/12/10 12:52:36.0421 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/10 12:52:36.0593 BTWUSB (4272bab9291d26da5ac913bc79c3ce85) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/12/10 12:52:36.0890 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/12/10 12:52:36.0921 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/10 12:52:37.0015 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/12/10 12:52:37.0062 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/10 12:52:37.0125 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/10 12:52:37.0250 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/10 12:52:37.0359 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/12/10 12:52:37.0546 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/12/10 12:52:37.0593 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/12/10 12:52:37.0640 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/12/10 12:52:37.0687 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/12/10 12:52:37.0750 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/12/10 12:52:37.0812 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/10 12:52:37.0890 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/10 12:52:38.0046 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/10 12:52:38.0109 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/10 12:52:38.0296 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/10 12:52:38.0359 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/12/10 12:52:38.0437 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/10 12:52:38.0500 E100B (83403675cab29e7a4b885b11e7c855d8) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/12/10 12:52:38.0593 eabfiltr (b5cb3084046146fd2587d8c9b219feb4) C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
2010/12/10 12:52:38.0828 eabusb (231f4547ae1e4b3e60eca66c3a96d218) C:\WINDOWS\system32\DRIVERS\eabusb.sys
2010/12/10 12:52:38.0937 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/10 12:52:39.0000 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2010/12/10 12:52:39.0046 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/10 12:52:39.0140 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/12/10 12:52:39.0265 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/12/10 12:52:39.0375 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/10 12:52:39.0468 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/10 12:52:39.0515 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/10 12:52:39.0546 HBtnKey (4d4d97671c63c3af869b3518e6054204) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
2010/12/10 12:52:39.0609 HdAudAddService (2a6e9a118da2dd0439551a7eb3a8f65e) C:\WINDOWS\system32\drivers\CHDAud.sys
2010/12/10 12:52:39.0828 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/10 12:52:39.0937 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/12/10 12:52:39.0968 HSFHWAZL (448c0fd272fe1b80046f4767db21eb8d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2010/12/10 12:52:40.0031 HSF_DPV (2715a27de9c17bdbaf6d6c79989a7b12) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2010/12/10 12:52:40.0125 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/10 12:52:40.0203 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/12/10 12:52:40.0234 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/12/10 12:52:40.0312 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/10 12:52:40.0484 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/12/10 12:52:40.0718 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2010/12/10 12:52:40.0859 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/10 12:52:40.0984 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/12/10 12:52:41.0046 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/10 12:52:41.0171 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/10 12:52:41.0203 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/12/10 12:52:41.0250 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/10 12:52:41.0468 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/10 12:52:41.0578 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/10 12:52:41.0656 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/10 12:52:41.0687 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/10 12:52:41.0765 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/10 12:52:41.0921 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/10 12:52:41.0984 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/10 12:52:42.0046 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/10 12:52:42.0156 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/10 12:52:42.0312 mdmxsdk (74f4372af97a587ecec527ec34955712) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/12/10 12:52:42.0375 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2010/12/10 12:52:42.0453 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/10 12:52:42.0546 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/10 12:52:42.0640 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/10 12:52:42.0734 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/10 12:52:42.0796 MQAC (db07b0088cdfd20c2a22e675120ede34) C:\WINDOWS\system32\drivers\mqac.sys
2010/12/10 12:52:42.0859 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/12/10 12:52:42.0968 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/10 12:52:43.0125 MRxSmb (5ddc9a1b2eb5a4bf010ce8c019a18c1f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/10 12:52:43.0281 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/10 12:52:43.0421 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/10 12:52:43.0531 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/10 12:52:43.0562 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/10 12:52:43.0625 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/10 12:52:43.0703 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/10 12:52:43.0937 NAVENG (9ff1bd6bacebc149813c54c5b861ada4) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060514.008\NAVENG.Sys
2010/12/10 12:52:44.0015 NAVEX15 (579434ed647a1e676228e97ad8c61c77) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060514.008\NavEx15.Sys
2010/12/10 12:52:44.0343 NDIS (aa898f84d2b59129fb92e143a2c73434) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/10 12:52:44.0406 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/10 12:52:44.0500 Ndisuio (eefa1ce63805d2145978621be5c6d955) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/10 12:52:44.0562 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/10 12:52:44.0671 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/10 12:52:44.0812 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/10 12:52:44.0875 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/10 12:52:44.0984 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/12/10 12:52:45.0062 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/10 12:52:45.0140 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/10 12:52:45.0312 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/10 12:52:45.0468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/10 12:52:45.0562 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/10 12:52:45.0625 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/12/10 12:52:45.0718 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
