Malware Infection: Possible Rootkit.TDSS.Gen


This topic is locked
2 replies to this topic

#1 Icarian
Members, 4 posts

Posted 14 December 2010 - 07:47 PM

Hello,

Thanks for helping me out with this particularly stubborn problem. I've been running Malwarebytes, AVG, and Windows Security Essentials but can't seem to shake this bug.

Symptoms:
It will often bring me to third-party websites after I click on links from Google searches.
Windows Explorer will sometimes revert to the Windows Classic theme without my instructing it to.
The computer will be fine one second, then extremely sluggish the next.
On startup I get an error message: "Error loading C:\WINDOWS\umomadoyadomipu.dll. The specified module could not be found."
Sometimes my desktop (taskbar, icons) will not load after startup.
I cannot post onto the forum with the afflicted computer; it says the webpage is unavailable.

Also, I ran ComboFix before reading the Preparation Guide - I apologize. Here are the items currently in my Malwarebytes quarantine; the earliest one was found on 11/29/2010, so they are all fairly recent:

Trojan.Hiloti
Rootkit.TDSS.Gen
Malware.Trace
Trojan.BHO
Trojan.Agent
Rogue.SpyDefender
Adware.MyWebSearch
Adware.Admedia

I thank you all in advance.

And here are my logs:

DDS (Ver_10-12-12.02) - NTFSx86
Run by GBC at 18:40:40.35 on Tue 12/14/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.633 [GMT -5:00]

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Godwin B. Chen\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
uInternet Settings,ProxyServer = proxy.nyit.edu:80
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [Google Update] "c:\documents and settings\godwin b. chen\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Wireless Console] c:\program files\asus\wireless console\wcourier.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Mpavidayiyu] rundll32.exe "c:\windows\umomadoyadomipu.dll",Startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMan] SOUNDMAN.EXE
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\godwin~1.che\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\godwin b. chen\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\godwin~1.che\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://65.175.208.71:888/VatDec.cab
DPF: {583EDC6D-F8C9-4067-AB67-0DECF1800482} - hxxp://192.168.0.200/sdvrcms.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161431519718
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} - hxxp://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,37
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2009-1-18 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2009-1-18 5248]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\c:\windows\system32\plcmpr5.sys --> c:\windows\system32\PLCMPR5.SYS [?]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\plcndis5.sys --> c:\windows\system32\PLCNDIS5.SYS [?]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [2009-10-6 41984]

