Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

redirect hijack possible TDL3 rootkit infection


  • This topic is locked This topic is locked
19 replies to this topic

#1 rodbic

rodbic

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 19 December 2010 - 02:56 PM

Google search looks normal but I am redirected from the site given by google.
I have updated and run AVGin safemode, (now deleted, combofix instruction) in safe mode, Ad-aware, spybot, Malwarbytes anti-malware.
My helper advised running ComBofix, (in normal mode) which reported "possible TDL3 rootkit infection". This done before visiting bleeping, and seeing the strong instruction not to do this. I append the log.txt at the end produced by combofix. I am still well and truly hijacked, I had to use a different computer to find you, but can access you directly.
Ant help will be sincerely appreciated




DDS (Ver_10-12-12.02) - NTFSx86
Run by rod at 16:54:52.89 on 19/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1115 [GMT 0:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\TV Tuner USB\MediaDetector.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\rod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\rod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\rod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\rod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rod\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://uk.yahoo.com
mStart Page = hxxp://uk.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn0.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn0.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn0.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BlazeServoTool] "c:\program files\tv tuner usb\MediaDetector.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Google Update] "c:\documents and settings\rod\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-28 64288]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-11-5 12672]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-9-3 68136]
R3 AF05BDA;AF9005 BDA Device;c:\windows\system32\drivers\AF05BDA.sys [2009-11-21 117376]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-7 136176]
S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\gpotato\flyff\gameguard\dump_wmimmc.sys --> c:\program files\gpotato\flyff\gameguard\dump_wmimmc.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1389400]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]

=============== Created Last 30 ================

2010-12-19 15:33:04 709456 ----a-w- c:\windows\isRS-000.tmp
2010-12-18 23:41:22 -------- d-sha-r- C:\cmdcons
2010-12-18 23:38:46 98816 ----a-w- c:\windows\sed.exe
2010-12-18 23:38:46 89088 ----a-w- c:\windows\MBR.exe
2010-12-18 23:38:46 256512 ----a-w- c:\windows\PEV.exe
2010-12-18 23:38:46 161792 ----a-w- c:\windows\SWREG.exe
2010-12-18 20:32:27 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-18 20:28:23 -------- d-----w- c:\docume~1\rod\locals~1\applic~1\Sunbelt Software
2010-12-18 19:24:03 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-15 10:29:21 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-15 10:29:21 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-15 10:03:33 -------- d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2010-12-19 15:34:56 16608 ----a-w- c:\windows\gdrv.sys
2010-12-03 09:05:33 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-10-11 22:20:27 4406552 ----a-w- c:\windows\system32\GameMon.des
2010-09-23 13:35:50 279896 ----a-r- c:\windows\system32\cpnprtuk.cid
2010-09-23 13:35:48 398744 ----a-r- c:\windows\system32\cpnprt2.cid
2010-09-23 13:35:41 31 ---ha-w- c:\windows\UKCpInfo.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDT721010SLA360 rev.ST6OA31B -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A55C555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5627b0]; MOV EAX, [0x8a56282c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A5CCAB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000005e[0x8A57C4A8]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A505940]
\Driver\atapi[0x8A5CB948] -> IRP_MJ_CREATE -> 0x8A55C555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDT721010SLA360_________________ST6OA31B#5&17ef7b8e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A55C39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 16:56:06.82 ===============

[EDIT]
Update 21:30 Internet security 2011 appeared, added problem, forum advice was to do nothing until this is answered.
I intend doing nothing and only working in safe mode until I am advised.

Attached Files


Edited by rodbic, 19 December 2010 - 04:55 PM.


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 29 December 2010 - 09:10 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 rodbic

rodbic
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 31 December 2010 - 08:22 AM

Good afternoon, I am so pleased to see a reply, THANK YOU. I have not attempted to use the pc since I posted the edit, and working from an old pc which has no sound and cannot manage moving images. I am past retirement age and am not good on pc's, but can get (delayed) help from my son. My PC is networked to this one, but I have avoided using the network for fear of cross contamination.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 31 December 2010 - 03:28 PM

Okay, well I'll take it slowly. Let me know if you need anything explained and ask any questions you need to.

First thing is that, yes, TDL3 is the infection. This is a variant of the TDSS rootkit and we can use this tool to remove it.