2010/12/10 12:52:45.0828 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/10 12:52:45.0859 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/10 12:52:45.0984 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/10 12:52:46.0140 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/10 12:52:46.0218 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/12/10 12:52:46.0343 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2010/12/10 12:52:46.0500 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/12/10 12:52:46.0531 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/12/10 12:52:46.0625 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/10 12:52:46.0671 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/10 12:52:46.0687 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/10 12:52:46.0812 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/12/10 12:52:46.0921 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/12/10 12:52:46.0953 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/12/10 12:52:47.0031 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/12/10 12:52:47.0062 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/12/10 12:52:47.0093 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/12/10 12:52:47.0140 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/10 12:52:47.0203 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/10 12:52:47.0234 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/10 12:52:47.0265 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/10 12:52:47.0343 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/10 12:52:47.0437 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/10 12:52:47.0656 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/10 12:52:47.0750 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/10 12:52:47.0875 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/10 12:52:48.0031 rimmptsk (7a6648b61661b1421ffab762e391e33f) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2010/12/10 12:52:48.0078 rimsptsk (d0a35b7670aa3558eaab483f64446496) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
2010/12/10 12:52:48.0171 rismxdp (3ac17802740c3a4764dc9750e92e6233) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
2010/12/10 12:52:48.0296 RMCAST (35e81b908ae4e97fc7bdf4607c516ff4) C:\WINDOWS\system32\drivers\RMCast.sys
2010/12/10 12:52:48.0359 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/12/10 12:52:48.0515 SAVRT (21ba125b956a513f85f6ab1dd603f917) c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS
2010/12/10 12:52:48.0546 SAVRTPEL (0f8e1c05fc1298f8e7cea935429f66ff) c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS
2010/12/10 12:52:48.0703 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2010/12/10 12:52:48.0812 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/10 12:52:48.0968 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2010/12/10 12:52:49.0015 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/10 12:52:49.0156 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/12/10 12:52:49.0187 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/12/10 12:52:49.0296 SPBBCDrv (16aa4657806e3ea423d7e9286e763016) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2010/12/10 12:52:49.0437 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/10 12:52:49.0640 sptd (87b5595eb1c623ff5887e36a35e51ba2) C:\WINDOWS\system32\Drivers\sptd.sys
2010/12/10 12:52:49.0656 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 87b5595eb1c623ff5887e36a35e51ba2
2010/12/10 12:52:49.0656 sptd - detected Locked file (1)
2010/12/10 12:52:49.0796 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/10 12:52:49.0875 Srv (553007ecce7f6565bbe645beb66d3b69) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/10 12:52:49.0984 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/10 12:52:50.0125 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/10 12:52:50.0218 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/12/10 12:52:50.0234 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/12/10 12:52:50.0343 SymEvent (6db4cfcabd55c05649104f2384f2a10f) C:\Program Files\Symantec\SYMEVENT.SYS
2010/12/10 12:52:50.0453 SYMIDSCO (76dcba76caa80365e6d5792afaa2adb5) C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050901.036\symidsco.sys
2010/12/10 12:52:50.0562 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys
2010/12/10 12:52:50.0718 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/12/10 12:52:50.0781 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/12/10 12:52:50.0843 SynTP (369d0626687a968182a9db40fe8a0905) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/12/10 12:52:50.0921 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/10 12:52:51.0171 Tcpip (583e063fdc888ca30d05c2724b0d7ef4) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/10 12:52:51.0296 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/10 12:52:51.0359 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/10 12:52:51.0437 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/10 12:52:51.0531 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/12/10 12:52:51.0578 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/10 12:52:51.0656 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/12/10 12:52:51.0703 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/10 12:52:51.0750 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/10 12:52:51.0781 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/10 12:52:51.0859 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/10 12:52:51.0968 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/10 12:52:52.0109 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/12/10 12:52:52.0203 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/12/10 12:52:52.0250 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/12/10 12:52:52.0328 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/10 12:52:52.0437 w39n51 (c79918a5bd269035f3a34d157401b9df) C:\WINDOWS\system32\DRIVERS\w39n51.sys
2010/12/10 12:52:52.0625 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/10 12:52:52.0812 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/10 12:52:52.0921 winachsf (7fe372b1ab60736cc67e8eb6f1fb1f5b) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/12/10 12:52:53.0078 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/12/10 12:52:53.0437 \HardDisk0 - detected Rootkit.Win32.BackBoot.gen (1)
2010/12/10 12:52:53.0453 ================================================================================
2010/12/10 12:52:53.0453 Scan finished
2010/12/10 12:52:53.0453 ================================================================================
2010/12/10 12:52:53.0468 Detected object count: 2
2010/12/10 12:53:01.0093 Locked file(sptd) - User select action: Skip
2010/12/10 12:53:01.0093 Rootkit.Win32.BackBoot.gen(\HardDisk0) - User select action: Skip