=============== Created Last 30 ================

2010-12-14 23:03:08 -------- d-----w- c:\program files\Winamp Detect
2010-12-14 22:42:15 -------- d-----w- c:\program files\Secunia
2010-12-14 22:10:04 -------- d-sha-r- C:\cmdcons
2010-12-14 22:03:54 98816 ----a-w- c:\windows\sed.exe
2010-12-14 22:03:54 89088 ----a-w- c:\windows\MBR.exe
2010-12-14 22:03:54 256512 ----a-w- c:\windows\PEV.exe
2010-12-14 22:03:54 161792 ----a-w- c:\windows\SWREG.exe
2010-12-14 21:31:29 4677 -c--a-w- c:\windows\system32\dllcache\zeeverm.dll
2010-12-14 21:31:29 41029 -c--a-w- c:\windows\system32\dllcache\zcorem.dll
2010-12-14 21:31:29 36937 -c--a-w- c:\windows\system32\dllcache\zclientm.exe
2010-12-14 21:31:29 29760 -c--a-w- c:\windows\system32\dllcache\znetm.dll
2010-12-14 21:31:29 13894 -c--a-w- c:\windows\system32\dllcache\zonelibm.dll
2010-12-14 21:31:29 113222 -c--a-w- c:\windows\system32\dllcache\zoneclim.dll
2010-12-14 21:31:11 5632 -c--a-w- c:\windows\system32\dllcache\write.exe
2010-12-14 21:29:58 79872 -c--a-w- c:\windows\system32\dllcache\rwia330.dll
2010-12-14 21:28:54 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-12-14 21:27:59 57856 -c--a-w- c:\windows\system32\dllcache\esuimgd.dll
2010-12-14 21:26:59 29696 -c--a-w- c:\windows\system32\dllcache\admexs.dll
2010-12-14 21:20:55 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-12-14 21:20:55 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2010-12-14 21:20:13 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-12-14 21:20:13 32768 ----a-w- c:\program files\internet explorer\connection wizard\icwdl.dll
2010-12-14 21:20:12 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2010-12-14 21:20:12 20480 ----a-w- c:\program files\internet explorer\connection wizard\inetwiz.exe
2010-12-14 21:20:11 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2010-12-14 21:20:11 86016 ----a-w- c:\program files\internet explorer\connection wizard\icwconn2.exe
2010-12-14 21:20:11 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2010-12-14 21:20:11 214528 ----a-w- c:\program files\internet explorer\connection wizard\icwconn1.exe
2010-12-14 21:16:31 87424 ----a-w- c:\windows\system32\drivers\irda.sys
2010-12-14 21:16:31 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-12-14 21:16:31 27136 ----a-w- c:\windows\system32\irmon.dll
2010-12-14 21:16:31 152576 ----a-w- c:\windows\system32\irftp.exe
2010-12-14 21:08:45 19584 ----a-w- c:\windows\system32\drivers\rasirda.sys
2010-12-14 21:02:05 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-12-14 21:02:05 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-12-14 21:02:05 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-12-14 21:02:05 13312 ----a-w- c:\windows\system32\irclass.dll
2010-12-14 21:01:33 13753 ----a-r- c:\windows\SET13A.tmp
2010-12-14 21:01:28 1086058 ----a-r- c:\windows\SET12E.tmp
2010-12-14 21:01:23 1042903 ----a-r- c:\windows\SET12B.tmp
2010-12-14 20:43:41 -------- d-----w- c:\windows\setup.pss
2010-12-14 07:52:50 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-12-12 20:04:13 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2010-12-12 20:04:13 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2010-12-12 20:04:04 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-12-12 20:02:56 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2010-12-12 20:02:47 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2010-12-12 20:02:47 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2010-12-12 20:02:43 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2010-12-12 20:02:38 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2010-12-12 20:02:34 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2010-12-12 20:02:34 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
2010-12-12 20:02:29 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2010-12-12 20:02:18 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2010-12-12 20:02:11 238088 ----a-w- c:\windows\system32\xactengine3_0.dll
2010-12-12 20:02:10 25608 ----a-w- c:\windows\system32\X3DAudio1_3.dll
2010-12-12 20:02:07 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2010-12-12 20:02:06 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2010-12-12 20:01:57 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2010-12-12 20:01:50 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2010-12-12 20:01:34 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2010-12-12 20:01:34 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2010-12-12 20:01:30 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2010-12-12 20:01:20 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-12-12 20:01:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2010-12-12 20:01:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2010-12-12 20:01:06 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2010-12-12 20:00:58 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2010-12-12 20:00:58 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll
2010-12-12 20:00:55 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2010-12-12 20:00:55 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2010-12-12 20:00:44 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2010-12-12 20:00:34 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-12-12 20:00:25 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2010-12-12 20:00:14 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2010-12-12 20:00:14 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2010-12-12 19:59:58 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2010-12-12 19:59:53 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2010-12-12 19:59:50 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2010-12-12 19:59:47 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-12-12 19:59:43 237848 ----a-w- c:\windows\system32\xactengine2_4.dll
2010-12-12 19:59:43 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll
2010-12-12 19:59:41 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-12-12 19:59:37 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2010-12-12 19:59:35 62744 ----a-w- c:\windows\system32\xinput1_2.dll
2010-12-12 19:54:46 -------- d-----w- c:\windows\Logs
2010-12-11 15:35:07 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{14138956-82b0-4cff-b85e-f3248380f64f}\mpengine.dll
2010-12-11 15:31:22 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-09 04:53:23 -------- d-----w- c:\program files\TweetDeck
2010-11-29 18:08:34 -------- d-----w- c:\docume~1\godwin~1.che\applic~1\Malwarebytes
2010-11-29 18:08:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 18:08:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-29 18:08:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 18:08:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-29 17:54:10 0 ----a-w- c:\windows\Bxeginozu.bin

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2100AT rev.00000096 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86E6A555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86e707b0]; MOV EAX, [0x86e7082c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E3D45] -> \Device\Harddisk0\DR0[0x86F8CAB8]
3 CLASSPNP[0xF751005B] -> nt!IofCallDriver[0x804E3D45] -> \Device\00000089[0x86F1C9E8]
5 ACPI[0xF7466620] -> nt!IofCallDriver[0x804E3D45] -> [0x86F74940]
\Driver\atapi[0x86F8D330] -> IRP_MJ_CREATE -> 0x86E6A555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskFUJITSU_MHV2100AT_______________________00000096#5&32d8631f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86E6A39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 18:42:24.76 ===============


