Unknown Infection Grabbing Passwords and emails


  • This topic is locked
14 replies to this topic

#1 brianksac

brianksac

  • Members
  • 7 posts
  • Local time:08:54 PM

Posted 13 December 2010 - 09:30 PM

Hello and thank you very much for your help.

Nature of the problem:

Started receiving spam emails to all my email addresses, including test, one-time-only email addresses used only to send to myself. Using Mozilla Thunderbird email software. It seems as if something was going through my emails picking out addresses.

Then numerous websites across several different web hosting accounts were hacked. Only this one computer had this login info for so many accounts: either in ftp software, roboform, or personal document with password information.

Received notice from bank of attempted account change.


Computer:

Windows XP, Home Edition, Version 2002, Service Pack 3



Steps to Resolve:

Removed all FTP programs from computer.
Kaspersky Anti-Virus is finding nothing.
Malwarebytes Anti-Malware found nothing.
SUPERAntiSpyware just came back with tracking cookies.

Have gone through the Preparation Steps for this website.

Everything went fine until the GMER program. I thought my computer was 32-bit. The first time I ran GMER it went a couple of hours, then said it had been interrupted. Started again, and after 6 hours scanning files (lots of files on the computer) the computer froze, requiring a hard reboot. Tried to run it a couple more times, but it quickly freezes the computer.


Copy of DDS.TXT:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 17:42:11.82 on Mon 12/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.583 [GMT -8:00]

AV: Kaspersky Anti-Virus *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\igfxtray.exe
C:\Program Files\CPal\CPBrWtch.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
svchost.exe
C:\Program Files\Advanced System Optimizer 3\ASO3DefragSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdiSdkHelper.exe
C:\WINNT\System32\svchost.exe -k imgsvc
C:\WINNT\wanmpsvc.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\imapi.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.net/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: QFX Software KeyScrambler: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - CKeyScramblerBHO Object
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: SEO ToolBar Lite: {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Hot Key Kbd 9910 Daemon] "c:\winnt\system32\SK9910DM.EXE"
mRun: [GWMDMMSG] "c:\winnt\GWMDMMSG.exe"
mRun: [IgfxTray] "c:\winnt\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\winnt\system32\hkcmd.exe"
mRun: [GWMDMpi] c:\winnt\GWMDMpi.exe
mRun: [Cookie Pal] "c:\program files\cpal\CPBrWtch.exe"
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT ACR] c:\program files\common files\portrait displays\shared\DT_startup.exe -ACR
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Identities Editor - file://c:\program files\siber systems\ai roboform\RoboFormComEditIdent.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {45DB34C3-955C-11D3-ABEF-444553540000} - c:\program files\siber systems\ai roboform\RoboFormComEditIdent.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - c:\amicus\amicus50\research\GetTags.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61}
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278953572046
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137686575015
DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - hxxp://toolbar.google.com/data/GoogleActivate.cab
DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.3148611111
DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {732FD978-12B5-4A29-9837-5F2F4695FE35} = 216.131.95.20,216.131.94.5
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\micros~2\CENetFlt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\micros~2\CENetFlt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\micros~2\CENetFlt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\micros~2\CENetFlt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\progra~1\micros~2\CENetFlt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\progra~1\micros~2\CENetFlt.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\winnt\system32\klogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\n6f6uwzh.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/Owner/Desktop/kindsvater.html
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\siber systems\ai roboform\Firefox
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: SeoQuake: {317B5128-0B0B-49b2-B2DB-1E7560E16C74} - %profile%\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
FF - Ext: RankChecker: rankchecker@seobook.com - %profile%\extensions\rankchecker@seobook.com
FF - Ext: Google Global: {B97F57B9-1B42-4aed-9475-0022600C62DC} - %profile%\extensions\{B97F57B9-1B42-4aed-9475-0022600C62DC}
FF - Ext: NoDoFollow: {c2b1f3ae-5cd5-49b7-8a0c-2c3bcbbbb294} - %profile%\extensions\{c2b1f3ae-5cd5-49b7-8a0c-2c3bcbbbb294}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\winnt\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\winnt\system32\drivers\klif.sys [2010-7-11 315408]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\advanced system optimizer 3\ASO3DefragSrv.exe [2010-1-28 238824]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340520]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2010-2-25 109168]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [2002-9-20 6736]
R3 KeyScrambler;KeyScrambler;c:\winnt\system32\drivers\keyscrambler.sys [2008-4-8 113896]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\winnt\system32\drivers\klmouflt.sys [2009-10-2 19472]
S0 qrvtni;qrvtni;c:\winnt\system32\drivers\accyt.sys --> c:\winnt\system32\drivers\accyt.sys [?]
S1 aAaAAAA;aAaAAAA;c:\winnt\system32\drivers\aaaaaaa.sys --> c:\winnt\system32\drivers\aAaAAAA.sys [?]
S3 ADASPROT;SYSTWEAKASO;c:\program files\advanced system optimizer 3\adasprot32.sys [2010-1-28 6656]
S3 iscFlash;iscFlash;\??\c:\winnt\system32\drivers\iscflash.sys --> c:\winnt\system32\drivers\iscflash.sys [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\qctest\pcdoc\pcdrdrv.sys --> c:\atf\qctest\pcdoc\PCDRDRV.sys [?]
S3 TIAu5Bt;Actiontec USB Home DSL Modem Boot Device Service;c:\winnt\system32\drivers\tiau5bt.sys --> c:\winnt\system32\drivers\tiau5bt.sys [?]
S3 TIAU5LN;Actiontec USB Home DSL Modem Service;c:\winnt\system32\drivers\tiau5ln.sys --> c:\winnt\system32\drivers\TIAU5LN.sys [?]

=============== Created Last 30 ================

2011-05-14 02:05:57 -------- d-----w- c:\program files\WS_FTP Pro
2010-12-13 04:19:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-13 04:19:52 -------- d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-12-13 04:19:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-13 03:36:18 -------- d-----w- c:\program files\ESET
2010-12-13 02:37:13 -------- d-----w- C:\ComboFix2
2010-12-04 04:59:16 89088 ----a-w- c:\winnt\MBR.exe

==================== Find3M ====================

2010-09-18 19:23:26 974848 ----a-w- c:\winnt\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\winnt\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\winnt\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\winnt\system32\mfc40u.dll
2010-09-15 17:04:03 48 ----a-w- c:\winnt\wpd99.drv

============= FINISH: 17:45:43.40 ===============

Edited by brianksac, 13 December 2010 - 09:35 PM.
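As a worked illustration added here (not part of the original thread, and not code from DDS, BleepingComputer or any tool named above): a Python triage script that parses the two DDS sections a log reader checks first and flags entries like the ones in the posted log, namely drivers with no descriptive name, a boot/system start type and no image file on disk, and "Created Last 30" entries dated after the scan itself. The sample input is a constructed excerpt modelled on the log above, and the scoring heuristic is my own assumption rather than a rule used by DDS or the forum's helpers.

```python
import re
from datetime import date

# Constructed excerpt in DDS format, modelled on entries from the log above.
# It is sample input written for this example, not the full posted log.
SAMPLE_DDS = r"""DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 17:42:11.82 on Mon 12/13/2010

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [2009-10-14 36880]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [2002-9-20 6736]
S0 qrvtni;qrvtni;c:\winnt\system32\drivers\accyt.sys --> c:\winnt\system32\drivers\accyt.sys [?]
S1 aAaAAAA;aAaAAAA;c:\winnt\system32\drivers\aaaaaaa.sys --> c:\winnt\system32\drivers\aAaAAAA.sys [?]
S3 TIAu5Bt;Actiontec USB Home DSL Modem Boot Device Service;c:\winnt\system32\drivers\tiau5bt.sys --> c:\winnt\system32\drivers\tiau5bt.sys [?]

=============== Created Last 30 ================

2011-05-14 02:05:57 -------- d-----w- c:\program files\WS_FTP Pro
2010-12-13 04:19:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-04 04:59:16 89088 ----a-w- c:\winnt\MBR.exe
"""

# Line shapes used by DDS: "R0 name;display;path [yyyy-m-d size]" or "... --> path [?]"
DRIVER_RE = re.compile(r"^[RS](?P<start>\d)\s+(?P<svc>[^;]+);(?P<disp>[^;]*);(?P<rest>.+)$")
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \S+ \S+ (?P<path>.+)$")
RUNDATE_RE = re.compile(r"^Run by .* on \w{3} (?P<m>\d{1,2})/(?P<d>\d{1,2})/(?P<y>\d{4})")


def vowel_ratio(name):
    """Share of letters that are vowels; random-looking names tend to be low."""
    letters = [c for c in name.lower() if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0


def driver_findings(m):
    """Heuristic reasons (my own scoring, not a DDS rule) to question a driver entry."""
    svc = m["svc"].strip()
    reasons = []
    if m["disp"].strip().lower() == svc.lower():
        reasons.append("display name is just the service name")
    if m["start"] in "01":
        reasons.append("boot/system start, loads before anti-virus")
    if m["rest"].rstrip().endswith("[?]"):
        reasons.append("image file not found on disk")
    if vowel_ratio(svc) < 0.25 or len(set(svc.lower())) <= 2:
        reasons.append("random-looking service name")
    return reasons


def triage(dds_text, threshold=3):
    """Return (suspect_drivers, future_dated) from the DDS sections it understands.

    suspect_drivers: [(service_name, [reasons])] for entries with >= threshold reasons
    future_dated:    [(date, path)] for 'Created Last 30' entries dated after the scan
    """
    run_date, section = None, None
    suspects, future = [], []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rd = RUNDATE_RE.match(line)
        if rd:
            run_date = date(int(rd["y"]), int(rd["m"]), int(rd["d"]))
            continue
        if line.startswith("="):           # section banner, e.g. "=== Created Last 30 ==="
            section = line.strip("= ")
            continue
        if section == "SERVICES / DRIVERS":
            m = DRIVER_RE.match(line)
            if m:
                reasons = driver_findings(m)
                if len(reasons) >= threshold:
                    suspects.append((m["svc"].strip(), reasons))
        elif section == "Created Last 30" and run_date is not None:
            m = CREATED_RE.match(line)
            if m and date.fromisoformat(m["date"]) > run_date:
                future.append((m["date"], m["path"]))
    return suspects, future


if __name__ == "__main__":
    drivers, future = triage(SAMPLE_DDS)
    for svc, reasons in drivers:
        print(f"QUESTION driver {svc}: {'; '.join(reasons)}")
    for when, path in future:
        print(f"FUTURE-DATED entry {when}: {path}")
```

A flagged entry is a question for the person reading the log, not a verdict: a legitimate leftover driver with a missing file (like the modem entry in the sample) scores below the threshold, and a future-dated folder may simply mean the system clock was wrong when it was created.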



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:54 AM

Posted 22 December 2010 - 09:57 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 brianksac

brianksac
  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:54 PM

Posted 22 December 2010 - 10:14 PM

Thank you for responding.

"I'm here" - here in California so you know the time differential. Have to leave in about an hour to get family from the airport. Otherwise, you have my full attention.

Since posting the logs on the 13th, that computer has had its Internet connection disabled, except for a couple of seconds where I had to get a couple of emails off of it. Otherwise, the computer has not been used.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:54 AM

Posted 23 December 2010 - 05:02 AM

Right, let's look for a rootkit behind this.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Also

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#5 brianksac

brianksac
  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:54 PM

Posted 23 December 2010 - 12:20 PM

report.txt from TDSSKiller:

2010/12/23 09:06:11.0750 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/23 09:06:11.0750 ================================================================================
2010/12/23 09:06:11.0750 SystemInfo:
2010/12/23 09:06:11.0750
2010/12/23 09:06:11.0750 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/23 09:06:11.0750 Product type: Workstation
2010/12/23 09:06:11.0750 ComputerName: SHERI
2010/12/23 09:06:11.0750 UserName: Owner
2010/12/23 09:06:11.0750 Windows directory: C:\WINNT
2010/12/23 09:06:11.0750 System windows directory: C:\WINNT
2010/12/23 09:06:11.0750 Processor architecture: Intel x86
2010/12/23 09:06:11.0750 Number of processors: 1
2010/12/23 09:06:11.0750 Page size: 0x1000
2010/12/23 09:06:11.0750 Boot type: Normal boot
2010/12/23 09:06:11.0750 ================================================================================
2010/12/23 09:06:12.0500 Initialize success
2010/12/23 09:06:17.0890 ================================================================================
2010/12/23 09:06:17.0890 Scan started
2010/12/23 09:06:17.0890 Mode: Manual;
2010/12/23 09:06:17.0890 ================================================================================
2010/12/23 09:07:44.0125 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINNT\system32\DRIVERS\raspppoe.sys
2010/12/23 09:07:44.0562 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINNT\system32\DRIVERS\raspti.sys
2010/12/23 09:07:45.0015 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINNT\system32\DRIVERS\rdbss.sys
2010/12/23 09:07:45.0531 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINNT\system32\DRIVERS\RDPCDD.sys
2010/12/23 09:07:45.0968 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINNT\system32\drivers\RDPWD.sys
2010/12/23 09:07:46.0656 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINNT\system32\DRIVERS\redbook.sys
2010/12/23 09:07:47.0218 RioPNP (ace39b5ee46094f8f0c61fa4ceda9f18) C:\WINNT\system32\drivers\RioPNP.sys
2010/12/23 09:07:47.0453 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/23 09:07:47.0687 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/12/23 09:07:48.0265 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINNT\system32\DRIVERS\secdrv.sys
2010/12/23 09:07:48.0890 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINNT\system32\DRIVERS\serenum.sys
2010/12/23 09:07:49.0375 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINNT\system32\DRIVERS\serial.sys
2010/12/23 09:07:49.0937 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINNT\system32\drivers\Sfloppy.sys
2010/12/23 09:07:50.0687 Sk99202k (c75c87a92d8d96ca16e35df929981793) C:\WINNT\system32\DRIVERS\Sk99202k.sys
2010/12/23 09:07:51.0078 Sk9920nt (36f8779600661a2a5faaba74e9392961) C:\WINNT\system32\DRIVERS\Sk9920nt.sys
2010/12/23 09:07:51.0687 smwdm (b911c822922cf62df83ad36d5c9775cc) C:\WINNT\system32\drivers\smwdm.sys
2010/12/23 09:07:52.0296 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINNT\system32\DRIVERS\SONYPVU1.SYS
2010/12/23 09:07:53.0015 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINNT\system32\drivers\splitter.sys
2010/12/23 09:07:53.0484 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINNT\system32\DRIVERS\sr.sys
2010/12/23 09:07:54.0109 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINNT\system32\DRIVERS\srv.sys
2010/12/23 09:07:54.0718 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINNT\system32\DRIVERS\swenum.sys
2010/12/23 09:07:55.0250 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINNT\system32\drivers\swmidi.sys
2010/12/23 09:07:57.0062 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINNT\system32\drivers\sysaudio.sys
2010/12/23 09:07:57.0562 tap0901 (1e89de7a4fb7a854ebb241d0aa8996dd) C:\WINNT\system32\DRIVERS\tap0901.sys
2010/12/23 09:07:58.0234 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINNT\system32\DRIVERS\tcpip.sys
2010/12/23 09:07:58.0968 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINNT\system32\drivers\TDPIPE.sys
2010/12/23 09:07:59.0515 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINNT\system32\drivers\TDTCP.sys
2010/12/23 09:08:00.0015 TermDD (88155247177638048422893737429d9e) C:\WINNT\system32\DRIVERS\termdd.sys
2010/12/23 09:08:01.0531 UdfReadr_xp (38f35f42c149379434c7cac40b974728) C:\WINNT\system32\drivers\UdfReadr_xp.sys
2010/12/23 09:08:02.0046 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINNT\system32\drivers\Udfs.sys
2010/12/23 09:08:02.0500 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINNT\system32\DRIVERS\ultra.sys
2010/12/23 09:08:03.0062 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINNT\system32\DRIVERS\update.sys
2010/12/23 09:08:04.0000 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINNT\system32\DRIVERS\usbccgp.sys
2010/12/23 09:08:04.0531 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINNT\system32\DRIVERS\usbehci.sys
2010/12/23 09:08:04.0984 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINNT\system32\DRIVERS\usbhub.sys
2010/12/23 09:08:05.0453 usbprint (a717c8721046828520c9edf31288fc00) C:\WINNT\system32\DRIVERS\usbprint.sys
2010/12/23 09:08:05.0937 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINNT\system32\DRIVERS\usbscan.sys
2010/12/23 09:08:06.0406 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINNT\system32\DRIVERS\USBSTOR.SYS
2010/12/23 09:08:06.0937 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINNT\system32\DRIVERS\usbuhci.sys
2010/12/23 09:08:07.0390 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINNT\System32\drivers\vga.sys
2010/12/23 09:08:08.0078 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINNT\system32\DRIVERS\viaide.sys
2010/12/23 09:08:08.0593 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINNT\system32\drivers\VolSnap.sys
2010/12/23 09:08:09.0218 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINNT\system32\DRIVERS\wanarp.sys
2010/12/23 09:08:09.0718 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINNT\system32\DRIVERS\wanatw4.sys
2010/12/23 09:08:10.0187 wceusbsh (4c0b8ef721783f52f8e531fbdc4b1f74) C:\WINNT\system32\DRIVERS\wceusbsh.sys
2010/12/23 09:08:10.0984 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINNT\system32\drivers\wdmaud.sys
2010/12/23 09:08:11.0593 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINNT\System32\drivers\ws2ifsl.sys
2010/12/23 09:08:12.0109 {6080A529-897E-4629-A488-ABA0C29B635E} (5b3d453a2f38105bcd0c573b94dea346) C:\WINNT\system32\drivers\ialmsbw.sys
2010/12/23 09:08:12.0593 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (e147bd61a697701096ca5c830a5adb90) C:\WINNT\system32\drivers\ialmkchw.sys
2010/12/23 09:08:14.0234 ================================================================================
2010/12/23 09:08:14.0234 Scan finished
2010/12/23 09:08:14.0234 ================================================================================



MBRCheck log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 146):
0x804D7000 \WINNT\system32\ntoskrnl.exe
0x806EE000 \WINNT\system32\hal.dll
0xF7AD7000 \WINNT\system32\KDCOM.DLL
0xF79E7000 \WINNT\system32\BOOTVID.dll
0xF7588000 ACPI.sys
0xF7AD9000 \WINNT\System32\DRIVERS\WMILIB.SYS
0xF7577000 pci.sys
0xF75D7000 isapnp.sys
0xF7B9F000 pciide.sys
0xF7857000 \WINNT\System32\DRIVERS\PCIIDEX.SYS
0xF7ADB000 viaide.sys
0xF7ADD000 intelide.sys
0xF75E7000 MountMgr.sys
0xF7558000 ftdisk.sys
0xF785F000 PartMgr.sys
0xF75F7000 VolSnap.sys
0xF7540000 atapi.sys
0xF7607000 ultra.sys
0xF7528000 \WINNT\System32\DRIVERS\SCSIPORT.SYS
0xF750F000 adpu160m.sys
0xF7617000 disk.sys
0xF7627000 \WINNT\System32\DRIVERS\CLASSPNP.SYS
0xF74EF000 fltmgr.sys
0xF74DD000 sr.sys
0xF74C6000 KSecDD.sys
0xF7439000 Ntfs.sys
0xF740C000 NDIS.sys
0xF73F2000 Mup.sys
0xF7637000 klbg.sys
0xF7647000 agp440.sys
0xF7717000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF5B1E000 \SystemRoot\System32\DRIVERS\ialmnt5.sys
0xF5B0A000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF7727000 \SystemRoot\System32\drivers\pivot.sys
0xF798F000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF59A6000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF799F000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF5897000 \SystemRoot\System32\DRIVERS\GWMDM.sys
0xF5874000 \SystemRoot\System32\DRIVERS\ks.sys
0xF79A7000 \SystemRoot\System32\Drivers\Modem.SYS
0xF79DF000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF7797000 \SystemRoot\System32\DRIVERS\serial.sys
0xF7AC3000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF583D000 \SystemRoot\System32\DRIVERS\parport.sys
0xF655A000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF7AE5000 \SystemRoot\System32\DRIVERS\Sk99202k.sys
0xF5823000 \SystemRoot\System32\drivers\keyscrambler.sys
0xF7947000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF654A000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF5811000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xF7907000 \SystemRoot\System32\Drivers\MxlW2k.SYS
0xF653A000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF652A000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF57F6000 \SystemRoot\System32\Drivers\pwd_2k.SYS
0xF7927000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xF650A000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF51AF000 \SystemRoot\system32\drivers\smwdm.sys
0xF7BCC000 \SystemRoot\system32\drivers\SENSUPGD.SYS
0xF518B000 \SystemRoot\system32\drivers\portcls.sys
0xF77F7000 \SystemRoot\system32\drivers\drmk.sys
0xF5C63000 \SystemRoot\system32\DRIVERS\klim5.sys
0xF7BCF000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF5C13000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF5CDC000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF5174000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF76A7000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF5C03000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF787F000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF7967000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF78AF000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF7887000 \SystemRoot\System32\DRIVERS\wanatw4.sys
0xF788F000 \SystemRoot\system32\DRIVERS\tap0901.sys
0xF5CD4000 \SystemRoot\System32\Drivers\PdiPorts.sys
0xF77D7000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF78C7000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF7B21000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF5116000 \SystemRoot\System32\DRIVERS\update.sys
0xF7AA7000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF791F000 \SystemRoot\System32\Drivers\mmc_2K.SYS
0xF5BF3000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7707000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF7AFF000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF7A93000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF797F000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xECF87000 \SystemRoot\system32\DRIVERS\klif.sys
0xF7B59000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7BD6000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B5B000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7B5D000 \SystemRoot\System32\DRIVERS\Sk9920nt.sys
0xF78F7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7917000 \SystemRoot\System32\drivers\vga.sys
0xF7B5F000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B61000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xEC8F4000 \SystemRoot\System32\Drivers\cdudf_xp.SYS
0xF79D7000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF792F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEC8AF000 \SystemRoot\System32\Drivers\UdfReadr_xp.SYS
0xECC0E000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xEC37D000 \??\C:\WINNT\system32\drivers\kl1.sys
0xEC36A000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xECEF0000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xEC311000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xEC2E9000 \SystemRoot\System32\DRIVERS\netbt.sys
0xEC966000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xEC2C7000 \SystemRoot\System32\drivers\afd.sys
0xECEE0000 \SystemRoot\System32\DRIVERS\netbios.sys
0xEC2A5000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xECA84000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xEC27A000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xEC20A000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xECEC0000 \SystemRoot\System32\Drivers\Fips.SYS
0xEC1E4000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xECEB0000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xECA7C000 \SystemRoot\System32\DRIVERS\usbccgp.sys
0xECFF4000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xF5BE3000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xF7ABF000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xF7737000 \??\C:\WINNT\System32\drivers\pivotmou.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\klmouflt.sys
0xEC1CC000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B9D000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6FC4000 \SystemRoot\System32\drivers\Dxapi.sys
0xECA4C000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C62000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF025000 \SystemRoot\System32\ialmrnt5.dll
0xBF033000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\wpfb_ialmrnt5.dll
0xBF052000 \SystemRoot\System32\ialmdev5.DLL
0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEC14C000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xEBF87000 \SystemRoot\system32\drivers\wdmaud.sys
0xECF00000 \SystemRoot\system32\drivers\sysaudio.sys
0xF64EA000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEBBEC000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF7B49000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xEBC29000 \??\C:\WINNT\System32\drivers\CdaC15BA.SYS
0xEB7B1000 \SystemRoot\System32\DRIVERS\srv.sys
0xF7AE3000 \SystemRoot\System32\Drivers\RioPNP.SYS
0xEBDB1000 \SystemRoot\System32\DRIVERS\secdrv.sys
0xEB3AD000 \SystemRoot\System32\Drivers\HTTP.sys
0xEB369000 \??\C:\WINNT\system32\drivers\NMSCFG.SYS
0xEB06A000 \SystemRoot\System32\DRIVERS\e100b325.sys
0x7C900000 \WINNT\system32\ntdll.dll

Processes (total 46):
0 System Idle Process
4 System
764 C:\WINNT\system32\smss.exe
844 csrss.exe
868 C:\WINNT\system32\winlogon.exe
912 C:\WINNT\system32\services.exe
924 C:\WINNT\system32\lsass.exe
1080 C:\WINNT\system32\svchost.exe
1180 svchost.exe
1324 C:\WINNT\system32\svchost.exe
1448 svchost.exe
1588 svchost.exe
1744 C:\WINNT\system32\spoolsv.exe
544 C:\WINNT\explorer.exe
680 C:\WINNT\system32\SK9910DM.EXE
688 C:\WINNT\GWMDMMSG.exe
696 C:\WINNT\system32\igfxtray.exe
712 C:\WINNT\system32\hkcmd.exe
728 C:\Program Files\CPal\CPBrWtch.exe
496 C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe
804 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
948 C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
996 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
1056 C:\Program Files\Acer Display\eDisplay Management\dthtml.exe
1416 C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
1692 C:\Program Files\Portrait Displays\Pivot Software\Floater.exe
1812 svchost.exe
1860 C:\Program Files\Advanced System Optimizer 3\ASO3DefragSrv.exe
1872 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
1900 C:\Program Files\Bonjour\mDNSResponder.exe
1936 C:\WINNT\system32\drivers\CDAC11BA.EXE
2016 C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
208 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
288 C:\WINNT\system32\NMSSvc.Exe
1160 C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
108 C:\WINNT\system32\svchost.exe
1528 wdfmgr.exe
1280 C:\WINNT\wanmpsvc.exe
2036 C:\Program Files\Common Files\Portrait Displays\Drivers\pdiSDKHelper.exe
3044 alg.exe
3532 C:\Program Files\Mozilla Firefox\firefox.exe
276 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
3784 C:\WINNT\system32\notepad.exe
3628 C:\WINNT\system32\wscntfy.exe
2848 C:\WINNT\system32\notepad.exe
3752 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD600BB-53CAA1, Rev: 17.07W17

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:54 AM

Posted 23 December 2010 - 08:29 PM

Well, that was a surprise because there's definite rootkit activity in the DDS log.

Please run Combofix

Please download ComboFix from one of these locations:

IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 brianksac

brianksac
  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:54 PM

Posted 23 December 2010 - 09:22 PM

combofix log:

ComboFix 10-12-23.02 - Owner 12/23/2010 17:48:54.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.575 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\comfix.exe
AV: Kaspersky Anti-Virus *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\Oeminfo.ini

.
((((((((((((((((((((((((( Files Created from 2010-11-24 to 2010-12-24 )))))))))))))))))))))))))))))))
.

2011-05-14 02:05 . 2010-12-12 01:37 -------- d-----w- c:\program files\WS_FTP Pro
2010-12-13 04:19 . 2010-12-13 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-13 04:19 . 2010-12-13 04:19 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-12-13 04:19 . 2010-12-13 04:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-13 03:36 . 2010-12-13 03:36 -------- d-----w- c:\program files\ESET
2010-12-13 02:37 . 2010-12-13 03:06 -------- d-----w- C:\ComboFix2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-30 01:42 . 2009-06-06 16:11 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-11-30 01:42 . 2009-06-06 16:11 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
1999-01-15 17:51 . 2004-02-21 18:20 266 ----a-w- c:\program files\internet explorer\plugins\Efile.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [BU]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-17 160328]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Key Kbd 9910 Daemon"="c:\winnt\system32\SK9910DM.EXE" [2001-01-03 66048]
"GWMDMMSG"="c:\winnt\GWMDMMSG.exe" [2002-08-06 90112]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2006-10-29 155648]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2006-10-29 126976]
"GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
"Cookie Pal"="c:\program files\CPal\CPBrWtch.exe" [2002-07-24 20523]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2009-11-12 92784]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2010-08-18 340520]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\winnt\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\winnt\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\winnt\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\winnt\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\winnt\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\winnt\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet Director.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP LaserJet Director.lnk
backup=c:\winnt\pss\HP LaserJet Director.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^j2 Tray Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\j2 Tray Menu.lnk
backup=c:\winnt\pss\j2 Tray Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=c:\winnt\pss\Live Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\winnt\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\winnt\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\winnt\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\winnt\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=c:\winnt\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\winnt\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-06-19 06:05 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 20:25 202560 ----a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezCron]
2005-07-29 18:05 77824 ----a-w- c:\my documents\Internet\rsstoblog\EZcron\ezCron.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2002-01-07 08:24 401496 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP AutoIndexer]
2002-01-03 22:05 90112 ----a-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP SchedIndexer]
2002-01-03 22:04 94208 ----a-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPLJ Config]
2002-02-05 21:07 520192 ----a-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppcfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 14:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 14:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.2]
2006-07-14 20:03 107008 ----a-w- c:\program files\j2 Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Marketing Tips Messenger]
2004-05-28 01:54 272917 ----a-w- c:\winnt\marketing tips messenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2001-08-23 21:52 331830 ----a-w- c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobipocket Reader Notifications]
2006-06-21 00:54 57344 ----a-w- c:\program files\Mobipocket.com\Mobipocket Reader\readernotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
2001-07-25 15:00 241714 ----a-w- c:\program files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QAGENT]
2001-08-01 17:30 94208 ----a-w- c:\program files\QUICKENW\qagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCMAgent]
2003-11-25 23:23 32768 ----a-w- c:\program files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-11-19 00:31 21633320 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemProtector]
2010-04-20 00:15 9999080 ----a-w- c:\program files\Advanced System Optimizer 3\systemprotector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2001-10-06 00:34 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SubmitEaze\\SubmitEaze.exe"=
"c:\\Program Files\\SubmitEaze\\SubmitEaze Help.exe"=
"c:\\Program Files\\CommentKahuna\\CommentKahuna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\4W WebMerge\\4W WebMerge.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\PC-Doctor for Windows\\Pcdrw32.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\SubmitEaze\\j2re1.6\\bin\\javaw.exe"=
"c:\\WINNT\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINNT\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\Advanced System Optimizer 3\ASO3DefragSrv.exe [1/28/2010 1:25 PM 238824]
R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2/25/2010 3:56 PM 109168]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [9/20/2002 9:45 PM 6736]
R3 KeyScrambler;KeyScrambler;c:\winnt\system32\drivers\keyscrambler.sys [4/8/2008 8:26 AM 113896]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\winnt\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
S0 qrvtni;qrvtni;c:\winnt\system32\drivers\accyt.sys --> c:\winnt\system32\drivers\accyt.sys [?]
S1 aAaAAAA;aAaAAAA;c:\winnt\system32\drivers\aAaAAAA.sys --> c:\winnt\system32\drivers\aAaAAAA.sys [?]
S3 ADASPROT;SYSTWEAKASO;c:\program files\Advanced System Optimizer 3\adasprot32.sys [1/28/2010 1:25 PM 6656]
S3 iscFlash;iscFlash;\??\c:\winnt\SYSTEM32\DRIVERS\iscflash.sys --> c:\winnt\SYSTEM32\DRIVERS\iscflash.sys [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S3 TIAu5Bt;Actiontec USB Home DSL Modem Boot Device Service;c:\winnt\system32\Drivers\tiau5bt.sys --> c:\winnt\system32\Drivers\tiau5bt.sys [?]
S3 TIAU5LN;Actiontec USB Home DSL Modem Service;c:\winnt\system32\DRIVERS\TIAU5LN.sys --> c:\winnt\system32\DRIVERS\TIAU5LN.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
*NewlyCreated* - NMSSVC
*NewlyCreated* - SYMTDI
*Deregistered* - klmd25
*Deregistered* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder

2010-12-14 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-09-21 20:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.net/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Identities Editor - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: turbotax.com
TCP: {732FD978-12B5-4A29-9837-5F2F4695FE35} = 216.131.95.20,216.131.94.5
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n6f6uwzh.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/Owner/Desktop/kindsvater.html
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: SeoQuake: {317B5128-0B0B-49b2-B2DB-1E7560E16C74} - %profile%\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
FF - Ext: RankChecker: rankchecker@seobook.com - %profile%\extensions\rankchecker@seobook.com
FF - Ext: Google Global: {B97F57B9-1B42-4aed-9475-0022600C62DC} - %profile%\extensions\{B97F57B9-1B42-4aed-9475-0022600C62DC}
FF - Ext: NoDoFollow: {c2b1f3ae-5cd5-49b7-8a0c-2c3bcbbbb294} - %profile%\extensions\{c2b1f3ae-5cd5-49b7-8a0c-2c3bcbbbb294}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-23 18:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="c:\mysql\bin\mysqld MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\HID\Vid_046d&Pid_c521&MI_00\7&bd168df&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\winnt\system32\WININET.dll
.
Completion time: 2010-12-23 18:17:47
ComboFix-quarantined-files.txt 2010-12-24 02:17
ComboFix2.txt 2010-12-13 15:34
ComboFix3.txt 2010-12-13 03:05
ComboFix4.txt 2010-12-04 05:35
ComboFix5.txt 2010-12-24 01:40

Pre-Run: 1,590,165,504 bytes free
Post-Run: 1,598,500,864 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - 208E2314F334859471A50BB65BC1D15A

#8 m0le (Malware Response Team, London, UK)

Posted 23 December 2010 - 09:34 PM

We need to rerun Combofix, as shown below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\winnt\system32\drivers\accyt.sys
c:\winnt\system32\drivers\aAaAAAA.sys

Driver::
qrvtni
aAaAAAA


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


(image: dragging CFScript.txt onto ComboFix.exe)

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by m0le, 23 December 2010 - 09:35 PM.

m0le is a proud member of UNITE
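As an added example (my own code, not part of this thread and not a ComboFix feature), here is a Python triage of ComboFix "Drivers/Services" lines that scores the signals a helper reads by eye in the two entries targeted above: a boot- or system-start driver whose image ComboFix cannot find ("[?]"), a service name that differs from its file name, and a random-looking name with no real display name. The sample lines, the weights and the threshold are my own construction; the script it renders for review uses the File::/Driver:: layout of the post above.

```python
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's "Drivers/Services" line format. The two
# boot/system-start entries ending in "[?]" mirror the ones the helper
# targeted in this thread; the other four are ordinary entries.
SAMPLE_LINES = r"""
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
S0 qrvtni;qrvtni;c:\winnt\system32\drivers\accyt.sys --> c:\winnt\system32\drivers\accyt.sys [?]
S1 aAaAAAA;aAaAAAA;c:\winnt\system32\drivers\aAaAAAA.sys --> c:\winnt\system32\drivers\aAaAAAA.sys [?]
S3 iscFlash;iscFlash;\??\c:\winnt\SYSTEM32\DRIVERS\iscflash.sys --> c:\winnt\SYSTEM32\DRIVERS\iscflash.sys [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
""".strip().splitlines()

# TYPE NAME;DESCRIPTION;PATH [INFO]  where PATH may be "X --> Y" and INFO is
# either a timestamp/size or "?" when ComboFix could not find the file.
LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)\s\[(?P<info>[^\]]*)\]$"
)


@dataclass
class DriverEntry:
    start: str          # R0/S0 boot, R1/S1 system, R2/S2 auto, R3/S3 manual
    name: str           # service or driver name
    desc: str           # display name as shown by ComboFix
    path: str           # image path after any "-->" redirection, \??\ prefix stripped
    file_missing: bool  # True when the info field is "?"


def parse_entry(line):
    """Parse one driver/service line; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("rest").split(" --> ")[-1].strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return DriverEntry(m.group("start"), m.group("name"), m.group("desc"),
                       path, m.group("info") == "?")


def looks_random(name):
    """Heuristic (my own): very few vowels, or one or two distinct letters."""
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return True
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.25 or len(set(letters)) <= 2


def score_entry(e):
    """Return (score, reasons). Weights are constructed, not from ComboFix."""
    reasons = []
    if e.file_missing:
        reasons.append(("image file not found on disk", 2))
        if e.start in ("R0", "S0", "R1", "S1"):
            reasons.append(("boot/system-start driver with no file", 1))
    if e.desc.lower() == e.name.lower():
        reasons.append(("no real display name", 1))
    if looks_random(e.name):
        reasons.append(("random-looking service name", 1))
    stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem.lower() != e.name.lower():
        reasons.append(("service name differs from file name", 1))
    return sum(w for _, w in reasons), reasons


def triage(lines, threshold=4):
    """Return [(entry, score, reasons)] for entries at or above the threshold."""
    flagged = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        score, reasons = score_entry(e)
        if score >= threshold:
            flagged.append((e, score, reasons))
    return flagged


def build_cfscript(flagged):
    """Render flagged entries in the File::/Driver:: layout used in this thread."""
    files = "\n".join(e.path for e, _, _ in flagged)
    drivers = "\n".join(e.name for e, _, _ in flagged)
    return f"File::\n{files}\n\nDriver::\n{drivers}\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for e, score, reasons in hits:
        print(f"{e.start} {e.name} -> {e.path}  score={score}")
        for text, _ in reasons:
            print(f"    - {text}")
    print(build_cfscript(hits))
```

Lowering the threshold to 3 also surfaces the two S3 entries with missing files (a manual-start flash utility and a diagnostics driver), which is the kind of benign "[?]" a reviewer would check by hand rather than script.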

#9 brianksac (Topic Starter)

Posted 23 December 2010 - 10:45 PM

New ComboFix log:

ComboFix 10-12-23.03 - Owner 12/23/2010 19:01:35.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.599 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\comfix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\winnt\system32\drivers\aAaAAAA.sys"
"c:\winnt\system32\drivers\accyt.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_aAaAAAA
-------\Service_qrvtni


((((((((((((((((((((((((( Files Created from 2010-11-24 to 2010-12-24 )))))))))))))))))))))))))))))))
.

2011-05-14 02:05 . 2010-12-12 01:37 -------- d-----w- c:\program files\WS_FTP Pro
2010-12-24 01:39 . 2010-12-24 02:18 -------- d-----w- C:\comfix
2010-12-13 04:19 . 2010-12-13 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-13 04:19 . 2010-12-13 04:19 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-12-13 04:19 . 2010-12-13 04:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-13 03:36 . 2010-12-13 03:36 -------- d-----w- c:\program files\ESET
2010-12-13 02:37 . 2010-12-13 03:06 -------- d-----w- C:\ComboFix2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-30 01:42 . 2009-06-06 16:11 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-11-30 01:42 . 2009-06-06 16:11 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
1999-01-15 17:51 . 2004-02-21 18:20 266 ----a-w- c:\program files\internet explorer\plugins\Efile.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [BU]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-17 160328]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Key Kbd 9910 Daemon"="c:\winnt\system32\SK9910DM.EXE" [2001-01-03 66048]
"GWMDMMSG"="c:\winnt\GWMDMMSG.exe" [2002-08-06 90112]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2006-10-29 155648]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2006-10-29 126976]
"GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
"Cookie Pal"="c:\program files\CPal\CPBrWtch.exe" [2002-07-24 20523]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2009-11-12 92784]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2010-08-18 340520]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\winnt\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\winnt\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\winnt\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\winnt\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\winnt\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\winnt\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet Director.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP LaserJet Director.lnk
backup=c:\winnt\pss\HP LaserJet Director.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^j2 Tray Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\j2 Tray Menu.lnk
backup=c:\winnt\pss\j2 Tray Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=c:\winnt\pss\Live Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\winnt\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\winnt\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\winnt\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\winnt\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=c:\winnt\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\winnt\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-06-19 06:05 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 20:25 202560 ----a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezCron]
2005-07-29 18:05 77824 ----a-w- c:\my documents\Internet\rsstoblog\EZcron\ezCron.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2002-01-07 08:24 401496 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP AutoIndexer]
2002-01-03 22:05 90112 ----a-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP SchedIndexer]
2002-01-03 22:04 94208 ----a-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPLJ Config]
2002-02-05 21:07 520192 ----a-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppcfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 14:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 14:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.2]
2006-07-14 20:03 107008 ----a-w- c:\program files\j2 Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Marketing Tips Messenger]
2004-05-28 01:54 272917 ----a-w- c:\winnt\marketing tips messenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2001-08-23 21:52 331830 ----a-w- c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobipocket Reader Notifications]
2006-06-21 00:54 57344 ----a-w- c:\program files\Mobipocket.com\Mobipocket Reader\readernotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
2001-07-25 15:00 241714 ----a-w- c:\program files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QAGENT]
2001-08-01 17:30 94208 ----a-w- c:\program files\QUICKENW\qagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCMAgent]
2003-11-25 23:23 32768 ----a-w- c:\program files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-11-19 00:31 21633320 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemProtector]
2010-04-20 00:15 9999080 ----a-w- c:\program files\Advanced System Optimizer 3\systemprotector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2001-10-06 00:34 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SubmitEaze\\SubmitEaze.exe"=
"c:\\Program Files\\SubmitEaze\\SubmitEaze Help.exe"=
"c:\\Program Files\\CommentKahuna\\CommentKahuna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\4W WebMerge\\4W WebMerge.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\PC-Doctor for Windows\\Pcdrw32.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\SubmitEaze\\j2re1.6\\bin\\javaw.exe"=
"c:\\WINNT\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINNT\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\Advanced System Optimizer 3\ASO3DefragSrv.exe [1/28/2010 1:25 PM 238824]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [9/20/2002 9:45 PM 6736]
R3 KeyScrambler;KeyScrambler;c:\winnt\system32\drivers\keyscrambler.sys [4/8/2008 8:26 AM 113896]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\winnt\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
S3 ADASPROT;SYSTWEAKASO;c:\program files\Advanced System Optimizer 3\adasprot32.sys [1/28/2010 1:25 PM 6656]
S3 iscFlash;iscFlash;\??\c:\winnt\SYSTEM32\DRIVERS\iscflash.sys --> c:\winnt\SYSTEM32\DRIVERS\iscflash.sys [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S3 TIAu5Bt;Actiontec USB Home DSL Modem Boot Device Service;c:\winnt\system32\Drivers\tiau5bt.sys --> c:\winnt\system32\Drivers\tiau5bt.sys [?]
S3 TIAU5LN;Actiontec USB Home DSL Modem Service;c:\winnt\system32\DRIVERS\TIAU5LN.sys --> c:\winnt\system32\DRIVERS\TIAU5LN.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSSVC
*NewlyCreated* - SYMTDI
*Deregistered* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder

2010-12-24 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-09-21 20:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.net/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Identities Editor - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: turbotax.com
TCP: {732FD978-12B5-4A29-9837-5F2F4695FE35} = 216.131.95.20,216.131.94.5
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n6f6uwzh.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/Owner/Desktop/kindsvater.html
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: SeoQuake: {317B5128-0B0B-49b2-B2DB-1E7560E16C74} - %profile%\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
FF - Ext: RankChecker: rankchecker@seobook.com - %profile%\extensions\rankchecker@seobook.com
FF - Ext: Google Global: {B97F57B9-1B42-4aed-9475-0022600C62DC} - %profile%\extensions\{B97F57B9-1B42-4aed-9475-0022600C62DC}
FF - Ext: NoDoFollow: {c2b1f3ae-5cd5-49b7-8a0c-2c3bcbbbb294} - %profile%\extensions\{c2b1f3ae-5cd5-49b7-8a0c-2c3bcbbbb294}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-23 19:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="c:\mysql\bin\mysqld MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\HID\Vid_046d&Pid_c521&MI_00\7&bd168df&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\winnt\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2200)
c:\winnt\system32\WININET.dll
c:\winnt\system32\CPWATCH.dll
c:\program files\Portrait Displays\Pivot Software\winphook.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Portrait Displays\Pivot Software\floater.exe
c:\program files\Acer Display\eDisplay Management\DTHtml.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\winnt\System32\drivers\CDAC11BA.EXE
c:\program files\Common Files\Portrait Displays\Shared\dtsrvc.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\winnt\System32\NMSSvc.exe
c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
c:\winnt\System32\wdfmgr.exe
c:\winnt\wanmpsvc.exe
c:\program files\Common Files\Portrait Displays\Drivers\pdiSdkHelper.exe
c:\winnt\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-23 19:40:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-24 03:40
ComboFix2.txt 2010-12-24 02:17
ComboFix3.txt 2010-12-13 15:34
ComboFix4.txt 2010-12-13 03:05
ComboFix5.txt 2010-12-24 02:56

Pre-Run: 1,613,094,912 bytes free
Post-Run: 1,704,452,096 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - 701A891DCD3711BE4395474874FAF363

#10 m0le (Malware Response Team, London, UK)

Posted 24 December 2010 - 08:11 PM

Please run ESET's online scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

#11 brianksac (Topic Starter)

Posted 25 December 2010 - 08:26 PM

ESETScan.txt log report:

C:\My Documents\download\registrybooster2rboupd.exe a variant of Win32/RegistryBooster application deleted - quarantined

#12 m0le (Malware Response Team, London, UK)

Posted 25 December 2010 - 09:15 PM

Well, that looks fine now. Any symptoms showing?

#13 brianksac (Topic Starter)

Posted 27 December 2010 - 08:39 PM

Been 2 days and everything seems to be fine and clear.

Much appreciated and a donation has been made.

#14 m0le (Malware Response Team, London, UK)

Posted 27 December 2010 - 08:44 PM

Thanks :). Glad we could deal with the problem; we can now clear up and you can carry on surfing!

You're clean. Good stuff! :thumbup2:

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it brianksac and a happy new year to you.

Cheers.

m0le

#15 m0le (Malware Response Team, London, UK)

Posted 01 January 2011 - 09:01 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