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:13 PM

Posted 10 December 2010 - 01:05 PM

Hello junho_lover ,

Posted Image

Let's try this a different way then. :)


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to junho.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 junho_lover

junho_lover
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 10 December 2010 - 01:32 PM

ComboFix 10-12-09.04 - justin 12/10/2010 13:23:16.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.162 [GMT -5:00]
Running from: c:\documents and settings\justin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\justin\LOCALS~1\Temp\SAS9.tmp
c:\documents and settings\justin\Local Settings\Temp\SAS9.tmp

.
((((((((((((((((((((((((( Files Created from 2010-11-10 to 2010-12-10 )))))))))))))))))))))))))))))))
.

2010-12-10 16:10 . 2010-12-10 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-10 15:42 . 2010-12-10 15:42 -------- d-----w- c:\documents and settings\justin\Application Data\Malwarebytes
2010-12-10 15:10 . 2010-12-10 15:10 388608 ----a-w- c:\windows\system32\CF31586.exe
2010-12-10 13:46 . 2010-12-10 13:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-12-08 00:50 . 2010-12-08 01:07 -------- d-----w- c:\documents and settings\justin\Local Settings\Application Data\WMTools Downloaded Files
2010-12-05 16:40 . 2010-12-05 16:40 -------- d-----w- c:\windows\Sun
2010-12-02 22:17 . 2010-12-02 22:17 -------- d-----w- c:\documents and settings\justin\Local Settings\Application Data\Identities
2010-12-02 00:18 . 2010-12-02 00:18 -------- d-----w- c:\program files\Alcohol Soft
2010-11-29 22:54 . 2010-12-01 19:35 -------- d-----w- c:\documents and settings\justin\Application Data\Toolbar4
2010-11-29 21:04 . 2010-11-29 21:04 -------- d-----w- c:\documents and settings\justin\Application Data\EAC
2010-11-29 21:04 . 2010-11-29 21:11 -------- d-----w- c:\documents and settings\justin\Application Data\AccurateRip
2010-11-29 21:04 . 2010-11-29 21:04 -------- d-----w- c:\program files\Exact Audio Copy
2010-11-25 01:26 . 2010-11-25 01:26 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-11-25 01:19 . 2010-11-25 01:19 420920 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-11-24 22:24 . 2010-11-24 22:40 -------- d-----w- C:\temp
2010-11-24 18:35 . 2010-11-24 19:46 -------- d-----w- c:\program files\nLite
2010-11-24 16:24 . 2010-11-25 01:57 -------- d-----w- c:\documents and settings\justin\Application Data\DAEMON Tools Lite
2010-11-24 16:24 . 2010-11-24 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-11-23 13:21 . 2006-03-15 20:00 57856 ----a-w- c:\windows\system32\spoolsv.exe
2010-11-23 13:21 . 2006-03-15 20:00 57856 ----a-w- c:\windows\system32\dllcache\spoolsv.exe
2010-11-23 03:15 . 2010-11-23 03:15 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-20 21:41 . 2010-11-23 03:14 -------- d-----w- c:\program files\eMule
2010-11-20 17:14 . 2010-11-23 03:14 -------- d-----w- c:\program files\Project64 1.6
2010-11-12 23:33 . 2010-11-12 23:59 -------- d-----w- c:\documents and settings\justin\Application Data\CUE Tools
2010-11-12 23:33 . 2010-11-12 23:33 -------- d-----w- c:\documents and settings\justin\Application Data\CUERipper
2010-11-12 22:06 . 2010-11-12 22:07 -------- d-----w- c:\program files\FrostWire
2010-11-10 21:03 . 2010-12-10 17:22 -------- d-----w- c:\documents and settings\justin\Application Data\FrostWire
2010-11-10 19:55 . 2010-11-10 19:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-10 19:55 . 2010-11-10 19:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-11-10 19:55 . 2010-11-10 19:55 411368 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-10 14:53 . 2010-10-27 00:23 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-27 07:56 . 2010-10-27 07:52 510840 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-10-27 01:22 . 2010-10-27 01:22 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-10-27 01:22 . 2010-10-27 01:22 47360 ----a-w- c:\documents and settings\justin\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-12-10_15.24.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-10 17:19 . 2010-12-10 17:19 16384 c:\windows\temp\Perflib_Perfdata_520.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2010-08-20 33120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"MsmqIntCert"="mqrt.dll" [2006-03-16 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-15 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\junho\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\justin\Start Menu\Programs\Startup\
FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2010-8-17 114688]
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/24/2010 8:19 PM 420920]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd25
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - SAVRT
*Deregistered* - SAVRTPEL
*Deregistered* - SymEvent
*Deregistered* - symlcbrd
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-10 13:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???@???????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82333555]<<
c:\docume~1\justin\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x823397b0]; MOV EAX, [0x8233982c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EDF3C] -> \Device\Harddisk0\DR0[0x823CEAB8]
3 CLASSPNP[0xF84D605B] -> ntkrnlpa!IofCallDriver[0x804EDF3C] -> \Device\00000088[0x8231D508]
5 ACPI[0xF8228620] -> ntkrnlpa!IofCallDriver[0x804EDF3C] -> [0x823134E0]
\Driver\atapi[0x8231B410] -> IRP_MJ_CREATE -> 0x82333555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8233339B
\Driver\atapi -> 0x823a71f8
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2010-12-10 13:31:34
ComboFix-quarantined-files.txt 2010-12-10 18:31
ComboFix2.txt 2010-12-10 15:26

Pre-Run: 50,694,582,272 bytes free
Post-Run: 50,919,043,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 54BC7FD774769D60F414AADF1442B702


That's what I got

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:13 PM

Posted 10 December 2010 - 01:40 PM

Hello,

Delete the version of TDSSKiller you have now and get a fresh one to run. The log you posted was from last month, and I know TDSSKiller has been updated since.

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 junho_lover

junho_lover
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 10 December 2010 - 01:49 PM