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-14 19:04:47
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 FUJITSU_MHV2100AT rev.00000096
Running: gmer.exe; Driver: C:\DOCUME~1\GODWIN~1.CHE\LOCALS~1\Temp\pxtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF7447818]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xF74477D0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF743BA20]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF743C2A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF7447910]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF7447794]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF743C2C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF7447866]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF74470B0]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\GODWIN~1.CHE\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[316] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00EC000A
.text C:\WINDOWS\Explorer.EXE[316] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00ED000A
.text C:\WINDOWS\Explorer.EXE[316] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00EB000C
.text C:\WINDOWS\System32\svchost.exe[1512] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 008E000A
.text C:\WINDOWS\System32\svchost.exe[1512] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 008F000A
.text C:\WINDOWS\System32\svchost.exe[1512] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 008D000C
.text C:\WINDOWS\System32\svchost.exe[1512] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 00A8000A
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 1 Byte [28]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F39C
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F430
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F5BD
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 1 Byte [68]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1824] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 1 Byte [28]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F39C
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F430
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F5BD
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 1 Byte [68]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2220] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 1 Byte [28]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F39C
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F430
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F5BD
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 1 Byte [68]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Godwin B. Chen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F753E8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Cdrom \Device\CdRom0 86C7A598
Device \FileSystem\Rdbss \Device\FsWrap 86D53388
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86E6A39B
Device \Driver\atapi \Device\Ide\IdePort0 86B55CE0
Device \Driver\atapi \Device\Ide\IdePort0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 86E6A39B
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 86B55CE0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c
Device \Driver\Cdrom \Device\CdRom1 86C7A598
Device \FileSystem\Srv \Device\LanmanServer 86D601E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86D535A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86D535A0
Device \FileSystem\Npfs \Device\NamedPipe 86DE5260
Device \FileSystem\Msfs \Device\Mailslot 86D561F0
Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 86ABDBB8
Device \Driver\d347prt \Device\Scsi\d347prt1 86ABDBB8
Device \FileSystem\Fastfat \Fat B532FC8A
Device \FileSystem\Fastfat \Fat 86BDA240

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 86DE2830
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 86DE2830
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 86DE2830
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 86DE2830
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 86DE2830
Device \FileSystem\Cdfs \Cdfs 86DE2618
Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskFUJITSU_MHV2100AT_______________________00000096#5&32d8631f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Modules - GMER 1.0.15 ----

Module _________ F7298000-F72B0000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0x84 0x95 0xD8 0x2C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xCC 0xE9 0xE1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xCC 0xE9 0xE1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xCC 0xE9 0xE1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xCC 0xE9 0xE1 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths@Directory C:\Documents and Settings\Godwin B. Chen\Local Settings\Temporary Internet Files\Content.IE5
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1@CacheLimit 262144
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1@CachePath C:\Documents and Settings\Godwin B. Chen\Local Settings\Temporary Internet Files\Content.IE5\Cache1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2@CacheLimit 262144
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2@CachePath C:\Documents and Settings\Godwin B. Chen\Local Settings\Temporary Internet Files\Content.IE5\Cache2
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3@CacheLimit 262144
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3@CachePath C:\Documents and Settings\Godwin B. Chen\Local Settings\Temporary Internet Files\Content.IE5\Cache3
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4@CacheLimit 262144
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4@CachePath C:\Documents and Settings\Godwin B. Chen\Local Settings\Temporary Internet Files\Content.IE5\Cache4
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@xF\xa6\6m\5\x2018|\1\ImageUploader4.ocx 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@šT\x2026\vm\5\x2018|\1\ImageUploader4.ocx 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Godwin B. Chen\Local Settings\temp\~DFBA23.tmp 16384 bytes
File C:\Documents and Settings\Godwin B. Chen\Local Settings\temp\~DFBA33.tmp 512 bytes

