Trojan.Hiloti and/or Trojan.Malcol


  • This topic is locked
28 replies to this topic

#1 JediJoel

Posted 03 January 2011 - 03:00 PM

It seems I've been infected through my parents' machines when visiting them for Christmas. I am no longer on their network so I've eliminated cross contamination. But here's what's happening:

I think it's a rootkit. Symantec quarantined some files as a Malcol infection and Anti-Malware quarantined some files as Hiloti. The malware has blocked Windows Updates and I'm receiving the error 0x80072efe. The Windows Firewall and Internet Sharing service gets turned off every 20 min or so and I cannot manually restart it (Access denied: error code 5). And on startup I receive the Windows Security balloon notification that SAV has been disabled, but only briefly. I think the infection is leveraging svchost PID 1160, as the memory usage for this task is unusually high. I just can't figure out what drivers or DLLs this thing is loading to stay persistent. Here are the requested logs:


DDS (Ver_10-12-12.02) - NTFSx86
Run by G$ at 11:20:18.50 on Mon 01/03/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.834 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\TrayIconsOK\TrayIconsOK.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\G$\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SNPSTD2] c:\windows\vsnpstd2.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [TrayOK] c:\program files\trayiconsok\TrayIconsOK.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\g$\startm~1\programs\startup\trayic~1.lnk - c:\program files\trayiconsok\TrayIconsOK.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\ivt corporation\bluesoleil\transsend\ie\tsinfo.htm
IE: Send via &Message... - c:\program files\ivt corporation\bluesoleil\transsend\ie\tssms.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1293840020187
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\skype4com.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-6-17 20744]
R0 lfsfilt;NDAS Lean File Sharing Service;c:\windows\system32\drivers\lfsfilt.sys [2009-10-20 555496]
R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2009-10-20 119784]
R0 ndasfs;ndasfs;c:\windows\system32\drivers\ndasfs.sys [2009-10-20 561640]
R1 ndasfat;NDAS FAT File System Service;c:\windows\system32\drivers\ndasfat.sys [2009-10-20 461288]
R1 ndasrofs;NDAS ROFS File System Service;c:\windows\system32\drivers\ndasrofs.sys [2009-10-20 793576]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-6-17 30088]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-19 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 26248]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110101.005\naveng.sys [2011-1-1 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110101.005\navex15.sys [2011-1-1 1360760]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2009-10-20 386024]
S3 BsMobileCS;BsMobileCS;c:\program files\ivt corporation\bluesoleil\BsMobileCS.exe [2009-2-27 143467]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [2009-10-20 378344]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-11 27904]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]

=============== Created Last 30 ================

2011-01-03 05:12:29 98816 ----a-w- c:\windows\sed.exe
2011-01-03 05:12:29 89088 ----a-w- c:\windows\MBR.exe
2011-01-03 05:12:29 256512 ----a-w- c:\windows\PEV.exe
2011-01-03 05:12:29 161792 ----a-w- c:\windows\SWREG.exe
2011-01-03 05:11:59 -------- d-----w- C:\ComboFix
2011-01-02 01:57:18 6144 ------w- c:\windows\system32\3.tmp
2011-01-02 01:56:15 6144 ------w- c:\windows\system32\2.tmp
2011-01-02 01:32:42 -------- d-----w- c:\docume~1\g$\applic~1\Malwarebytes
2011-01-02 01:32:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-02 01:32:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-02 01:32:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-02 01:32:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-02 01:08:32 -------- d-----w- c:\program files\Sophos
2010-12-31 19:05:31 388096 ----a-r- c:\docume~1\g$\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-31 19:05:30 -------- d-----w- c:\program files\Trend Micro
2010-12-31 01:33:36 -------- d-----w- C:\backups
2010-12-30 11:06:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\eIfHo06511
2010-12-14 09:44:39 -------- d-----w- c:\program files\JDownloader

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05:35 81920 ------w- c:\windows\system32\ieencode.dll
2010-11-03 12:59:07 369664 ------w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-07 20:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 20:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 20:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS541060G9AT00 rev.MB3OA60A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5A3555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5a97b0]; MOV EAX, [0x8a5a982c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A560AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000009a[0x8A5D49E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A5BCD98]
\Driver\atapi[0x8A586638] -> IRP_MJ_CREATE -> 0x8A5A3555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskHTS541060G9AT00_________________________MB3OA60A#5&2db186e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5A339B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 11:25:48.70 ===============

Edited by Noviciate, 03 January 2011 - 05:14 PM.


#2 rigacci
Posted 09 January 2011 - 09:28 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 JediJoel (Topic Starter)

Posted 09 January 2011 - 07:11 PM

Thanks for the reply. Here are the updated logs. After posting on the forum and receiving the "possible TDL3 rootkit" notice from GMER I sought out and ran a TDL3 removal program (site: http://www.tizersecure.com/about_TDL3_rootkit_detect_remove.php). It was a command-line program which identified an infection in atapi.sys. After removal the program restarted my machine, but I don't think removal was successful as I'm still experiencing the same symptoms. I also read that Hitman was able to identify and fix a TDL3 infection, so I ran a scan without any luck. Hitman didn't pick up the problem and so I didn't use it to "fix" anything (nothing cleaned or quarantined through Hitman). Since infection I can see an extra step in startup. Before the Windows XP splash screen a progress bar loads (similar to when a machine is loading after hibernation or loading something with ramdisk.sys). I did not see this bar when starting the machine prior to infection, although startup has slowed down, so viewing this bar could be a result of the slow startup or it could also be the infection loading during startup. Below are the logs:


DDS (Ver_10-12-12.02) - NTFSx86
Run by G$ at 15:00:02.90 on Sun 01/09/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.547 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\TrayIconsOK\TrayIconsOK.exe
C:\Program Files\iTunes\iTunesHelper.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\G$\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SNPSTD2] c:\windows\vsnpstd2.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [TrayOK] c:\program files\trayiconsok\TrayIconsOK.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\g$\startm~1\programs\startup\trayic~1.lnk - c:\program files\trayiconsok\TrayIconsOK.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\ivt corporation\bluesoleil\transsend\ie\tsinfo.htm
IE: Send via &Message... - c:\program files\ivt corporation\bluesoleil\transsend\ie\tssms.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1293840020187
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\skype4com.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-6-17 20744]
R0 lfsfilt;NDAS Lean File Sharing Service;c:\windows\system32\drivers\lfsfilt.sys [2009-10-20 555496]
R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2009-10-20 119784]
R0 ndasfs;ndasfs;c:\windows\system32\drivers\ndasfs.sys [2009-10-20 561640]
R1 ndasfat;NDAS FAT File System Service;c:\windows\system32\drivers\ndasfat.sys [2009-10-20 461288]
R1 ndasrofs;NDAS ROFS File System Service;c:\windows\system32\drivers\ndasrofs.sys [2009-10-20 793576]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-6-17 30088]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-19 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 26248]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110101.005\naveng.sys [2011-1-1 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110101.005\navex15.sys [2011-1-1 1360760]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2009-10-20 386024]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\g$\desktop\tdl3 razor\tizerbruteforceex.sys --> c:\documents and settings\g$\desktop\tdl3 razor\TizerBruteForceEx.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [2009-10-20 378344]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-11 27904]

=============== Created Last 30 ================

2011-01-06 10:13:10 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-06 10:13:08 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-01-06 10:12:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-01-06 09:52:27 96512 ----a-w- c:\windows\system32\drivers\x001.sys
2011-01-03 05:12:29 98816 ----a-w- c:\windows\sed.exe
2011-01-03 05:12:29 89088 ----a-w- c:\windows\MBR.exe
2011-01-03 05:12:29 256512 ----a-w- c:\windows\PEV.exe
2011-01-03 05:12:29 161792 ----a-w- c:\windows\SWREG.exe
2011-01-03 05:11:59 -------- d-----w- C:\ComboFix
2011-01-02 01:57:18 6144 ------w- c:\windows\system32\3.tmp
2011-01-02 01:56:15 6144 ------w- c:\windows\system32\2.tmp
2011-01-02 01:32:42 -------- d-----w- c:\docume~1\g$\applic~1\Malwarebytes
2011-01-02 01:32:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-02 01:32:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-02 01:32:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-02 01:32:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-02 01:08:32 -------- d-----w- c:\program files\Sophos
2010-12-31 19:05:31 388096 ----a-r- c:\docume~1\g$\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-31 19:05:30 -------- d-----w- c:\program files\Trend Micro
2010-12-31 01:33:36 -------- d-----w- C:\backups
2010-12-30 11:06:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\eIfHo06511
2010-12-14 09:44:39 -------- d-----w- c:\program files\JDownloader

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05:35 81920 ------w- c:\windows\system32\ieencode.dll
2010-11-03 12:59:07 369664 ------w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS541060G9AT00 rev.MB3OA60A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5AB555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5b17b0]; MOV EAX, [0x8a5b182c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A5E9AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000009b[0x8A5ED9E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A5DA940]
\Driver\atapi[0x8A58D780] -> IRP_MJ_CREATE -> 0x8A5AB555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskHTS541060G9AT00_________________________MB3OA60A#5&2db186e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5AB39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 15:05:20.51 ===============

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-09 15:27:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 HTS541060G9AT00 rev.MB3OA60A
Running: gmer.exe; Driver: C:\DOCUME~1\G$\LOCALS~1\Temp\agtciaod.sys


---- System - GMER 1.0.15 ----

SSDT 8A585C88 ZwAlertResumeThread
SSDT 8A5ED5B8 ZwAlertThread
SSDT 8A23DD98 ZwAllocateVirtualMemory
SSDT 8A2119D0 ZwConnectPort
SSDT 8A4DDAE0 ZwCreateMutant
SSDT 8A21B3F0 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9F221CB0]
SSDT 8A5CDDE0 ZwFreeVirtualMemory
SSDT 8A4DC750 ZwImpersonateAnonymousToken
SSDT 8A5D0860 ZwImpersonateThread
SSDT 8A35C698 ZwMapViewOfSection
SSDT 8A584F88 ZwOpenEvent
SSDT 8A2FE890 ZwOpenProcessToken
SSDT 8A5C2518 ZwOpenThreadToken
SSDT 8A401D98 ZwQueryValueKey
SSDT 8A26A238 ZwResumeThread
SSDT 8A2ECC08 ZwSetContextThread
SSDT 8A306F88 ZwSetInformationProcess
SSDT 8A583A38 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9F221F10]
SSDT 8A5184B8 ZwSuspendProcess
SSDT 8A556308 ZwSuspendThread
SSDT 8A301DE0 ZwTerminateProcess
SSDT 8A546B70 ZwTerminateThread
SSDT 8A368AA8 ZwUnmapViewOfSection
SSDT 8A4613C8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2558 80501D90 4 Bytes CALL B730A7C4
init C:\WINDOWS\System32\DRIVERS\gtipci21.sys entry point in "init" section [0xB8BDDA80]
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !
? C:\DOCUME~1\G$\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[396] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A8000A
.text C:\WINDOWS\Explorer.EXE[396] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A9000A
.text C:\WINDOWS\Explorer.EXE[396] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\WINDOWS\System32\svchost.exe[1144] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0081000A
.text C:\WINDOWS\System32\svchost.exe[1144] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0082000A
.text C:\WINDOWS\System32\svchost.exe[1144] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0080000C
.text C:\WINDOWS\System32\svchost.exe[1144] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01B2000A
.text C:\WINDOWS\System32\svchost.exe[1144] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00DA000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2816] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FD000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2816] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FE000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2816] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FC000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2816] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3764] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A5AB39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A5AB39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8A5AB39B
Device \FileSystem\ndasrofs \Device\NdasRofsControl ndasfs.sys (NDAS LFS Filter/XIMETA, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device ndasrofs.sys (NDAS RO File System Driver/XIMETA, Inc.)
Device ndasfs.sys (NDAS LFS Filter/XIMETA, Inc.)
Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskHTS541060G9AT00_________________________MB3OA60A#5&2db186e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000d1801173b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000d1801173b@001256f7e937 0x59 0xDD 0x3E 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x57 0x56 0xC6 0x26 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x81 0x58 0xD4 0x79 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6C 0xD2 0x76 0xE3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000d1801173b
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x57 0x56 0xC6 0x26 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x81 0x58 0xD4 0x79 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC6 0xB8 0x21 0x12 ...
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000d1801173b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x57 0x56 0xC6 0x26 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x81 0x58 0xD4 0x79 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC6 0xB8 0x21 0x12 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 19: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 20: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 21: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 22: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 23: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 24: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 25: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 26: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 27: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 36: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 40: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 42: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 43: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 45: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

Attached Files
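The "User code sections" in the GMER log above list inline hooks: in each named process the first 5 bytes of an exported function were overwritten with a JMP. Where the JMP lands inside a loaded module GMER prints that module's path and vendor (the Firefox lines); where it lands in an anonymous region it prints nothing, and those are the entries that have to be attributed by hand. The script below is an added example for this thread, not part of the original post and not GMER's own code: it parses lines of that shape, classifies each hook, and lists the symbols that carry unattributed hooks in more than one process. The sample lines are copied from the log above; the three labels and the "same directory as the hooked process" rule are this example's own conventions, and `ntpath` is used so the Windows paths parse on any host.

```python
"""Triage of the 'User code sections' of a GMER log.

Added example for this thread: not part of the original post and not GMER's
own code.  Every line of this kind records an inline hook, a 5-byte JMP
written over the start of an exported function.  When the JMP target lies in
a loaded module GMER appends that module's path and vendor; when it lies in
an anonymous region it appends nothing, and that is the case the responder
must attribute by hand.  The three labels below and the 'same process, same
directory' rule are this example's own conventions.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER log in the post above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\Explorer.EXE[396] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A8000A
.text C:\WINDOWS\Explorer.EXE[396] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A9000A
.text C:\WINDOWS\System32\svchost.exe[1144] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0081000A
.text C:\WINDOWS\System32\svchost.exe[1144] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0082000A
.text C:\WINDOWS\System32\svchost.exe[1144] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00DA000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2816] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3764] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>.+?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)


def parse_hooks(text):
    """Turn GMER '.text ...' lines into dicts; lines of any other kind are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["addr"] = int(h["addr"], 16)
        h["target"] = int(h["target"], 16)
        h["size"] = int(h["size"])
        h["symbol"] = f"{h['module']}!{h['func']}"
        hooks.append(h)
    return hooks


def classify(hook):
    """anonymous-target: JMP into memory GMER could not map to any module.
    self-module: target module lives in the hooked process's own directory
    (an application hooking itself, as Firefox does with LdrLoadDll).
    module-backed: target in some other loaded module; attribute by vendor."""
    if hook["owner"] is None:
        return "anonymous-target"
    if ntpath.dirname(hook["owner"]).lower() == ntpath.dirname(hook["image"]).lower():
        return "self-module"
    return "module-backed"


def triage(hooks):
    """Group hook symbols per process (image[pid]) under their classification."""
    per_process = defaultdict(lambda: defaultdict(list))
    for h in hooks:
        per_process[f"{h['image']}[{h['pid']}]"][classify(h)].append(h["symbol"])
    return {proc: dict(groups) for proc, groups in per_process.items()}


def cross_process_anonymous(hooks):
    """Symbols hooked with an anonymous target in more than one process.
    The same unattributed hook in every process points at one injecting
    agent; finding who owns those target pages is the first follow-up."""
    pids = defaultdict(set)
    for h in hooks:
        if classify(h) == "anonymous-target":
            pids[h["symbol"]].add(h["pid"])
    return {sym for sym, s in pids.items() if len(s) > 1}


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_LOG)
    for proc, groups in triage(parsed).items():
        print(proc, groups)
    print("hooked everywhere, unattributed:", sorted(cross_process_anonymous(parsed)))
```

Run as-is it reports the Firefox hooks as self-hooks and the ntdll hooks in Explorer and svchost as unattributed and present in both processes. The GMER output alone does not say whether those were placed by one of the security products installed on the machine or by the infection; that is settled by looking at what lives at the JMP targets, which is outside what a log parser can do.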



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:31 AM

Posted 10 January 2011 - 02:32 PM

Hello

My name is gringo and I will be helping you from this point forward.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes unless I tell you to.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

If you have not done so please Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Here is the first thing I would like you to do.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 JediJoel


Posted 11 January 2011 - 03:44 AM

There is no noticeable change to my machine after running ComboFix. ComboFix ran without any incident, identified a possible TDL3 infection, and proceeded with removal. After ComboFix ran I used the computer for a while hoping to see if anything had changed. Sure enough the Windows Firewall service shut down after a while and I was unable to connect to my LAN, causing me to restart (par for the course since infection). Below is the ComboFix log:

ComboFix 11-01-10.07 - G$ 01/10/2011 23:26:21.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.924 [GMT -8:00]
Running from: c:\documents and settings\G$\Desktop\ComFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2010-12-11 to 2011-01-11 )))))))))))))))))))))))))))))))
.

2011-01-06 10:13 . 2011-01-06 10:13 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-06 10:13 . 2011-01-06 10:13 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-01-06 10:12 . 2011-01-06 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-01-06 09:52 . 2010-03-16 11:12 96512 ----a-w- c:\windows\system32\drivers\x001.sys
2011-01-02 01:57 . 2010-05-26 18:39 6144 ------w- c:\windows\system32\3.tmp
2011-01-02 01:56 . 2010-05-26 18:39 6144 ------w- c:\windows\system32\2.tmp
2011-01-02 01:32 . 2011-01-02 01:32 -------- d-----w- c:\documents and settings\G$\Application Data\Malwarebytes
2011-01-02 01:32 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-02 01:32 . 2011-01-02 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-02 01:32 . 2011-01-02 01:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-02 01:32 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-02 01:08 . 2011-01-02 01:08 -------- d-----w- c:\program files\Sophos
2011-01-02 00:57 . 2011-01-02 00:57 -------- d-----w- c:\program files\Windows Defender
2010-12-31 21:57 . 2010-12-31 21:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird
2010-12-31 21:57 . 2010-12-31 21:57 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird
2010-12-31 21:57 . 2010-12-31 21:57 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-12-31 19:05 . 2010-12-31 19:05 388096 ----a-r- c:\documents and settings\G$\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-31 19:05 . 2010-12-31 19:05 -------- d-----w- c:\program files\Trend Micro
2010-12-31 01:33 . 2011-01-03 06:15 -------- d-----w- C:\backups
2010-12-30 11:06 . 2011-01-01 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\eIfHo06511
2010-12-14 09:44 . 2010-12-31 03:08 -------- d-----w- c:\program files\JDownloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-09 23:54 . 2001-08-23 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-11-18 18:12 . 2006-08-01 20:17 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-05 05:05 . 2004-01-08 22:23 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05 . 2001-08-23 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-11-03 12:59 . 2004-08-04 05:59 369664 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2001-08-23 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2001-08-23 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2011-01-03_09.37.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-11 07:22 . 2011-01-11 07:22 16384 c:\windows\Temp\Perflib_Perfdata_590.dat
+ 2001-08-23 12:00 . 2011-01-09 23:54 96512 c:\windows\system32\dllcache\atapi.sys
+ 2008-11-04 04:01 . 2008-11-05 04:01 717296 c:\windows\system32\drivers\sptd.sys
- 2008-11-04 04:01 . 2008-11-04 20:01 717296 c:\windows\system32\drivers\sptd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-04-25 94208]
"Persistence"="c:\windows\System32\igfxpers.exe" [2005-04-25 114688]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 405504]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-04-25 77824]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-08-30 286720]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"TrayOK"="c:\program files\TrayIconsOK\TrayIconsOK.exe" [2007-04-24 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]

c:\documents and settings\cheesehead\Start Menu\Programs\Startup\
WinIPS.lnk.disabled [2008-6-3 529]

c:\documents and settings\G$\Start Menu\Programs\Startup\
TrayIconsOK.lnk - c:\program files\TrayIconsOK\TrayIconsOK.exe [2010-8-18 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-06-01 05:46 110592 ------w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-23 07:24 620152 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]
2009-02-28 00:04 278016 ----a-w- c:\program files\IVT Corporation\BlueSoleil\BtTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 19:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:mIRC
"427:UDP"= 427:UDP:SLP_Port(427)
"6182:TCP"= 6182:TCP:DigiNet Pop-up

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [6/17/2009 1:01 PM 20744]
R0 ndasfs;ndasfs;c:\windows\system32\drivers\ndasfs.sys [10/20/2009 7:04 PM 561640]
R1 ndasfat;NDAS FAT File System Service;c:\windows\system32\drivers\ndasfat.sys [10/20/2009 7:04 PM 461288]
R1 ndasrofs;NDAS ROFS File System Service;c:\windows\system32\drivers\ndasrofs.sys [10/20/2009 7:04 PM 793576]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [6/17/2009 1:02 PM 30088]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/19/2010 10:36 PM 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 9:26 AM 80384]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [6/17/2009 1:01 PM 26248]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\G$\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\G$\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2/27/2009 3:40 PM 143467]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [11/11/2008 11:35 PM 27904]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 5:34 AM 115952]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/3/2008 8:01 PM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2011-01-03 c:\windows\Tasks\BeerSmith Reg.job
- c:\windows\regedit.exe [2001-08-23 13:42]

2010-08-26 c:\windows\Tasks\kill mirc.job
- c:\program files\mIRC\Download\killmirc.bat [2010-08-18 08:48]

2011-01-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TdlRazor - c:\documents and settings\G$\Desktop\TDL3 Razor\tdlrazor.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-10 23:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TdlRazor = c:\documents and settings\G$\Desktop\TDL3 Razor\tdlrazor.exe??l?T?h?????o?o?k?e???&???????&????? ?????????&?????????0?&????????????????????????? ???^<@???????@??A@??A@??A@? ?&???????????????????&????????????????????|_???????????????????6 ?|P?????&???&???&????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS541060G9AT00 rev.MB3OA60A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5AF555]<<
c:\docume~1\G$\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5b57b0]; MOV EAX, [0x8a5b582c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A5C6AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000009a[0x8A5E19E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A5C8D98]
\Driver\atapi[0x8A5384A8] -> IRP_MJ_CREATE -> 0x8A5AF555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskHTS541060G9AT00_________________________MB3OA60A#5&2db186e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5AF39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"=multi:"system32\drivers\x001.sys\00system32\drivers\iaStor."

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"=multi:"system32\drivers\x001.sys\00system32\drivers\iaStor."

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2011-01-10 23:41:01
ComboFix-quarantined-files.txt 2011-01-11 07:40
ComboFix2.txt 2011-01-03 18:49
ComboFix3.txt 2011-01-03 06:00

Pre-Run: 889,520,128 bytes free
Post-Run: 1,163,227,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 667CD88B3506CA8C4F8873C8BF81ED69
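Three things in the ComboFix log above are the kind a responder normally checks by eye: the service list carries two entries pointing at a file on the Desktop and at a `*.tmp` file in system32 that ComboFix could not find (`[?]`); the registry dump shows the atapi service's ImagePath naming `system32\drivers\x001.sys` instead of atapi's own driver; and the Sigcheck section shows `system32\drivers\tcpip.sys` with a different MD5 from the `dllcache` copy of the same version. The script below is an added example for this thread, not ComboFix's own code and not part of the original post: it parses ComboFix lines of those three shapes and reports each condition. The sample lines are copied from the log above; `EXPECTED_IMAGE` (where atapi's image must live) and the location rules are this example's own assumptions, and it applies to any ComboFix log of this format, not only this one.

```python
r"""Triage of driver/service load points in a ComboFix log (added example for
this thread; not ComboFix's own code and not part of the original post).
Sample lines are copied from the ComboFix log above.  Checks: (1) services in
a user profile, Temp or a *.tmp file, or whose file is missing ('[?]');
(2) a boot-start service whose ImagePath no longer names its own driver;
(3) a live system32\drivers file whose MD5 differs from the WFP dllcache copy
with the same version.  EXPECTED_IMAGE and the rules are this example's own.
"""
import ntpath
import re

# Constructed samples: lines copied from the ComboFix log in the post above.
SERVICES = r"""
R0 ndasfs;ndasfs;c:\windows\system32\drivers\ndasfs.sys [10/20/2009 7:04 PM 561640]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 9:26 AM 80384]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\G$\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\G$\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/3/2008 8:01 PM 717296]
"""
SIGCHECK = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
"""
REGISTRY = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"=multi:"system32\drivers\x001.sys\00system32\drivers\iaStor."
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4.tmp"
"""
EXPECTED_IMAGE = {"atapi": r"system32\drivers\atapi.sys"}  # assumption of this example

SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);[^;]*;(?P<rest>.+)$")
SIGCHECK_RE = re.compile(r"^\[(?P<flag>[^\]]*)\]\s+\S+\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+\d+"
                         r"\s+\.\s+\.\s+\[(?P<ver>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$")
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\]]+)\]$")
IMAGEPATH_RE = re.compile(r'^"ImagePath"=(?:multi:)?"(?P<val>.*)"$')
RULES = [  # (label, predicate over the lower-cased binary path)
    ("user-profile", lambda p: "\\documents and settings\\" in p),
    ("temp-folder", lambda p: "\\temp\\" in p),
    ("tmp-file", lambda p: p.endswith(".tmp")),
]


def parse_services(text):
    """'R0 name;display;path [meta]'; 'path --> path [?]' means ComboFix found no file."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        path = rest.split(" --> ")[0] if " --> " in rest else rest.rsplit(" [", 1)[0]
        path = path[4:] if path.startswith("\\??\\") else path   # drop the NT object prefix
        out.append({"start": m["start"], "name": m["name"], "path": path,
                    "missing": rest.endswith("[?]")})
    return out


def suspicious_services(services):
    """Services whose binary location or absence warrants a look."""
    found = []
    for s in services:
        reasons = [label for label, pred in RULES if pred(s["path"].lower())]
        if s["missing"]:
            reasons.append("file-missing")
        if reasons:
            found.append(dict(s, reasons=reasons))
    return found


def parse_sigcheck(text):
    return [m.groupdict() for m in map(SIGCHECK_RE.match, map(str.strip, text.splitlines())) if m]


def dllcache_mismatches(entries):
    """Live driver vs. the WFP dllcache copy of the same version: hashes must agree.
    A user-applied patch and a rootkit both produce a mismatch, so check the
    file's signature before deciding which this is."""
    cache = {ntpath.basename(e["path"]).lower(): e for e in entries if "\\dllcache\\" in e["path"].lower()}
    found = []
    for e in entries:
        name = ntpath.basename(e["path"]).lower()
        c = cache.get(name)
        if "\\system32\\drivers\\" in e["path"].lower() and c and c["ver"] == e["ver"] \
                and c["md5"].lower() != e["md5"].lower():
            found.append({"file": name, "live_md5": e["md5"], "dllcache_md5": c["md5"]})
    return found


def imagepath_mismatches(reg_text):
    """(service, control set, first image) where ImagePath departs from EXPECTED_IMAGE."""
    found, key = [], None
    for line in reg_text.splitlines():
        k = KEY_RE.match(line)
        if k:
            key = (k["cs"], k["svc"])
            continue
        v = IMAGEPATH_RE.match(line)
        if v and key:
            images = [p for p in v["val"].split(r"\00") if p]   # REG_MULTI_SZ separator
            expected = EXPECTED_IMAGE.get(key[1].lower())
            if expected and images and images[0].lower() != expected.lower():
                found.append((key[1], key[0], images[0]))
    return found
```

On the log above this flags KillTheHooker and MEMSWEEP2 (both with no file on disk), the atapi ImagePath redirected to `x001.sys` (which the "Files Created" section lists at 96512 bytes, the same size the Find3M section gives for atapi.sys), and the tcpip.sys hash that differs from its dllcache copy. The last one is a separate question from the rootkit: it only says the live driver was altered after Windows File Protection staged its copy, not by whom.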

#6 gringo_pr


Posted 11 January 2011 - 03:45 AM

Hello

It looks like the rootkit is still active. I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#7 gringo_pr


Posted 14 January 2011 - 12:20 AM

Hello

three day bump

It has been three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#8 JediJoel


Posted 16 January 2011 - 05:52 PM

Please keep this thread active. I'm leaving on vacation tonight and will respond to this thread by the 25th.

#9 gringo_pr


Posted 16 January 2011 - 06:05 PM

The thread will most likely be closed, but just give me a PM and I will open it again for you.


gringo

#10 gringo_pr


Posted 20 January 2011 - 08:05 AM

1/25

#11 gringo_pr


Posted 22 January 2011 - 11:58 PM

1/25

#12 gringo_pr


Posted 26 January 2011 - 09:11 AM

Hello

three day bump

It has been three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#13 JediJoel


Posted 26 January 2011 - 02:22 PM

Initial prognosis is good. After running TDSSKiller.exe the system rebooted. The machine restarted and loaded the OS faster than usual. Upon reboot automatic updates started to download (an action disabled by the rootkit). It looks like things are good. I am going to run the machine for a bit and see if the Windows Firewall service stops, but I think things are back to normal. Thanks for the help and your patience in keeping the thread open. Here is the log:



2011/01/26 10:56:39.0281 TDSS rootkit removing tool 2.4.15.0 Jan 22 2011 19:37:53
2011/01/26 10:56:39.0281 ================================================================================
2011/01/26 10:56:39.0281 SystemInfo:
2011/01/26 10:56:39.0281
2011/01/26 10:56:39.0281 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/26 10:56:39.0281 Product type: Workstation
2011/01/26 10:56:39.0281 ComputerName: MAC-N-CHEESE
2011/01/26 10:56:39.0281 UserName: G$
2011/01/26 10:56:39.0281 Windows directory: C:\WINDOWS
2011/01/26 10:56:39.0281 System windows directory: C:\WINDOWS
2011/01/26 10:56:39.0281 Processor architecture: Intel x86
2011/01/26 10:56:39.0281 Number of processors: 1
2011/01/26 10:56:39.0281 Page size: 0x1000
2011/01/26 10:56:39.0281 Boot type: Normal boot
2011/01/26 10:56:39.0281 ================================================================================
2011/01/26 10:56:39.0546 Initialize success
2011/01/26 10:56:43.0140 ================================================================================
2011/01/26 10:56:43.0140 Scan started
2011/01/26 10:56:43.0140 Mode: Manual;
2011/01/26 10:56:43.0140 ================================================================================
2011/01/26 10:56:45.0265 1001E (ae03ce743cba34d9f90ad65714a26183) C:\WINDOWS\system32\drivers\1001E.sys
2011/01/26 10:56:45.0437 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/26 10:56:45.0453 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/01/26 10:56:45.0562 aeaudio (ad707942e4ccb28d77cee5ed989c9e55) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/01/26 10:56:45.0640 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/26 10:56:45.0718 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/26 10:56:45.0968 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/01/26 10:56:46.0078 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
2011/01/26 10:56:46.0203 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/26 10:56:46.0296 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\x001.sys
2011/01/26 10:56:46.0343 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/26 10:56:46.0437 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/26 10:56:46.0500 b57w2k (2fa609c3411ec5f77f42d0b04d304ae5) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/01/26 10:56:46.0578 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/26 10:56:46.0703 BT (8e2d9ece59dfe7d310201e0d65d97ecb) C:\WINDOWS\system32\DRIVERS\btnetdrv.sys
2011/01/26 10:56:46.0796 Btcsrusb (942c602296119d758547808221c85a2c) C:\WINDOWS\system32\Drivers\btcusb.sys
2011/01/26 10:56:46.0875 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2011/01/26 10:56:46.0953 BtHidBus (ce441ccd98c5ecb10cb12fcaf97322ec) C:\WINDOWS\system32\Drivers\BtHidBus.sys
2011/01/26 10:56:47.0140 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys
2011/01/26 10:56:47.0203 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2011/01/26 10:56:47.0312 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
2011/01/26 10:56:47.0375 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2011/01/26 10:56:47.0468 btnetBUs (d3c277a51ef9e2ec972d6221f99c0b6d) C:\WINDOWS\system32\Drivers\btnetBus.sys
2011/01/26 10:56:47.0640 BTNetFilter (4f26303becbb7cc5ca8ff39593124cf2) C:\Program Files\IVT Corporation\BlueSoleil\Device\Win2k\BTNetFilter.sys
2011/01/26 10:56:47.0875 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/26 10:56:48.0078 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/01/26 10:56:48.0203 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/26 10:56:48.0265 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/26 10:56:48.0312 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/26 10:56:48.0437 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/01/26 10:56:48.0515 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/01/26 10:56:48.0687 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/26 10:56:48.0781 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/26 10:56:48.0859 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/26 10:56:48.0890 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/26 10:56:48.0937 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/26 10:56:49.0171 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2011/01/26 10:56:49.0234 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2011/01/26 10:56:49.0296 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
2011/01/26 10:56:49.0375 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/26 10:56:49.0453 eabfiltr (c6aca0190ee7b614673ee0c91863b1eb) C:\WINDOWS\System32\drivers\EABFiltr.sys
2011/01/26 10:56:49.0531 eabusb (da1011db09ad641de40cd5cca70c0c43) C:\WINDOWS\system32\drivers\eabusb.sys
2011/01/26 10:56:49.0765 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/01/26 10:56:49.0859 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/01/26 10:56:49.0921 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/26 10:56:50.0140 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/01/26 10:56:50.0218 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/26 10:56:50.0312 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/01/26 10:56:50.0359 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/26 10:56:50.0406 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/26 10:56:50.0437 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/26 10:56:50.0484 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/01/26 10:56:50.0562 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/26 10:56:50.0640 GTIPCI21 (7d074058804ad398f93ca0a08af83ff2) C:\WINDOWS\system32\DRIVERS\gtipci21.sys
2011/01/26 10:56:50.0718 HidBth (7bd2de4c85eb4241eed57672b16a7d8d) C:\WINDOWS\system32\DRIVERS\hidbth.sys
2011/01/26 10:56:50.0812 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/26 10:56:50.0953 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/01/26 10:56:51.0109 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/01/26 10:56:51.0171 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/01/26 10:56:51.0234 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/26 10:56:51.0390 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/26 10:56:51.0468 ialm (d95eb1c9b3a5c2f6fdeab05dd03736fe) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/01/26 10:56:51.0531 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/26 10:56:51.0671 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/26 10:56:51.0750 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/26 10:56:51.0843 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/26 10:56:52.0078 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/26 10:56:52.0156 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/26 10:56:52.0218 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/26 10:56:52.0265 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/01/26 10:56:52.0296 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/26 10:56:52.0359 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/26 10:56:52.0421 IvtBtBUs (71e1fc547cc488d5cd7bf0860c96f5af) C:\WINDOWS\system32\Drivers\IvtBtBus.sys
2011/01/26 10:56:52.0468 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/26 10:56:52.0500 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/26 10:56:52.0734 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/26 10:56:52.0781 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/26 10:56:53.0062 lfsfilt (d98f42e4d526448a9276010a74f4c101) C:\WINDOWS\system32\DRIVERS\lfsfilt.sys
2011/01/26 10:56:53.0156 LoopBeMidi1 (de65ebd42567c33c0152e308a982b834) C:\WINDOWS\system32\drivers\loopbe1.sys
2011/01/26 10:56:53.0234 lpx (6ef4fdde95dd58440f5242c2ba459e0f) C:\WINDOWS\system32\DRIVERS\lpx.sys
2011/01/26 10:56:53.0296 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/26 10:56:53.0390 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/26 10:56:53.0437 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/26 10:56:53.0500 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/26 10:56:54.0125 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/26 10:56:54.0328 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/26 10:56:54.0406 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/26 10:56:54.0500 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/26 10:56:54.0562 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/26 10:56:54.0609 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/26 10:56:54.0671 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/26 10:56:54.0812 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/26 10:56:54.0937 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/01/26 10:56:54.0984 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/26 10:56:55.0046 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/01/26 10:56:55.0296 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110124.003\naveng.sys
2011/01/26 10:56:55.0484 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110124.003\navex15.sys
2011/01/26 10:56:55.0734 ndasbus (b9c9db9ce88e39c37f0e544bd51e6e7c) C:\WINDOWS\system32\DRIVERS\ndasbus.sys
2011/01/26 10:56:55.0812 ndasfat (a4fe380cc37676274f993c09acdf184f) C:\WINDOWS\system32\DRIVERS\ndasfat.sys
2011/01/26 10:56:55.0875 ndasfs (466cb08d60ca31543f9a92de41855f0d) C:\WINDOWS\system32\DRIVERS\ndasfs.sys
2011/01/26 10:56:56.0046 ndasrofs (8cce314294c35febdb7312f5be9a6d87) C:\WINDOWS\system32\DRIVERS\ndasrofs.sys
2011/01/26 10:56:56.0281 ndasscsi (b9266024863bddd2f774db3d519f367a) C:\WINDOWS\system32\DRIVERS\ndasscsi.sys
2011/01/26 10:56:56.0359 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/26 10:56:56.0437 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/01/26 10:56:56.0500 Ndisprot (a3b80c6e0774815c362aeb5ed5ac047d) C:\WINDOWS\system32\drivers\Ndisprot.sys
2011/01/26 10:56:56.0562 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/26 10:56:56.0609 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/26 10:56:56.0687 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/26 10:56:56.0734 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/26 10:56:56.0781 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/26 10:56:56.0859 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/01/26 10:56:57.0062 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2011/01/26 10:56:57.0078 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/26 10:56:57.0140 NSNDIS5 (53f7546e8daefb3a0813f5e19c4613c9) C:\WINDOWS\system32\NSNDIS5.SYS
2011/01/26 10:56:57.0390 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/26 10:56:57.0515 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/26 10:56:57.0687 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/26 10:56:57.0734 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/26 10:56:57.0781 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/01/26 10:56:57.0812 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/26 10:56:57.0859 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/26 10:56:57.0906 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/26 10:56:58.0015 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/26 10:56:58.0078 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/26 10:56:58.0125 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/01/26 10:56:58.0375 pfc (6c1618a07b49e3873582b6449e744088) C:\WINDOWS\system32\drivers\pfc.sys
2011/01/26 10:56:58.0468 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/26 10:56:58.0515 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/26 10:56:58.0562 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/26 10:56:58.0656 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/26 10:56:58.0781 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/26 10:56:58.0968 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/26 10:56:59.0046 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/01/26 10:56:59.0093 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/26 10:56:59.0140 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/26 10:56:59.0171 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/26 10:56:59.0218 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/26 10:56:59.0265 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/26 10:56:59.0375 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/26 10:56:59.0437 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/26 10:56:59.0500 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/26 10:56:59.0593 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2011/01/26 10:56:59.0734 SAVRT (cdb565c093b0105086cc630b32f9e6e6) C:\Program Files\Symantec AntiVirus\savrt.sys
2011/01/26 10:56:59.0781 SAVRTPEL (1042cb5a003f9aed8d6cec56a0fc6c49) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2011/01/26 10:57:00.0031 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/01/26 10:57:00.0171 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/26 10:57:00.0218 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/26 10:57:00.0281 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/26 10:57:00.0375 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/26 10:57:00.0484 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/01/26 10:57:00.0578 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
2011/01/26 10:57:00.0703 smwdm (858934c454bdc6664c752bf0cd3eaeae) C:\WINDOWS\system32\drivers\smwdm.sys
2011/01/26 10:57:00.0812 SndTDriverV32 (3b4d9b067230fab80ea1e3cfa1c11337) C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2011/01/26 10:57:01.0062 snpstd2 (c01904b1390ce8893331698e54e58ca5) C:\WINDOWS\system32\DRIVERS\snpstd2.sys
2011/01/26 10:57:01.0281 SPBBCDrv (cc22bf5631c4837abcd81d75de8fb1aa) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/01/26 10:57:01.0390 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/26 10:57:01.0515 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\System32\Drivers\sptd.sys
2011/01/26 10:57:01.0687 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/26 10:57:01.0796 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/26 10:57:01.0875 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/01/26 10:57:01.0968 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/01/26 10:57:02.0015 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/26 10:57:02.0078 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/26 10:57:02.0328 SymEvent (5156f63e684e8c864ff40e40d5309f41) C:\Program Files\Symantec\SYMEVENT.SYS
2011/01/26 10:57:02.0421 SYMREDRV (5314e345dfc068504cfb2676d3b2ca39) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/01/26 10:57:02.0484 SYMTDI (8cd0a1478256240249b8ee88e6f25e94) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/01/26 10:57:02.0750 SynTP (0f332c0ba9b968ebc8cbb906416f8597) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/01/26 10:57:02.0843 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/26 10:57:02.0937 tbhsd (10a926ef723a816d3db771608f184e3b) C:\WINDOWS\system32\drivers\tbhsd.sys
2011/01/26 10:57:03.0031 Tcpip (4afb3b0919649f95c1964aa1fad27d73) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/26 10:57:03.0078 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/26 10:57:03.0125 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/26 10:57:03.0171 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/26 10:57:03.0265 tifm21 (f779ba4cd37963ab4600c9871b7752a3) C:\WINDOWS\system32\drivers\tifm21.sys
2011/01/26 10:57:03.0437 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/26 10:57:03.0546 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/26 10:57:03.0625 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/01/26 10:57:03.0718 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/01/26 10:57:03.0796 usbbus (5353218b3265e3b8190335059f697a11) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
2011/01/26 10:57:03.0875 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/26 10:57:03.0968 UsbDiag (7dd3eefc62a1ef44e5f940fa651ed9ed) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
2011/01/26 10:57:04.0000 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/26 10:57:04.0078 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/26 10:57:04.0187 USBModem (083031a78822eccbd7510bccd3e20d4c) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
2011/01/26 10:57:04.0250 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/26 10:57:04.0281 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/26 10:57:04.0328 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/26 10:57:04.0375 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/26 10:57:04.0437 VComm (0955553090e0a88614e5b8a02af9324c) C:\WINDOWS\system32\DRIVERS\VComm.sys
2011/01/26 10:57:04.0500 VcommMgr (ea0d7c68dc77b478f1c08022b8afe8ca) C:\WINDOWS\system32\Drivers\VcommMgr.sys
2011/01/26 10:57:04.0562 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/26 10:57:04.0625 VHidMinidrv (95a38e0a1b06109ad2bfb50dd40e31db) C:\WINDOWS\system32\drivers\VHIDMini.sys
2011/01/26 10:57:04.0718 VolSnap (7d6322d2567d94acf1e8c4b79ea1c880) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/26 10:57:04.0734 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/01/26 10:57:04.0953 w29n51 (d6006de6a6ed423d8016a03bc50cbe6b) C:\WINDOWS\system32\DRIVERS\w29n51.sys
2011/01/26 10:57:05.0281 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/26 10:57:05.0406 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/26 10:57:05.0500 wlluc48 (dca17912a1926ae427537648fc0e74d5) C:\WINDOWS\system32\DRIVERS\wlluc48.sys
2011/01/26 10:57:05.0578 wlluc48b (212724e926b6b0cb41cadf579b9bf024) C:\WINDOWS\system32\DRIVERS\wlluc48b.sys
2011/01/26 10:57:05.0671 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/01/26 10:57:05.0765 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/01/26 10:57:05.0812 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/01/26 10:57:05.0906 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/26 10:57:05.0984 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/26 10:57:06.0062 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/26 10:57:06.0062 ================================================================================
2011/01/26 10:57:06.0062 Scan finished
2011/01/26 10:57:06.0062 ================================================================================
2011/01/26 10:57:06.0062 Detected object count: 2
2011/01/26 10:57:21.0359 VolSnap (7d6322d2567d94acf1e8c4b79ea1c880) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/26 10:57:26.0546 Backup copy found, using it..
2011/01/26 10:57:26.0609 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/01/26 10:57:26.0609 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
2011/01/26 10:57:26.0687 \HardDisk0 - will be cured after reboot
2011/01/26 10:57:26.0687 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/26 10:57:32.0093 Deinitialize success
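The TDSSKiller log above has a regular shape that is worth reading mechanically when more than one machine is being triaged: one inventory line per loaded driver (service name, MD5, image path), detection lines that name either a driver service (VolSnap, Rootkit.Win32.TDSS.tdl3) or a kernel device object (\HardDisk0, tdl4, reported against the disk itself rather than a file), and one "User select action" line per detection. The Python below is an added example written for this page; it is not part of the thread and not code from Kaspersky's tool. The sample lines are a constructed excerpt copied from the log posted above, and the service-name/image-name mismatch check is a triage heuristic added here, not something TDSSKiller itself reports.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the TDSSKiller 2.4.15.0 log in the post above
# (the real log lists every loaded driver; only a few lines are kept here).
SAMPLE_LOG = r"""
2011/01/26 10:56:43.0140 Scan started
2011/01/26 10:56:46.0296 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\x001.sys
2011/01/26 10:57:04.0718 VolSnap (7d6322d2567d94acf1e8c4b79ea1c880) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/26 10:57:04.0734 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/01/26 10:57:06.0062 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/26 10:57:06.0062 Scan finished
2011/01/26 10:57:06.0062 Detected object count: 2
2011/01/26 10:57:26.0609 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/01/26 10:57:26.0609 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
2011/01/26 10:57:26.0687 \HardDisk0 - will be cured after reboot
2011/01/26 10:57:26.0687 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""

# Every line starts with a "YYYY/MM/DD HH:MM:SS.mmmm " timestamp.
TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
DRIVER_RE = re.compile(TS + r"(\S+) \(([0-9a-f]{32})\) (.+)$")              # service (md5) path
DETECT_RE = re.compile(TS + r"(\S+) - detected (\S+) \(\d+\)$")              # object - detected threat (n)
ACTION_RE = re.compile(TS + r"(\S+)\((.+)\) - User select action: (\w+)$")  # threat(object) - action
REBOOT_RE = re.compile(TS + r"(.+) - will be cured after reboot$")
COUNT_RE = re.compile(TS + r"Detected object count: (\d+)$")


@dataclass
class Detection:
    obj: str                  # service name, or a device object such as \HardDisk0
    threat: str
    kind: str                 # "driver file", "device object" or "unknown"
    path: str = ""            # image path when the object is a listed driver
    action: str = "none"      # what the operator chose (Cure, Delete, Skip, ...)
    needs_reboot: bool = False


@dataclass
class ScanReport:
    drivers: dict = field(default_factory=dict)    # service name -> (md5, image path)
    detections: list = field(default_factory=list)
    reported_count: int = -1                       # the tool's own "Detected object count"


def parse_tdsskiller(text):
    """Build a ScanReport from TDSSKiller log text."""
    report = ScanReport()
    for line in text.strip().splitlines():
        if m := DRIVER_RE.match(line):
            name, md5, path = m.groups()
            report.drivers[name] = (md5, path)
        elif m := DETECT_RE.match(line):
            obj, threat = m.groups()
            if obj in report.drivers:             # a driver listed earlier in the inventory
                det = Detection(obj, threat, "driver file", report.drivers[obj][1])
            elif obj.startswith("\\"):            # kernel device object, e.g. the disk (MBR) itself
                det = Detection(obj, threat, "device object")
            else:
                det = Detection(obj, threat, "unknown")
            report.detections.append(det)
        elif m := ACTION_RE.match(line):
            threat, obj, action = m.groups()
            for det in report.detections:
                if det.obj == obj and det.threat == threat:
                    det.action = action
        elif m := REBOOT_RE.match(line):
            target = m.group(1)                   # the tool names the file for a driver, the object otherwise
            for det in report.detections:
                if target in (det.obj, det.path):
                    det.needs_reboot = True
        elif m := COUNT_RE.match(line):
            report.reported_count = int(m.group(1))
    return report


def unresolved(report):
    """Detections not cured/deleted, plus whether the tool's own count matches what we parsed."""
    left = [d for d in report.detections if d.action not in ("Cure", "Delete")]
    count_ok = report.reported_count == len(report.detections)
    return left, count_ok


def image_name_mismatches(report):
    """Drivers whose service name differs from the image file stem (added heuristic).

    Only a triage hint: many legitimate drivers do this (Gpc -> msgpc.sys in the
    full log above), but an 'atapi' service backed by x001.sys deserves a manual look.
    """
    out = []
    for name, (_md5, path) in report.drivers.items():
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem.lower() != name.lower():
            out.append((name, path))
    return out


if __name__ == "__main__":
    rep = parse_tdsskiller(SAMPLE_LOG)
    for d in rep.detections:
        print(f"{d.threat:28} {d.kind:14} {d.obj:12} action={d.action} reboot={d.needs_reboot}")
    print("unresolved:", unresolved(rep))
    print("name/image mismatches:", image_name_mismatches(rep))
```

Running it prints the two detections with their classification and confirms both were set to Cure and are pending a reboot, so the "cleared" call in the next post can be checked against the log rather than against the faster boot. The `unresolved` check is the one to keep: a Skip action or a count mismatch means the machine is not clean yet. The mismatch heuristic lists `atapi` because its image is x001.sys; the later ComboFix log in this thread shows atapi.sys restored a few days after x001.sys appeared, which is the kind of thing the hint is meant to surface for a human to judge.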

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:31 AM

Posted 26 January 2011 - 02:28 PM

Hello

Yes, the rootkit has been cleared. Now it is time to sweep up and lock the doors.


update combofix

I would like you to download an updated version of combofix.

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Gringo

#15 JediJoel

JediJoel
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:31 AM

Posted 28 January 2011 - 02:17 PM

I ran ComboFix again and here is the latest log:

ComboFix 11-01-28.01 - G$ 01/28/2011 11:04:06.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.906 [GMT -8:00]
Running from: c:\documents and settings\G$\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\HA4ZwyzeBXm3J.exe
c:\documents and settings\All Users\Application Data\tajymhxtvegigv.exe
c:\documents and settings\All Users\Application Data\uviOqwUFXLstVG.dll
c:\documents and settings\G$\Application Data\Avnyh\enifu.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-28 )))))))))))))))))))))))))))))))
.

2011-01-26 23:21 . 2010-10-19 18:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-25 23:39 . 2011-01-25 23:39 -------- d-----w- C:\Adobe
2011-01-24 20:27 . 2011-01-24 20:27 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-01-24 20:25 . 2011-01-28 19:09 -------- d-----w- c:\documents and settings\G$\Application Data\Avnyh
2011-01-24 20:25 . 2011-01-28 18:34 -------- d-----w- c:\documents and settings\G$\Application Data\Ebtof
2011-01-15 02:31 . 2011-01-15 02:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-01-12 23:05 . 2011-01-12 23:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-01-06 10:13 . 2011-01-06 10:13 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-06 10:13 . 2011-01-06 10:13 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-01-06 10:12 . 2011-01-06 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-01-06 09:52 . 2010-03-16 11:12 96512 ----a-w- c:\windows\system32\drivers\x001.sys
2011-01-02 01:57 . 2010-05-26 18:39 6144 ------w- c:\windows\system32\3.tmp
2011-01-02 01:56 . 2010-05-26 18:39 6144 ------w- c:\windows\system32\2.tmp
2011-01-02 01:32 . 2011-01-02 01:32 -------- d-----w- c:\documents and settings\G$\Application Data\Malwarebytes
2011-01-02 01:32 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-02 01:32 . 2011-01-02 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-02 01:32 . 2011-01-02 01:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-02 01:32 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-02 01:08 . 2011-01-28 18:39 -------- d-----w- c:\program files\Sophos
2010-12-31 21:57 . 2010-12-31 21:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird
2010-12-31 21:57 . 2010-12-31 21:57 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird
2010-12-31 21:57 . 2010-12-31 21:57 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-12-31 19:05 . 2010-12-31 19:05 388096 ----a-r- c:\documents and settings\G$\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-31 19:05 . 2010-12-31 19:05 -------- d-----w- c:\program files\Trend Micro
2010-12-31 01:33 . 2011-01-03 06:15 -------- d-----w- C:\backups
2010-12-30 11:06 . 2011-01-01 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\eIfHo06511

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-26 18:58 . 2001-08-23 12:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-01-09 23:54 . 2001-08-23 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-11-18 18:12 . 2006-08-01 20:17 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-05 05:05 . 2004-01-08 22:23 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05 . 2001-08-23 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-11-03 12:59 . 2004-08-04 05:59 369664 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[-] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce\sp3qfe\spoolsv.exe
[-] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce\sp3gdr\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe

c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2011-01-03_09.37.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-28 18:34 . 2011-01-28 18:34 16384 c:\windows\Temp\Perflib_Perfdata_23c.dat
- 2008-01-23 05:44 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
+ 2008-01-23 05:44 . 2009-05-26 09:01 17272 c:\windows\system32\spmsg.dll
- 2001-08-23 12:00 . 2008-04-14 13:41 80384 c:\windows\system32\iccvid.dll
+ 2001-08-23 12:00 . 2010-06-17 14:03 80384 c:\windows\system32\iccvid.dll
+ 2001-08-23 12:00 . 2011-01-09 23:54 96512 c:\windows\system32\dllcache\atapi.sys
+ 2001-08-23 12:00 . 2008-04-14 13:42 86016 c:\windows\drCS3d.dll
+ 2011-01-26 19:23 . 2010-02-22 14:23 26488 c:\windows\$hf_mig$\KB982665\update\spcustom.dll
+ 2011-01-26 19:23 . 2010-02-22 14:23 17272 c:\windows\$hf_mig$\KB982665\spmsg.dll
+ 2010-06-17 14:02 . 2010-06-17 14:02 80384 c:\windows\$hf_mig$\KB982665\SP3QFE\iccvid.dll
+ 2011-01-26 19:24 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB981322\update\spcustom.dll
+ 2011-01-26 19:24 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB981322\spmsg.dll
+ 2011-01-26 19:24 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB980436\update\spcustom.dll
+ 2011-01-26 19:24 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB980436\spmsg.dll
+ 2011-01-26 19:23 . 2010-02-22 14:23 26488 c:\windows\$hf_mig$\KB2141007\update\spcustom.dll
+ 2011-01-26 19:23 . 2010-02-22 14:23 17272 c:\windows\$hf_mig$\KB2141007\spmsg.dll
+ 2011-01-26 19:24 . 2010-02-22 14:23 26488 c:\windows\$hf_mig$\KB2121546\update\spcustom.dll
+ 2011-01-26 19:24 . 2010-02-22 14:23 17272 c:\windows\$hf_mig$\KB2121546\spmsg.dll
+ 2011-01-26 19:25 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB2115168\update\spcustom.dll
+ 2011-01-26 19:25 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB2115168\spmsg.dll
- 2001-08-23 12:00 . 2008-04-14 13:42 293376 c:\windows\system32\winsrv.dll
+ 2001-08-23 12:00 . 2010-06-18 17:45 293376 c:\windows\system32\winsrv.dll
- 2001-08-23 12:00 . 2008-04-14 13:42 406016 c:\windows\system32\usp10.dll
+ 2001-08-23 12:00 . 2010-04-16 15:36 406016 c:\windows\system32\usp10.dll
+ 2001-08-23 12:00 . 2010-06-30 12:31 149504 c:\windows\system32\schannel.dll
+ 2011-01-28 18:35 . 2011-01-28 18:35 233936 c:\windows\system32\Macromed\Flash\FlashUtil10l_Plugin.exe
+ 2006-08-01 20:17 . 2010-06-09 07:43 692736 c:\windows\system32\inetcomm.dll
- 2008-11-04 04:01 . 2008-11-04 20:01 717296 c:\windows\system32\drivers\sptd.sys
+ 2008-11-04 04:01 . 2008-11-05 04:01 717296 c:\windows\system32\drivers\sptd.sys
+ 2010-06-18 17:45 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2010-04-16 15:36 . 2010-04-16 15:36 406016 c:\windows\system32\dllcache\usp10.dll
+ 2008-12-05 06:54 . 2010-06-30 12:31 149504 c:\windows\system32\dllcache\schannel.dll
+ 2008-11-04 05:12 . 2010-06-09 07:43 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2011-01-26 19:23 . 2010-02-22 14:23 382840 c:\windows\$hf_mig$\KB982665\update\updspapi.dll
+ 2011-01-26 19:23 . 2010-02-22 14:23 755576 c:\windows\$hf_mig$\KB982665\update\update.exe
+ 2011-01-26 19:23 . 2010-02-22 14:23 231288 c:\windows\$hf_mig$\KB982665\spuninst.exe
+ 2011-01-26 19:24 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB981322\update\updspapi.dll
+ 2011-01-26 19:24 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB981322\update\update.exe
+ 2011-01-26 19:24 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB981322\spuninst.exe
+ 2010-04-16 15:29 . 2010-04-16 15:29 406016 c:\windows\$hf_mig$\KB981322\SP3QFE\usp10.dll
+ 2011-01-26 19:24 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB980436\update\updspapi.dll
+ 2011-01-26 19:24 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB980436\update\update.exe
+ 2011-01-26 19:24 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB980436\spuninst.exe
+ 2010-06-30 12:23 . 2010-06-30 12:23 149504 c:\windows\$hf_mig$\KB980436\SP3QFE\schannel.dll
+ 2011-01-26 19:23 . 2010-02-22 14:23 382840 c:\windows\$hf_mig$\KB2141007\update\updspapi.dll
+ 2011-01-26 19:23 . 2010-02-22 14:23 755576 c:\windows\$hf_mig$\KB2141007\update\update.exe
+ 2011-01-26 19:23 . 2010-02-22 14:23 231288 c:\windows\$hf_mig$\KB2141007\spuninst.exe
+ 2010-06-09 07:41 . 2010-06-09 07:41 692736 c:\windows\$hf_mig$\KB2141007\SP3QFE\inetcomm.dll
+ 2011-01-26 19:24 . 2010-02-22 14:23 382840 c:\windows\$hf_mig$\KB2121546\update\updspapi.dll
+ 2011-01-26 19:24 . 2010-02-22 14:23 755576 c:\windows\$hf_mig$\KB2121546\update\update.exe
+ 2011-01-26 19:24 . 2010-02-22 14:23 231288 c:\windows\$hf_mig$\KB2121546\spuninst.exe
+ 2010-06-18 17:43 . 2010-06-18 17:43 293376 c:\windows\$hf_mig$\KB2121546\SP3QFE\winsrv.dll
+ 2011-01-26 19:25 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB2115168\update\updspapi.dll
+ 2011-01-26 19:25 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB2115168\update\update.exe
+ 2011-01-26 19:25 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB2115168\spuninst.exe
+ 2001-08-23 12:00 . 2010-04-28 02:25 2189952 c:\windows\system32\ntoskrnl.exe
- 2001-08-23 12:00 . 2010-02-17 16:10 2189952 c:\windows\system32\ntoskrnl.exe
- 2001-08-17 13:48 . 2010-02-16 13:25 2066816 c:\windows\system32\ntkrnlpa.exe
+ 2001-08-17 13:48 . 2010-04-27 13:05 2066816 c:\windows\system32\ntkrnlpa.exe
+ 2010-01-27 01:07 . 2011-01-28 18:35 5971408 c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2008-11-04 05:51 . 2010-02-17 16:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-11-04 05:51 . 2010-04-28 02:25 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-11-04 05:51 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-11-04 05:51 . 2010-04-27 13:05 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
- 2008-11-04 05:51 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-11-04 05:51 . 2010-04-27 13:05 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-11-04 05:51 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-11-04 05:51 . 2010-04-27 13:59 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2010-03-10 21:19 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe
+ 2010-03-10 21:19 . 2010-06-18 13:36 3558912 c:\windows\system32\dllcache\moviemk.exe
- 2008-11-04 05:51 . 2010-02-17 16:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-11-04 05:51 . 2010-04-28 02:25 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-11-04 05:51 . 2010-04-27 13:05 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-11-04 05:51 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-11-04 05:51 . 2010-04-27 13:05 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-11-04 05:51 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-11-04 05:51 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-11-04 05:51 . 2010-04-27 13:59 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-04-25 94208]
"Persistence"="c:\windows\System32\igfxpers.exe" [2005-04-25 114688]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 405504]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-04-25 77824]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-08-30 286720]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"TrayOK"="c:\program files\TrayIconsOK\TrayIconsOK.exe" [2007-04-24 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\cheesehead\Start Menu\Programs\Startup\
WinIPS.lnk.disabled [2008-6-3 529]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
aqurf.exe [2011-1-24 168960]

c:\documents and settings\G$\Start Menu\Programs\Startup\
TrayIconsOK.lnk - c:\program files\TrayIconsOK\TrayIconsOK.exe [2010-8-18 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-06-01 05:46 110592 ------w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-23 07:24 620152 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]
2009-02-28 00:04 278016 ----a-w- c:\program files\IVT Corporation\BlueSoleil\BtTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 19:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:mIRC
"427:UDP"= 427:UDP:*:Disabled:SLP_Port(427)
"6182:TCP"= 6182:TCP:DigiNet Pop-up

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [6/17/2009 1:01 PM 20744]
R0 ndasfs;ndasfs;c:\windows\system32\drivers\ndasfs.sys [10/20/2009 7:04 PM 561640]
R1 ndasfat;NDAS FAT File System Service;c:\windows\system32\drivers\ndasfat.sys [10/20/2009 7:04 PM 461288]
R1 ndasrofs;NDAS ROFS File System Service;c:\windows\system32\drivers\ndasrofs.sys [10/20/2009 7:04 PM 793576]
R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [6/17/2009 1:02 PM 30088]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/19/2010 10:36 PM 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 9:26 AM 80384]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [6/17/2009 1:01 PM 26248]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\G$\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\G$\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2/27/2009 3:40 PM 143467]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [11/11/2008 11:35 PM 27904]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 5:34 AM 115952]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/3/2008 8:01 PM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2011-01-03 c:\windows\Tasks\BeerSmith Reg.job
- c:\windows\regedit.exe [2001-08-23 13:42]

2010-08-26 c:\windows\Tasks\kill mirc.job
- c:\program files\mIRC\Download\killmirc.bat [2010-08-18 08:48]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{9F798D65-5EDF-4CC6-2C2C-76E76D074C5E} - c:\documents and settings\G$\Application Data\Avnyh\enifu.exe
HKU-Default-Run-TAjymhxtvEgigv.exe - c:\documents and settings\All Users\Application Data\TAjymhxtvEgigv.exe
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-28 11:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"=multi:"system32\drivers\x001.sys\00system32\drivers\iaStor."

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"=multi:"system32\drivers\x001.sys\00system32\drivers\iaStor."

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2011-01-28 11:13:48
ComboFix-quarantined-files.txt 2011-01-28 19:13
ComboFix2.txt 2011-01-11 07:41
ComboFix3.txt 2011-01-03 18:49
ComboFix4.txt 2011-01-03 06:00

Pre-Run: 1,417,359,360 bytes free
Post-Run: 1,409,912,832 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - B5B4CB309BE2416DC32C4342B861D36C