Ok so here is what I got after restarting and what not

2010/12/10 13:47:39.0968 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/10 13:47:39.0968 ================================================================================
2010/12/10 13:47:39.0968 SystemInfo:
2010/12/10 13:47:39.0968
2010/12/10 13:47:39.0968 OS Version: 5.1.2600 ServicePack: 2.0
2010/12/10 13:47:39.0984 Product type: Workstation
2010/12/10 13:47:39.0984 ComputerName: JUNHO
2010/12/10 13:47:39.0984 UserName: justin
2010/12/10 13:47:39.0984 Windows directory: C:\WINDOWS
2010/12/10 13:47:39.0984 System windows directory: C:\WINDOWS
2010/12/10 13:47:39.0984 Processor architecture: Intel x86
2010/12/10 13:47:39.0984 Number of processors: 1
2010/12/10 13:47:39.0984 Page size: 0x1000
2010/12/10 13:47:39.0984 Boot type: Normal boot
2010/12/10 13:47:39.0984 ================================================================================
2010/12/10 13:47:41.0187 Initialize success
2010/12/10 13:48:08.0968 ================================================================================
2010/12/10 13:48:08.0968 Scan started
2010/12/10 13:48:08.0968 Mode: Manual;
2010/12/10 13:48:08.0968 ================================================================================
2010/12/10 13:48:09.0656 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/12/10 13:48:09.0765 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/10 13:48:09.0812 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/12/10 13:48:09.0890 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/12/10 13:48:09.0937 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2010/12/10 13:48:10.0015 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2010/12/10 13:48:10.0203 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/12/10 13:48:10.0234 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/12/10 13:48:10.0265 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/12/10 13:48:10.0281 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/12/10 13:48:10.0312 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/12/10 13:48:10.0406 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/12/10 13:48:10.0484 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/12/10 13:48:10.0500 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/12/10 13:48:10.0531 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/12/10 13:48:10.0562 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/12/10 13:48:10.0578 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/12/10 13:48:10.0640 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/12/10 13:48:10.0656 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/12/10 13:48:10.0718 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/10 13:48:10.0843 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/10 13:48:10.0937 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/10 13:48:11.0015 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/10 13:48:11.0171 BCM43XX (114234fafec7060392195170e1c4d45e) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/12/10 13:48:11.0218 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/10 13:48:11.0250 BTWUSB (4272bab9291d26da5ac913bc79c3ce85) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/12/10 13:48:11.0390 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/12/10 13:48:11.0421 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/10 13:48:11.0437 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/12/10 13:48:11.0500 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/10 13:48:11.0531 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/10 13:48:11.0671 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/10 13:48:11.0843 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/12/10 13:48:11.0875 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/12/10 13:48:11.0921 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/12/10 13:48:12.0000 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/12/10 13:48:12.0031 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/12/10 13:48:12.0062 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/12/10 13:48:12.0140 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/10 13:48:12.0203 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/10 13:48:12.0437 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/10 13:48:12.0546 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/10 13:48:12.0656 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/10 13:48:12.0687 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/12/10 13:48:12.0718 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/10 13:48:12.0796 E100B (83403675cab29e7a4b885b11e7c855d8) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/12/10 13:48:12.0859 eabfiltr (b5cb3084046146fd2587d8c9b219feb4) C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
2010/12/10 13:48:12.0953 eabusb (231f4547ae1e4b3e60eca66c3a96d218) C:\WINDOWS\system32\DRIVERS\eabusb.sys
2010/12/10 13:48:13.0062 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/10 13:48:13.0156 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2010/12/10 13:48:13.0203 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/10 13:48:13.0296 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/12/10 13:48:13.0390 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/12/10 13:48:13.0437 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/10 13:48:13.0546 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/10 13:48:13.0671 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/10 13:48:13.0718 HBtnKey (4d4d97671c63c3af869b3518e6054204) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