---- EOF - GMER 1.0.15 ----


ComboFix 10-12-14.01 - GBC 12/14/2010 17:18:34.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.707 [GMT -5:00]
Running from: c:\documents and settings\Godwin B. Chen\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Godwin B. Chen\Application Data\install
c:\documents and settings\Godwin B. Chen\Local Settings\Application Data\{D30DD39F-AD78-4E1A-BD71-D7757F97B105}
c:\documents and settings\Godwin B. Chen\Local Settings\Application Data\{D30DD39F-AD78-4E1A-BD71-D7757F97B105}\chrome.manifest
c:\documents and settings\Godwin B. Chen\Local Settings\Application Data\{D30DD39F-AD78-4E1A-BD71-D7757F97B105}\chrome\content\_cfg.js
c:\documents and settings\Godwin B. Chen\Local Settings\Application Data\{D30DD39F-AD78-4E1A-BD71-D7757F97B105}\chrome\content\overlay.xul
c:\documents and settings\Godwin B. Chen\Local Settings\Application Data\{D30DD39F-AD78-4E1A-BD71-D7757F97B105}\install.rdf
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\daemon.dll
c:\windows\system32\suspend.bin
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
.

2010-12-14 21:31 . 2004-08-04 12:00 4677 -c--a-w- c:\windows\system32\dllcache\zeeverm.dll
2010-12-14 21:31 . 2004-08-04 12:00 41029 -c--a-w- c:\windows\system32\dllcache\zcorem.dll
2010-12-14 21:31 . 2004-08-04 12:00 36937 -c--a-w- c:\windows\system32\dllcache\zclientm.exe
2010-12-14 21:31 . 2004-08-04 12:00 29760 -c--a-w- c:\windows\system32\dllcache\znetm.dll
2010-12-14 21:31 . 2004-08-04 12:00 13894 -c--a-w- c:\windows\system32\dllcache\zonelibm.dll
2010-12-14 21:31 . 2004-08-04 12:00 113222 -c--a-w- c:\windows\system32\dllcache\zoneclim.dll
2010-12-14 21:31 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\write.exe
2010-12-14 21:29 . 2004-08-04 12:00 79872 -c--a-w- c:\windows\system32\dllcache\rwia330.dll
2010-12-14 21:28 . 2004-08-04 12:00 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-12-14 21:27 . 2004-08-04 12:00 57856 -c--a-w- c:\windows\system32\dllcache\esuimgd.dll
2010-12-14 21:26 . 2004-08-04 12:00 29696 -c--a-w- c:\windows\system32\dllcache\admexs.dll
2010-12-14 21:20 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-12-14 21:20 . 2004-08-04 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2010-12-14 21:20 . 2004-08-04 12:00 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-12-14 21:20 . 2004-08-04 12:00 32768 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwdl.dll
2010-12-14 21:20 . 2004-08-04 12:00 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2010-12-14 21:20 . 2004-08-04 12:00 20480 ----a-w- c:\program files\Internet Explorer\Connection Wizard\inetwiz.exe
2010-12-14 21:20 . 2004-08-04 12:00 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2010-12-14 21:20 . 2004-08-04 12:00 86016 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn2.exe
2010-12-14 21:20 . 2004-08-04 12:00 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2010-12-14 21:20 . 2004-08-04 12:00 214528 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe
2010-12-14 21:16 . 2004-08-04 05:56 152576 ----a-w- c:\windows\system32\irftp.exe
2010-12-14 21:16 . 2004-08-04 05:56 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-12-14 21:16 . 2004-08-04 05:56 27136 ----a-w- c:\windows\system32\irmon.dll
2010-12-14 21:16 . 2004-08-04 04:00 87424 ----a-w- c:\windows\system32\drivers\irda.sys
2010-12-14 21:08 . 2001-08-17 18:51 19584 ----a-w- c:\windows\system32\drivers\rasirda.sys
2010-12-14 21:02 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-12-14 21:02 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-12-14 21:02 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-12-14 21:02 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-12-14 21:01 . 2004-08-04 12:00 13753 ----a-r- c:\windows\SET13A.tmp
2010-12-14 21:01 . 2004-08-04 12:00 1086058 ----a-r- c:\windows\SET12E.tmp
2010-12-14 21:01 . 2004-08-04 12:00 1042903 ----a-r- c:\windows\SET12B.tmp
2010-12-14 07:52 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-12-12 20:04 . 2009-03-09 20:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2010-12-12 20:04 . 2009-03-09 20:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2010-12-12 20:04 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-12-12 20:02 . 2008-07-10 16:00 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2010-12-12 20:02 . 2008-05-30 19:19 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2010-12-12 20:02 . 2008-05-30 19:17 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2010-12-12 20:02 . 2008-05-30 19:18 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2010-12-12 20:02 . 2008-05-30 19:17 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2010-12-12 20:02 . 2008-05-30 19:11 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2010-12-12 20:02 . 2008-05-30 19:11 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