  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

Posted Image
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 02 January 2011 - 08:23 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
Posted Image
m0le is a proud member of UNITE

#6 rodbic

rodbic
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 03 January 2011 - 09:27 AM

I saw your 2nd reply and responded, but can now see that it was not posted.
Should i follow instructions in safe mode, or normal mode.
Did you see my edit of the original post:
[EDIT]
Update 21:30 Internet security 2011 appeared, added problem, forum advice was to do nothing until this is answered.
I intend doing nothing and only working in safe mode until I am advised.

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 03 January 2011 - 07:43 PM

Do everything in normal mode unless I specifically request Safe Mode.

Please run TDSSKiller now.
Posted Image
m0le is a proud member of UNITE

#8 rodbic

rodbic
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 04 January 2011 - 06:20 PM

hi, thank you
I followed the instruction.
the expected infection was found and pressed "reboot now"
Obviously there was no "close" to click
I opened the rout of C and there was no .txt file created today.
the report was on the desk top:

2011/01/04 22:55:13.0615 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/04 22:55:13.0615 ================================================================================
2011/01/04 22:55:13.0615 SystemInfo:
2011/01/04 22:55:13.0615
2011/01/04 22:55:13.0615 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/04 22:55:13.0615 Product type: Workstation
2011/01/04 22:55:13.0615 ComputerName: RODBIC
2011/01/04 22:55:13.0615 UserName: rod
2011/01/04 22:55:13.0615 Windows directory: C:\WINDOWS
2011/01/04 22:55:13.0615 System windows directory: C:\WINDOWS
2011/01/04 22:55:13.0615 Processor architecture: Intel x86
2011/01/04 22:55:13.0615 Number of processors: 2
2011/01/04 22:55:13.0615 Page size: 0x1000
2011/01/04 22:55:13.0615 Boot type: Normal boot
2011/01/04 22:55:13.0615 ================================================================================
2011/01/04 22:55:14.0006 Initialize success
2011/01/04 22:55:25.0084 ================================================================================
2011/01/04 22:55:25.0084 Scan started
2011/01/04 22:55:25.0084 Mode: Manual;
2011/01/04 22:55:25.0084 ================================================================================
2011/01/04 22:55:26.0740 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/04 22:55:26.0772 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/04 22:55:26.0818 adfs (6d7f09cd92a9fef3a8efce66231fdd79) C:\WINDOWS\system32\drivers\adfs.sys
2011/01/04 22:55:26.0928 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/04 22:55:26.0959 AF05BDA (593da4d53aed56f4172d270649333957) C:\WINDOWS\system32\drivers\AF05BDA.sys
2011/01/04 22:55:27.0006 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/04 22:55:27.0303 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/04 22:55:27.0350 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/04 22:55:27.0397 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/04 22:55:27.0459 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/04 22:55:27.0490 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/04 22:55:27.0584 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/04 22:55:27.0662 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/01/04 22:55:27.0725 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/04 22:55:27.0740 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/04 22:55:27.0803 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/04 22:55:27.0928 cpuz132 (097a0a4899b759a4f032bd464963b4be) C:\WINDOWS\system32\drivers\cpuz132_x32.sys
2011/01/04 22:55:27.0990 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/04 22:55:28.0037 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/04 22:55:28.0115 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/04 22:55:28.0178 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/04 22:55:28.0209 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/04 22:55:28.0256 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/04 22:55:28.0334 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/04 22:55:28.0365 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/04 22:55:28.0397 FilterService (b73ec688c29f81f9da0fcf63682b3ecb) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
2011/01/04 22:55:28.0428 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/04 22:55:28.0459 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/04 22:55:28.0553 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/04 22:55:28.0584 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/04 22:55:28.0615 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/04 22:55:28.0647 gdrv (c6e3105b8c68c35cc1eb26a00fd1a8c6) C:\WINDOWS\gdrv.sys
2011/01/04 22:55:29.0162 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/04 22:55:29.0225 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/01/04 22:55:29.0240 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/04 22:55:29.0303 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/04 22:55:29.0397 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/04 22:55:29.0443 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/04 22:55:29.0584 IntcAzAudAddService (db589671e0c403d65884cf0b50600fcd) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/01/04 22:55:29.0725 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/04 22:55:29.0756 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/04 22:55:29.0787 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/04 22:55:29.0803 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/04 22:55:29.0865 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/04 22:55:29.0912 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/04 22:55:29.0943 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/04 22:55:29.0959 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/04 22:55:30.0037 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/04 22:55:30.0068 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/04 22:55:30.0084 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/04 22:55:30.0131 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/04 22:55:30.0178 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/01/04 22:55:30.0272 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\WINDOWS\system32\DRIVERS\lvrs.sys
2011/01/04 22:55:30.0443 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2011/01/04 22:55:30.0600 ManyCam (c6d085c7045200143528136a43a65fde) C:\WINDOWS\system32\DRIVERS\ManyCam.sys