2010/12/10 13:48:13.0828 HdAudAddService (2a6e9a118da2dd0439551a7eb3a8f65e) C:\WINDOWS\system32\drivers\CHDAud.sys
2010/12/10 13:48:13.0968 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/10 13:48:14.0015 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/12/10 13:48:14.0093 HSFHWAZL (448c0fd272fe1b80046f4767db21eb8d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2010/12/10 13:48:14.0171 HSF_DPV (2715a27de9c17bdbaf6d6c79989a7b12) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2010/12/10 13:48:14.0343 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/10 13:48:14.0421 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/12/10 13:48:14.0437 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/12/10 13:48:14.0515 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/10 13:48:14.0656 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/12/10 13:48:14.0843 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2010/12/10 13:48:15.0031 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/10 13:48:15.0140 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/12/10 13:48:15.0187 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/10 13:48:15.0250 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/10 13:48:15.0281 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/12/10 13:48:15.0312 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/10 13:48:15.0328 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/10 13:48:15.0406 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/10 13:48:15.0500 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/10 13:48:15.0625 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/10 13:48:15.0718 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/10 13:48:15.0859 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/10 13:48:15.0906 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/10 13:48:15.0968 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/10 13:48:16.0046 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/10 13:48:16.0281 mdmxsdk (74f4372af97a587ecec527ec34955712) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/12/10 13:48:16.0328 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2010/12/10 13:48:16.0406 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/10 13:48:16.0453 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/10 13:48:16.0562 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/10 13:48:16.0625 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/10 13:48:16.0734 MQAC (db07b0088cdfd20c2a22e675120ede34) C:\WINDOWS\system32\drivers\mqac.sys
2010/12/10 13:48:16.0859 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/12/10 13:48:16.0906 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/10 13:48:17.0062 MRxSmb (5ddc9a1b2eb5a4bf010ce8c019a18c1f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/10 13:48:17.0171 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/10 13:48:17.0265 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/10 13:48:17.0296 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/10 13:48:17.0328 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/10 13:48:17.0375 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/10 13:48:17.0500 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/10 13:48:17.0625 NDIS (aa898f84d2b59129fb92e143a2c73434) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/10 13:48:17.0734 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/10 13:48:17.0828 Ndisuio (eefa1ce63805d2145978621be5c6d955) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/10 13:48:17.0921 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/10 13:48:18.0000 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/10 13:48:18.0062 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/10 13:48:18.0156 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/10 13:48:18.0296 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/12/10 13:48:18.0359 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/10 13:48:18.0500 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/10 13:48:18.0593 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/10 13:48:18.0640 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/10 13:48:18.0656 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/10 13:48:18.0734 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/12/10 13:48:18.0843 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
2010/12/10 13:48:18.0890 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/10 13:48:19.0000 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/10 13:48:19.0125 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/10 13:48:19.0218 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/10 13:48:19.0281 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/12/10 13:48:19.0390 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2010/12/10 13:48:19.0656 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/12/10 13:48:19.0687 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/12/10 13:48:19.0796 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/10 13:48:19.0843 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/10 13:48:19.0875 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/10 13:48:19.0953 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/12/10 13:48:20.0046 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/12/10 13:48:20.0203 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/12/10 13:48:20.0281 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/12/10 13:48:20.0312 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/12/10 13:48:20.0343 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/12/10 13:48:20.0390 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/10 13:48:20.0437 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/10 13:48:20.0484 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/10 13:48:20.0515 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/10 13:48:20.0593 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/10 13:48:20.0640 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/10 13:48:20.0671 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/10 13:48:20.0750 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/10 13:48:20.0906 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/10 13:48:21.0109 rimmptsk (7a6648b61661b1421ffab762e391e33f) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2010/12/10 13:48:21.0156 rimsptsk (d0a35b7670aa3558eaab483f64446496) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
2010/12/10 13:48:21.0203 rismxdp (3ac17802740c3a4764dc9750e92e6233) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
2010/12/10 13:48:21.0281 RMCAST (35e81b908ae4e97fc7bdf4607c516ff4) C:\WINDOWS\system32\drivers\RMCast.sys
2010/12/10 13:48:21.0343 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/12/10 13:48:21.0421 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2010/12/10 13:48:21.0453 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/10 13:48:21.0531 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2010/12/10 13:48:21.0578 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/10 13:48:21.0703 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/12/10 13:48:21.0734 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/12/10 13:48:21.0890 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/10 13:48:22.0015 sptd (87b5595eb1c623ff5887e36a35e51ba2) C:\WINDOWS\system32\Drivers\sptd.sys
2010/12/10 13:48:22.0015 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 87b5595eb1c623ff5887e36a35e51ba2
2010/12/10 13:48:22.0031 sptd - detected Locked file (1)
2010/12/10 13:48:22.0093 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/10 13:48:22.0156 Srv (553007ecce7f6565bbe645beb66d3b69) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/10 13:48:22.0218 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/10 13:48:22.0296 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/10 13:48:22.0343 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/12/10 13:48:22.0468 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/12/10 13:48:22.0500 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/12/10 13:48:22.0531 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/12/10 13:48:22.0593 SynTP (369d0626687a968182a9db40fe8a0905) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/12/10 13:48:22.0640 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/10 13:48:22.0781 Tcpip (583e063fdc888ca30d05c2724b0d7ef4) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/10 13:48:22.0984 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/10 13:48:23.0015 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/10 13:48:23.0046 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/10 13:48:23.0140 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/12/10 13:48:23.0203 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/10 13:48:23.0250 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/12/10 13:48:23.0296 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/10 13:48:23.0359 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/10 13:48:23.0406 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/10 13:48:23.0468 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/10 13:48:23.0500 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/10 13:48:23.0593 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/12/10 13:48:23.0859 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/12/10 13:48:23.0906 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/12/10 13:48:23.0968 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/10 13:48:24.0093 w39n51 (c79918a5bd269035f3a34d157401b9df) C:\WINDOWS\system32\DRIVERS\w39n51.sys
2010/12/10 13:48:24.0218 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/10 13:48:24.0328 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/10 13:48:24.0546 winachsf (7fe372b1ab60736cc67e8eb6f1fb1f5b) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/12/10 13:48:24.0671 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/12/10 13:48:25.0000 ================================================================================
2010/12/10 13:48:25.0000 Scan finished
2010/12/10 13:48:25.0000 ================================================================================
2010/12/10 13:48:25.0015 Detected object count: 1
2010/12/10 13:48:27.0515 Locked file(sptd) - User select action: Skip



It says it found no threats but I remember this happened before and it came back

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:13 PM

Posted 10 December 2010 - 02:24 PM

Thanks....so now please run ComboFix again. I want to see if anything has changed in it. Keep an eye on the system and let me know how it does. :thumbup2:

Thank you!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 junho_lover

junho_lover
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 10 December 2010 - 02:47 PM

THIS cam up before the log O_o no Idea why

http://i52.tinypic.com/2s00qix.png

ComboFix 10-12-09.04 - justin 12/10/2010 14:34:28.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.212 [GMT -5:00]
Running from: c:\documents and settings\justin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-11-10 to 2010-12-10 )))))))))))))))))))))))))))))))
.

2010-12-10 16:10 . 2010-12-10 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-10 15:42 . 2010-12-10 15:42 -------- d-----w- c:\documents and settings\justin\Application Data\Malwarebytes
2010-12-10 15:10 . 2010-12-10 15:10 388608 ----a-w- c:\windows\system32\CF31586.exe
2010-12-10 13:46 . 2010-12-10 13:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-12-08 00:50 . 2010-12-08 01:07 -------- d-----w- c:\documents and settings\justin\Local Settings\Application Data\WMTools Downloaded Files
2010-12-05 16:40 . 2010-12-05 16:40 -------- d-----w- c:\windows\Sun
2010-12-02 22:17 . 2010-12-02 22:17 -------- d-----w- c:\documents and settings\justin\Local Settings\Application Data\Identities
2010-12-02 00:18 . 2010-12-02 00:18 -------- d-----w- c:\program files\Alcohol Soft
2010-11-29 22:54 . 2010-12-01 19:35 -------- d-----w- c:\documents and settings\justin\Application Data\Toolbar4
2010-11-29 21:04 . 2010-11-29 21:04 -------- d-----w- c:\documents and settings\justin\Application Data\EAC
2010-11-29 21:04 . 2010-11-29 21:11 -------- d-----w- c:\documents and settings\justin\Application Data\AccurateRip
2010-11-29 21:04 . 2010-11-29 21:04 -------- d-----w- c:\program files\Exact Audio Copy
2010-11-25 01:26 . 2010-11-25 01:26 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-11-25 01:19 . 2010-11-25 01:19 420920 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-11-24 22:24 . 2010-11-24 22:40 -------- d-----w- C:\temp
2010-11-24 18:35 . 2010-11-24 19:46 -------- d-----w- c:\program files\nLite
2010-11-24 16:24 . 2010-11-25 01:57 -------- d-----w- c:\documents and settings\justin\Application Data\DAEMON Tools Lite
2010-11-24 16:24 . 2010-11-24 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-11-23 13:21 . 2006-03-15 20:00 57856 ----a-w- c:\windows\system32\spoolsv.exe
2010-11-23 13:21 . 2006-03-15 20:00 57856 ----a-w- c:\windows\system32\dllcache\spoolsv.exe
2010-11-23 03:15 . 2010-11-23 03:15 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-20 21:41 . 2010-11-23 03:14 -------- d-----w- c:\program files\eMule
2010-11-20 17:14 . 2010-11-23 03:14 -------- d-----w- c:\program files\Project64 1.6
2010-11-12 23:33 . 2010-11-12 23:59 -------- d-----w- c:\documents and settings\justin\Application Data\CUE Tools
2010-11-12 23:33 . 2010-11-12 23:33 -------- d-----w- c:\documents and settings\justin\Application Data\CUERipper
2010-11-12 22:06 . 2010-11-12 22:07 -------- d-----w- c:\program files\FrostWire
2010-11-10 21:03 . 2010-12-10 18:46 -------- d-----w- c:\documents and settings\justin\Application Data\FrostWire