2010-12-12 20:02 . 2008-05-30 19:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2010-12-12 20:02 . 2008-03-05 21:03 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2010-12-12 20:02 . 2008-03-05 21:03 238088 ----a-w- c:\windows\system32\xactengine3_0.dll
2010-12-12 20:02 . 2008-03-05 21:00 25608 ----a-w- c:\windows\system32\X3DAudio1_3.dll
2010-12-12 20:02 . 2008-03-05 20:56 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2010-12-12 20:02 . 2008-02-06 04:07 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2010-12-12 20:01 . 2008-03-05 20:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2010-12-12 20:01 . 2007-10-22 08:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2010-12-12 20:01 . 2007-10-12 20:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2010-12-12 20:01 . 2007-10-02 14:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2010-12-12 20:01 . 2007-10-12 20:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2010-12-12 20:01 . 2007-07-20 05:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-12-12 20:01 . 2007-07-19 23:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2010-12-12 20:01 . 2007-07-19 23:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2010-12-12 20:01 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2010-12-12 20:00 . 2007-10-22 08:37 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll
2010-12-12 20:00 . 2007-06-21 01:46 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2010-12-12 20:00 . 2007-05-16 21:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2010-12-12 20:00 . 2007-05-16 21:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2010-12-12 20:00 . 2007-05-16 21:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2010-12-12 20:00 . 2007-04-04 23:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-12-12 20:00 . 2007-04-04 23:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2010-12-12 20:00 . 2007-03-15 21:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2010-12-12 20:00 . 2007-03-12 21:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2010-12-12 19:59 . 2007-03-12 21:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2010-12-12 19:59 . 2007-01-24 20:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2010-12-12 19:59 . 2006-12-08 17:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2010-12-12 19:59 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-12-12 19:59 . 2007-03-05 17:42 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll
2010-12-12 19:59 . 2006-09-28 21:05 237848 ----a-w- c:\windows\system32\xactengine2_4.dll
2010-12-12 19:59 . 2006-09-28 21:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-12-12 19:59 . 2006-07-28 14:30 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2010-12-12 19:59 . 2006-07-28 14:30 62744 ----a-w- c:\windows\system32\xinput1_2.dll
2010-12-12 19:54 . 2010-12-12 19:54 -------- d-----w- c:\windows\Logs
2010-12-11 15:35 . 2010-11-16 17:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{14138956-82B0-4CFF-B85E-F3248380F64F}\mpengine.dll
2010-12-11 15:31 . 2010-12-14 21:43 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-10 21:50 . 2010-12-10 21:50 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-12-10 21:50 . 2010-12-10 21:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2010-12-09 04:53 . 2010-12-09 04:53 -------- d-----w- c:\program files\TweetDeck
2010-12-08 14:20 . 2010-12-08 14:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-03 01:10 . 2010-12-03 01:10 -------- d-----w- c:\program files\Common Files\Adobe
2010-11-29 18:08 . 2010-11-29 18:08 -------- d-----w- c:\documents and settings\Godwin B. Chen\Application Data\Malwarebytes
2010-11-29 18:08 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 18:08 . 2010-11-29 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-29 18:08 . 2010-12-08 15:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-29 18:08 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 17:54 . 2010-12-01 18:20 0 ----a-w- c:\windows\Bxeginozu.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-05-04 00:32 . 2007-05-04 00:32 961024 c:\program files\Ares\bak\Ares.exe

2005-11-11 02:20 . 2005-07-22 18:36 57344 c:\program files\ASUS\Wireless Console\bak\wcourier.exe

2007-12-19 20:13 . 2007-12-19 20:13 486856 c:\program files\DAEMON Tools Lite\bak\daemon.exe

2005-08-29 03:30 . 2006-11-18 19:24 110592 c:\windows\ATK0100\bak\HControl.exe
2008-01-29 06:34 . 2006-08-10 21:10 110592 c:\windows\ATK0100\HControl.exe