2011/01/04 22:55:30.0631 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/04 22:55:30.0662 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/04 22:55:30.0693 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/04 22:55:30.0772 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/04 22:55:30.0818 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/04 22:55:30.0865 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
2011/01/04 22:55:30.0897 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/04 22:55:30.0959 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/04 22:55:31.0037 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/04 22:55:31.0068 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/04 22:55:31.0100 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/04 22:55:31.0115 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/04 22:55:31.0131 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/04 22:55:31.0193 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/01/04 22:55:31.0225 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/04 22:55:31.0256 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/01/04 22:55:31.0303 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/04 22:55:31.0350 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/01/04 22:55:31.0381 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/04 22:55:31.0397 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/04 22:55:31.0397 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/04 22:55:31.0428 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/04 22:55:31.0459 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/04 22:55:31.0490 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/04 22:55:31.0584 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/04 22:55:31.0615 NPPTNT2 (9131fe60adfab595c8da53ad6a06aa31) C:\WINDOWS\system32\npptNT2.sys
2011/01/04 22:55:31.0678 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/04 22:55:31.0772 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/04 22:55:31.0943 nv (4c3696c1ed1a36629ebb348bf745a328) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/01/04 22:55:32.0115 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/04 22:55:32.0131 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/04 22:55:32.0162 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/04 22:55:32.0209 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/04 22:55:32.0225 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/04 22:55:32.0303 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/04 22:55:32.0334 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/04 22:55:32.0365 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/04 22:55:32.0475 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/04 22:55:32.0490 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/04 22:55:32.0553 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/04 22:55:32.0568 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/04 22:55:32.0600 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/04 22:55:32.0678 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/04 22:55:32.0725 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/04 22:55:32.0740 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/04 22:55:32.0756 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/04 22:55:32.0865 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/04 22:55:32.0881 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/04 22:55:32.0897 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/04 22:55:32.0928 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/04 22:55:33.0022 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/04 22:55:33.0068 RTLE8023xp (839141088ad7ee90f5b441b2d1afd22c) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/01/04 22:55:33.0115 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/04 22:55:33.0162 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/04 22:55:33.0209 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/04 22:55:33.0256 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/04 22:55:33.0303 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/01/04 22:55:33.0350 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/01/04 22:55:33.0397 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/04 22:55:33.0428 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/04 22:55:33.0459 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/04 22:55:33.0506 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/01/04 22:55:33.0537 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/04 22:55:33.0553 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/04 22:55:33.0631 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/04 22:55:33.0725 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/04 22:55:33.0787 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/04 22:55:33.0803 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/04 22:55:33.0850 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/04 22:55:33.0912 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/04 22:55:33.0959 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/04 22:55:34.0037 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/01/04 22:55:34.0053 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/04 22:55:34.0068 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/04 22:55:34.0100 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/04 22:55:34.0147 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/04 22:55:34.0193 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/04 22:55:34.0209 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/04 22:55:34.0240 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/01/04 22:55:34.0272 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/04 22:55:34.0318 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/04 22:55:34.0397 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/04 22:55:34.0428 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/04 22:55:34.0490 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/01/04 22:55:34.0537 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/04 22:55:34.0553 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/04 22:55:34.0600 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/04 22:55:34.0600 ================================================================================
2011/01/04 22:55:34.0600 Scan finished
2011/01/04 22:55:34.0600 ================================================================================
2011/01/04 22:55:34.0600 Detected object count: 1
2011/01/04 22:55:53.0193 \HardDisk0 - will be cured after reboot
2011/01/04 22:55:53.0193 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/04 22:56:12.0193 Deinitialize success

I am sorry I could not get back sooner, I just got home

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 04 January 2011 - 08:27 PM

Now please run Combofix, agreeing any updates it requests.
Posted Image
m0le is a proud member of UNITE

#10 rodbic

rodbic
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 05 January 2011 - 05:00 AM

Done.
combofix detected rootkit activity, and asked me to note file name........application data\zade\ocny.exe.
the log file noted orphan removal .......application data\zade\ocny.exe

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 05 January 2011 - 01:28 PM

Do you have a log?
Posted Image
m0le is a proud member of UNITE

#12 rodbic

rodbic
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 05 January 2011 - 02:25 PM

Yes, below.
I had to remove AVG to get one of the "fix" programmes to run. AVG did not stop routkit, and it the latest version really keeps the drives busy.
The only (affordable) alternative I know is Avast. Any thoughts?

the new AVG on the old PC is nearly making it unusable despite turning off resident shield.
a couple of years back I had AVG and Avast running on the old pc. I was told this was inadvisable, and it was slowing things down, so I removed avast, but nothing got past while I was doing that.





ComboFix 11-01-04.04 - rod 05/01/2011 9:32.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1719 [GMT 0:00]
Running from: c:\documents and settings\rod\Desktop\1234.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\eJeEf02900
c:\documents and settings\All Users\Application Data\eJeEf02900\eJeEf02900
c:\documents and settings\All Users\Application Data\eJeEf02900\eJeEf02900.exe
c:\documents and settings\rod\Application Data\Zade
c:\documents and settings\rod\Application Data\Zade\ocny.exe
c:\documents and settings\rod\Desktop\System Tool 2011.lnk

.
((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
.

2011-01-02 17:16 . 2011-01-02 17:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-18 20:32 . 2010-12-18 20:32 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-18 20:28 . 2010-12-18 20:28 -------- d-----w- c:\documents and settings\rod\Local Settings\Application Data\Sunbelt Software
2010-12-18 19:24 . 2010-12-18 19:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-15 10:29 . 2010-12-15 10:29 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-15 10:03 . 2010-12-15 10:05 -------- d-----w- c:\windows\system32\NtmsData
2010-12-15 08:43 . 2010-12-15 10:27 -------- d-s---w- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-05 09:31 . 2009-09-03 10:43 16608 ----a-w- c:\windows\gdrv.sys
2010-12-03 09:05 . 2010-01-28 10:08 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-12-03 09:05 . 2010-01-28 13:12 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-29 17:42 . 2009-11-21 18:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2009-11-21 18:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-11 22:20 . 2010-10-20 14:10 4406552 ----a-w- c:\windows\system32\GameMon.des
.

((((((((((((((((((((((((((((( SnapShot@2010-12-19_00.27.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-05 09:31 . 2011-01-05 09:31 16384 c:\windows\Temp\Perflib_Perfdata_6e8.dat
+ 2011-01-05 09:31 . 2011-01-05 09:31 16384 c:\windows\Temp\Perflib_Perfdata_6b4.dat
+ 2010-12-18 16:52 . 2010-12-19 14:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-12-18 16:52 . 2010-12-18 20:58 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-03 10:30 . 2010-12-19 14:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-09-03 10:30 . 2010-12-18 20:58 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn0.dll" [2010-12-02 2735200]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-12-02 08:33 2735200 ----a-w- c:\program files\Zynga\tbZyn0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn0.dll" [2010-12-02 2735200]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyn0.dll" [2010-12-02 2735200]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlazeServoTool"="c:\program files\TV Tuner USB\MediaDetector.exe" [2006-12-01 286720]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Google Update"="c:\documents and settings\rod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-14 133104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
adceva.exe [2011-1-2 152064]
ibyrek.exe [2011-1-2 152064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-10-14 18:29 133104 ----atw- c:\documents and settings\rod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 10:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-14 20:53 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Zattoo\\zattood.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Gigabyte\\@BIOS\\gwflash.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"59082:TCP"= 59082:TCP:Pando Media Booster
"59082:UDP"= 59082:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [28/01/2010 10:08 64288]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [03/09/2009 10:45 68136]
R3 AF05BDA;AF9005 BDA Device;c:\windows\system32\drivers\AF05BDA.sys [21/11/2009 10:59 117376]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/08/2010 13:23 136176]
S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys --> c:\program files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/12/2010 09:05 1389400]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/01/2008 10:06 21632]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-12-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]

2010-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 05:51]

2010-12-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 05:51]

2010-12-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-616249376-839522115-1003Core.job
- c:\documents and settings\rod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-14 18:29]

2011-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-616249376-839522115-1003UA.job
- c:\documents and settings\rod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-14 18:29]

2010-12-19 c:\windows\Tasks\Norton Security Scan for rod.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-09-30 10:04]

2011-01-05 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]

2011-01-05 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-27 22:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com
mStart Page = hxxp://uk.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{CCAAC129-3F82-B7BE-221C-F4A9F88133F5} - c:\documents and settings\rod\Application Data\Zade\ocny.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-05 09:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,0e,e8,94,e9,04,74,43,a9,34,d9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,0e,e8,94,e9,04,74,43,a9,34,d9,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2011-01-05 09:41:28
ComboFix-quarantined-files.txt 2011-01-05 09:41
ComboFix2.txt 2010-12-19 15:04
ComboFix3.txt 2010-12-19 00:31

Pre-Run: 136,222,769,152 bytes free
Post-Run: 136,632,954,880 bytes free

- - End Of File - - 9E747D6EF461D94DAA0191BFEF811326

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 05 January 2011 - 05:05 PM

Avast is a better free version than AVG so I'd recommend that without a problem.

Please rerun Combofix as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\documents and settings\Default User\Start Menu\Programs\Startup\adceva.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\ibyrek.exe

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Posted Image
m0le is a proud member of UNITE

#14 rodbic

rodbic
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 05 January 2011 - 05:48 PM

before I joined bleeping I read that I should rename combofix before running it, hence the 1234.exe
I have an 05:30 start tomorrow, so i wont be back on line until about 3PM uk time.
Sincear thanks for the considerable amount of time and trouble you are giving this


ComboFix 11-01-05.01 - rod 05/01/2011 22:30:23.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1626 [GMT 0:00]
Running from: c:\documents and settings\rod\Desktop\1234.exe
Command switches used :: c:\documents and settings\rod\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

FILE ::
"c:\documents and settings\Default User\Start Menu\Programs\Startup\adceva.exe"
"c:\documents and settings\Default User\Start Menu\Programs\Startup\ibyrek.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Default User\Start Menu\Programs\Startup\adceva.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\ibyrek.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
.

2011-01-05 09:09 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-01-05 09:09 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-01-02 17:16 . 2011-01-02 17:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-18 20:32 . 2010-12-18 20:32 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-18 20:28 . 2010-12-18 20:28 -------- d-----w- c:\documents and settings\rod\Local Settings\Application Data\Sunbelt Software
2010-12-18 19:24 . 2010-12-18 19:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-15 10:29 . 2010-12-15 10:29 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-15 10:03 . 2010-12-15 10:05 -------- d-----w- c:\windows\system32\NtmsData
2010-12-15 08:43 . 2010-12-15 10:27 -------- d-s---w- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-05 10:42 . 2009-09-03 10:43 16608 ----a-w- c:\windows\gdrv.sys
2010-12-03 09:05 . 2010-01-28 10:08 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-12-03 09:05 . 2010-01-28 13:12 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-29 17:42 . 2009-11-21 18:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2009-11-21 18:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2009-09-03 10:24 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2003-07-16 16:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2003-07-16 16:24 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2009-10-14 17:30 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2003-07-16 16:31 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2003-07-16 16:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2003-07-16 16:45 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-11 22:20 . 2010-10-20 14:10 4406552 ----a-w- c:\windows\system32\GameMon.des
.

((((((((((((((((((((((((((((( SnapShot@2010-12-19_00.27.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-05 10:42 . 2011-01-05 10:42 16384 c:\windows\Temp\Perflib_Perfdata_6e4.dat
+ 2011-01-05 10:42 . 2011-01-05 10:42 16384 c:\windows\Temp\Perflib_Perfdata_68c.dat
+ 2009-11-27 07:35 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
- 2009-11-27 07:35 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe
+ 2009-11-25 21:56 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
- 2009-11-25 21:56 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
- 2003-07-16 16:30 . 2010-09-10 05:58 66560 c:\windows\system32\mshtmled.dll
+ 2003-07-16 16:30 . 2010-11-06 00:26 66560 c:\windows\system32\mshtmled.dll
- 2009-03-08 04:31 . 2010-09-10 05:58 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-03-08 04:31 . 2010-11-06 00:26 55296 c:\windows\system32\msfeedsbs.dll
+ 2003-07-16 16:25 . 2010-11-06 00:26 25600 c:\windows\system32\jsproxy.dll
- 2003-07-16 16:25 . 2010-09-10 05:58 25600 c:\windows\system32\jsproxy.dll
+ 2009-11-20 21:10 . 2010-11-06 00:26 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-11-20 21:10 . 2010-09-10 05:58 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-03-08 04:31 . 2010-11-06 00:26 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2009-03-08 04:31 . 2010-09-10 05:58 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-11-20 21:10 . 2010-11-06 00:26 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2009-11-20 21:10 . 2010-09-10 05:58 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-03-08 04:34 . 2010-11-06 00:26 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2009-03-08 04:34 . 2010-09-10 05:58 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2009-03-08 04:33 . 2010-09-10 05:58 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-03-08 04:33 . 2010-11-06 00:26 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2010-11-18 18:12 . 2010-11-18 18:12 81920 c:\windows\system32\dllcache\isign32.dll
+ 2010-12-18 16:52 . 2010-12-19 14:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-12-18 16:52 . 2010-12-18 20:58 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-03 10:30 . 2010-12-18 20:58 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-03 10:30 . 2010-12-19 14:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-14 17:53 . 2010-11-11 07:57 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2009-10-14 17:53 . 2011-01-05 10:38 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2009-10-14 17:53 . 2010-11-11 07:57 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2009-10-14 17:53 . 2011-01-05 10:38 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2009-10-14 17:53 . 2010-11-11 07:57 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2009-10-14 17:53 . 2011-01-05 10:38 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2009-10-14 17:53 . 2011-01-05 10:38 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2009-10-14 17:53 . 2010-11-11 07:57 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2009-10-14 17:53 . 2011-01-05 10:38 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2009-10-14 17:53 . 2010-11-11 07:57 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2009-10-14 17:53 . 2010-11-11 07:57 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2009-10-14 17:53 . 2011-01-05 10:38 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2009-10-14 17:53 . 2010-11-11 07:57 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2009-10-14 17:53 . 2011-01-05 10:38 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2010-06-04 06:14 . 2011-01-05 10:39 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
- 2010-06-04 06:14 . 2010-09-29 21:45 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2011-01-05 10:39 . 2010-09-10 05:58 12800 c:\windows\ie8updates\KB2416400-IE8\xpshims.dll
+ 2011-01-05 10:39 . 2010-09-10 05:58 66560 c:\windows\ie8updates\KB2416400-IE8\mshtmled.dll
+ 2011-01-05 10:39 . 2010-09-10 05:58 55296 c:\windows\ie8updates\KB2416400-IE8\msfeedsbs.dll
+ 2011-01-05 10:39 . 2010-09-10 05:58 43520 c:\windows\ie8updates\KB2416400-IE8\licmgr10.dll
+ 2011-01-05 10:39 . 2010-09-10 05:58 25600 c:\windows\ie8updates\KB2416400-IE8\jsproxy.dll
+ 2009-10-14 17:53 . 2011-01-05 10:38 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2009-10-14 17:53 . 2010-11-11 07:57 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2009-10-14 17:53 . 2011-01-05 10:38 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2009-10-14 17:53 . 2010-11-11 07:57 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2009-10-14 17:53 . 2011-01-05 10:38 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2009-10-14 17:53 . 2010-11-11 07:57 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2003-07-16 16:34 . 2010-09-10 05:58 206848 c:\windows\system32\occache.dll
+ 2003-07-16 16:34 . 2010-11-06 00:26 206848 c:\windows\system32\occache.dll
+ 2003-07-16 16:31 . 2010-11-06 00:26 611840 c:\windows\system32\mstime.dll
- 2003-07-16 16:31 . 2010-09-10 05:58 611840 c:\windows\system32\mstime.dll
+ 2009-03-08 04:32 . 2010-11-06 00:26 602112 c:\windows\system32\msfeeds.dll
- 2009-03-08 04:32 . 2010-09-10 05:58 602112 c:\windows\system32\msfeeds.dll
- 2003-07-16 16:24 . 2010-09-10 05:58 184320 c:\windows\system32\iepeers.dll
+ 2003-07-16 16:24 . 2010-11-06 00:26 184320 c:\windows\system32\iepeers.dll
- 2003-07-16 16:24 . 2010-09-10 05:58 387584 c:\windows\system32\iedkcs32.dll
+ 2003-07-16 16:24 . 2010-11-06 00:26 387584 c:\windows\system32\iedkcs32.dll
+ 2003-07-16 16:24 . 2010-11-03 12:26 173568 c:\windows\system32\ie4uinit.exe
+ 2009-03-08 04:34 . 2010-11-06 00:26 916480 c:\windows\system32\dllcache\wininet.dll
- 2009-03-08 04:34 . 2010-09-10 05:58 916480 c:\windows\system32\dllcache\wininet.dll
- 2009-03-08 04:34 . 2010-09-10 05:58 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-03-08 04:34 . 2010-11-06 00:26 206848 c:\windows\system32\dllcache\occache.dll
- 2009-03-08 04:32 . 2010-09-10 05:58 611840 c:\windows\system32\dllcache\mstime.dll
+ 2009-03-08 04:32 . 2010-11-06 00:26 611840 c:\windows\system32\dllcache\mstime.dll
- 2009-11-20 21:10 . 2010-09-10 05:58 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-11-20 21:10 . 2010-11-06 00:26 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-11-20 21:10 . 2010-11-06 00:26 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2009-11-20 21:10 . 2010-09-10 05:58 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2009-03-08 04:31 . 2010-09-10 05:58 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2009-03-08 04:31 . 2010-11-06 00:26 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-06-10 07:20 . 2010-11-06 00:26 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-06-10 07:20 . 2010-09-10 05:58 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2009-03-08 14:09 . 2010-09-10 05:58 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-03-08 14:09 . 2010-11-06 00:26 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-03-08 04:32 . 2010-11-03 12:26 173568 c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-04-20 05:30 . 2010-10-28 13:13 290048 c:\windows\system32\dllcache\atmfd.dll
+ 2010-11-16 12:54 . 2010-11-16 12:54 906240 c:\windows\Installer\3d706e.msp
- 2009-10-14 17:53 . 2010-11-11 07:57 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2009-10-14 17:53 . 2011-01-05 10:38 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2009-10-14 17:53 . 2010-11-11 07:57 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2009-10-14 17:53 . 2011-01-05 10:38 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2011-01-05 10:39 . 2010-09-10 05:58 916480 c:\windows\ie8updates\KB2416400-IE8\wininet.dll
+ 2011-01-05 10:39 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2416400-IE8\spuninst\updspapi.dll
+ 2011-01-05 10:39 . 2010-02-22 14:23 231288 c:\windows\ie8updates\KB2416400-IE8\spuninst\spuninst.exe
+ 2011-01-05 10:39 . 2010-09-10 05:58 206848 c:\windows\ie8updates\KB2416400-IE8\occache.dll
+ 2011-01-05 10:39 . 2010-09-10 05:58 611840 c:\windows\ie8updates\KB2416400-IE8\mstime.dll
+ 2011-01-05 10:39 . 2010-09-10 05:58 602112 c:\windows\ie8updates\KB2416400-IE8\msfeeds.dll
+ 2011-01-05 10:39 . 2010-09-10 05:58 247808 c:\windows\ie8updates\KB2416400-IE8\ieproxy.dll
+ 2011-01-05 10:39 . 2010-09-10 05:58 184320 c:\windows\ie8updates\KB2416400-IE8\iepeers.dll
+ 2011-01-05 10:39 . 2010-09-10 05:58 743424 c:\windows\ie8updates\KB2416400-IE8\iedvtool.dll
+ 2011-01-05 10:39 . 2010-09-10 05:58 387584 c:\windows\ie8updates\KB2416400-IE8\iedkcs32.dll
+ 2011-01-05 10:39 . 2010-08-26 12:22 173056 c:\windows\ie8updates\KB2416400-IE8\ie4uinit.exe
+ 2003-07-16 16:43 . 2010-11-06 00:26 1210880 c:\windows\system32\urlmon.dll
- 2003-07-16 16:43 . 2010-09-10 05:58 1210880 c:\windows\system32\urlmon.dll
+ 2003-07-16 16:30 . 2010-11-06 00:26 5959168 c:\windows\system32\mshtml.dll
+ 2009-03-08 04:32 . 2010-11-06 00:26 1991680 c:\windows\system32\iertutil.dll
+ 2009-09-03 11:06 . 2011-01-05 10:42 2005168 c:\windows\system32\FNTCACHE.DAT
+ 2009-08-14 13:21 . 2010-10-26 13:25 1853312 c:\windows\system32\dllcache\win32k.sys
- 2009-03-08 04:34 . 2010-09-10 05:58 1210880 c:\windows\system32\dllcache\urlmon.dll
+ 2009-03-08 04:34 . 2010-11-06 00:26 1210880 c:\windows\system32\dllcache\urlmon.dll
+ 2009-03-08 04:41 . 2010-11-06 00:26 5959168 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-20 21:10 . 2010-11-06 00:26 1991680 c:\windows\system32\dllcache\iertutil.dll
+ 2010-10-04 13:59 . 2010-10-04 13:59 8300032 c:\windows\Installer\3d7083.msp
+ 2011-01-05 10:39 . 2010-09-10 05:58 1210880 c:\windows\ie8updates\KB2416400-IE8\urlmon.dll
+ 2011-01-05 10:39 . 2010-09-10 05:58 5957120 c:\windows\ie8updates\KB2416400-IE8\mshtml.dll
+ 2011-01-05 10:39 . 2010-09-10 05:58 1986560 c:\windows\ie8updates\KB2416400-IE8\iertutil.dll
+ 2009-11-20 21:11 . 2011-01-05 10:35 37366216 c:\windows\system32\MRT.exe
+ 2009-03-08 04:39 . 2010-11-06 00:26 11080704 c:\windows\system32\ieframe.dll
+ 2009-11-20 21:10 . 2010-11-06 00:26 11080704 c:\windows\system32\dllcache\ieframe.dll
+ 2011-01-05 10:38 . 2011-01-05 10:38 20304384 c:\windows\Installer\3d7090.msp
+ 2011-01-05 10:39 . 2010-09-10 05:58 11080192 c:\windows\ie8updates\KB2416400-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn0.dll" [2010-12-02 2735200]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-12-02 08:33 2735200 ----a-w- c:\program files\Zynga\tbZyn0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn0.dll" [2010-12-02 2735200]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyn0.dll" [2010-12-02 2735200]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlazeServoTool"="c:\program files\TV Tuner USB\MediaDetector.exe" [2006-12-01 286720]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Google Update"="c:\documents and settings\rod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-14 133104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-10-14 18:29 133104 ----atw- c:\documents and settings\rod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 10:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-14 20:53 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Zattoo\\zattood.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Gigabyte\\@BIOS\\gwflash.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"59082:TCP"= 59082:TCP:Pando Media Booster
"59082:UDP"= 59082:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [28/01/2010 10:08 64288]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [03/09/2009 10:45 68136]
R3 AF05BDA;AF9005 BDA Device;c:\windows\system32\drivers\AF05BDA.sys [21/11/2009 10:59 117376]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/08/2010 13:23 136176]
S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys --> c:\program files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/12/2010 09:05 1389400]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/01/2008 10:06 21632]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-12-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]

2010-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 05:51]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 05:51]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-616249376-839522115-1003Core.job
- c:\documents and settings\rod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-14 18:29]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-616249376-839522115-1003UA.job
- c:\documents and settings\rod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-14 18:29]

2011-01-05 c:\windows\Tasks\Norton Security Scan for rod.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-09-30 10:04]

2011-01-05 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]

2011-01-05 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-27 22:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com
mStart Page = hxxp://uk.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-05 22:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2011-01-05 22:35:47
ComboFix-quarantined-files.txt 2011-01-05 22:35
ComboFix2.txt 2011-01-05 09:41
ComboFix3.txt 2010-12-19 15:04
ComboFix4.txt 2010-12-19 00:31

Pre-Run: 136,466,616,320 bytes free
Post-Run: 136,448,950,272 bytes free

- - End Of File - - 019DE5A72AF23BE844FBD976D3E4FCD0

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 05 January 2011 - 07:51 PM

It must be renamed if a specific infection is suspected (Bagel worm) which used to "read" Combofix but I just say to do it anyway, it's no problem.

The Combofix log looks like it's completed its work so next is the online scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users