2010-11-10 19:55 . 2010-11-10 19:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-10 19:55 . 2010-11-10 19:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-11-10 19:55 . 2010-11-10 19:55 411368 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-10 14:53 . 2010-10-27 00:23 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-27 07:56 . 2010-10-27 07:52 510840 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-10-27 01:22 . 2010-10-27 01:22 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-10-27 01:22 . 2010-10-27 01:22 47360 ----a-w- c:\documents and settings\justin\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-12-10_15.24.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-10 18:45 . 2010-12-10 18:45 16384 c:\windows\temp\Perflib_Perfdata_264.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2010-08-20 33120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"MsmqIntCert"="mqrt.dll" [2006-03-16 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-15 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\junho\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\justin\Start Menu\Programs\Startup\
FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2010-8-17 114688]
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/24/2010 8:19 PM 420920]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd25
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-10 14:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???XW??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x827DF1F8]<<
c:\docume~1\justin\LOCALS~1\Temp\catchme.sys
_asm { MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX; PUSH 0x827df008; MOV EAX, 0xf83f3c34; CALL EAX; }
1 ntkrnlpa!IofCallDriver[0x804EDF3C] -> \Device\Harddisk0\DR0[0x82765030]
3 CLASSPNP[0xF864905B] -> ntkrnlpa!IofCallDriver[0x804EDF3C] -> \Device\00000080[0x82745E80]
5 ACPI[0xF839B620] -> ntkrnlpa!IofCallDriver[0x804EDF3C] -> \Device\Ide\IdeDeviceP0T0L0-3[0x8277A7F8]
\Driver\atapi[0x82761268] -> IRP_MJ_CREATE -> 0x827DF1F8
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi -> 0x827df1f8
user != kernel MBR !!!
Warning: possible MBR rootkit infection !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(248)
c:\progra~1\MICROS~4\OFFICE11\MCPS.DLL
.
Completion time: 2010-12-10 14:42:33
ComboFix-quarantined-files.txt 2010-12-10 19:42
ComboFix2.txt 2010-12-10 18:31
ComboFix3.txt 2010-12-10 15:26

Pre-Run: 50,889,895,936 bytes free
Post-Run: 50,895,368,192 bytes free

- - End Of File - - F8DD13914D2FCA2D22B9BCCFD37E0A4B

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:13 PM

Posted 10 December 2010 - 03:09 PM

That file mentioned is from ComboFix.

Have you run MBAM? Is it clean? Also, you mentioned having gone through this before.....was this on your own? Or did someone help you somewhere else?
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 junho_lover

junho_lover
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 10 December 2010 - 03:15 PM

It was on my own no one helped me. I did have MBAM from earlier today but deleted it because it didn't help me. :/ My computer so far is running normal by the way but I'm guessing the problem isn't yet fixed?

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:13 PM

Posted 11 December 2010 - 11:01 AM

Hello,

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:13 PM

Posted 18 December 2010 - 03:56 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users