2004-08-20 19:18 . 2004-08-05 00:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-04 12:00 . 2004-08-04 12:00 15360 c:\windows\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Godwin B. Chen\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Godwin B. Chen\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Godwin B. Chen\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Google Update"="c:\documents and settings\Godwin B. Chen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-23 136176]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-14 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wireless Console"="c:\program files\ASUS\Wireless Console\wcourier.exe" [N/A]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-08-10 110592]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Mpavidayiyu"="c:\windows\umomadoyadomipu.dll" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-05 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-05 44032]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-23 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-23 688218]
"SoundMan"="SOUNDMAN.EXE" [2004-11-05 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-05 44544]

c:\documents and settings\Godwin B. Chen\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Godwin B. Chen\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Godwin B. Chen^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\Godwin B. Chen\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2006-08-01 19:35 67112 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
c:\program files\Ares\Ares.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-05-13 01:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-04 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-05-15 01:01 644696 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 22:05 81920 ----a-w- c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
2004-02-28 16:12 144896 ----a-w- c:\progra~1\AIM\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScanUtility]
2007-05-21 08:37 124512 ----a-w- c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
c:\program files\MSN Messenger\MsnMsgr.Exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 19:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 23:42 32768 ----a-w- c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-11-05 14:03 73728 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyDefender Shield]
c:\program files\SpyDefender Pro\SpyDefender.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
c:\program files\Steam\Steam.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 06:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-12-23 04:35 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-12-23 04:35 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-01-15 22:54 37376 ----a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16Student\\spss.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Godwin B. Chen\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\magic the gathering - duels of the planeswalkers\\DotP.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [1/18/2009 6:13 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [1/18/2009 6:13 PM 5248]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/27/2007 8:28 AM 715248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 11:05 PM 135664]
S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\c:\windows\system32\PLCMPR5.SYS --> c:\windows\system32\PLCMPR5.SYS [?]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\PLCNDIS5.SYS --> c:\windows\system32\PLCNDIS5.SYS [?]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [10/6/2009 2:11 AM 41984]
.
Contents of the 'Scheduled Tasks' folder

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 04:05]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 04:05]

2010-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1855222660-2617649676-3897588483-1004Core.job
- c:\documents and settings\Godwin B. Chen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-10 18:20]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1855222660-2617649676-3897588483-1004UA.job
- c:\documents and settings\Godwin B. Chen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-10 18:20]

2010-12-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]

2010-12-14 c:\windows\Tasks\User_Feed_Synchronization-{6E3A142A-708E-4846-9523-5DABEABB8E73}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
uInternet Settings,ProxyServer = proxy.nyit.edu:80
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://65.175.208.71:888/VatDec.cab
DPF: {583EDC6D-F8C9-4067-AB67-0DECF1800482} - hxxp://192.168.0.200/sdvrcms.cab
FF - ProfilePath - c:\documents and settings\Godwin B. Chen\Application Data\Mozilla\Firefox\Profiles\y0ay2sez.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WebSlingPlayer: {9EB34849-81D3-4841-939D-666D522B889A} - %profile%\extensions\{9EB34849-81D3-4841-939D-666D522B889A}
.
- - - - ORPHANS REMOVED - - - -

AddRemove-WinAlarm - c:\program files\Winamp\uninst-winalarm.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-14 17:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2100AT rev.00000096 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86E6B555]<<
c:\docume~1\GODWIN~1.CHE\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86e717b0]; MOV EAX, [0x86e7182c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E3D45] -> \Device\Harddisk0\DR0[0x86F86AB8]
3 CLASSPNP[0xF751005B] -> nt!IofCallDriver[0x804E3D45] -> \Device\00000089[0x86F129E8]
5 ACPI[0xF7466620] -> nt!IofCallDriver[0x804E3D45] -> [0x86F12D98]
\Driver\atapi[0x86F2E1A0] -> IRP_MJ_CREATE -> 0x86E6B555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskFUJITSU_MHV2100AT_______________________00000096#5&32d8631f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86E6B39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-12-14 17:38:55
ComboFix-quarantined-files.txt 2010-12-14 22:38

Pre-Run: 13,572,500,480 bytes free
Post-Run: 16,249,173,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - A5E892A84BC92EAC4721CCE2051EA0EC

#2 Icarian

Icarian
  • Topic Starter

  • Members
  • 4 posts
  • Local time:10:47 PM

Posted 17 December 2010 - 11:32 AM

I am already receiving help on this issue, please ignore/delete thread.

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:47 AM

Posted 19 December 2010 - 07:50 PM

Thanks for letting me know :thumbup2:

-----------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE