Some Mean Malware


  • This topic is locked
12 replies to this topic

#1 Megabust

Megabust

  • Members
  • 6 posts

Posted 13 January 2011 - 05:48 PM

Hello, and thank you for your time. What started this seems to be much like what the poster is describing here: http://www.bleepingcomputer.com/forums/topic373174.html

Redirected searches, sounds playing in the background without any human interaction (assuming these are pages loaded behind the desktop).

I have AVG, PC Tools, MBAM, Spybot S&D. None of them want to fix this; however, they have all found elements and have been trying to stop certain actions when browsing.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Brion at 14:03:48.45 on Thu 01/13/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.892 [GMT -7:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
P:\Program Files\peach\SmartPostingService2009.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PC Tools Security\BDT\FGuard.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Brion\Desktop\dds.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PeachtreePrefetcher.exe] "p:\progra~1\peach\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PCTools FGuard] c:\program files\pc tools security\bdt\FGuard.exe
mRun: [Adobe Reader Speed Launcher] "p:\program files\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - p:\program files\office xp\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208213554343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-1-2 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-1-2 338880]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2011-1-2 51984]
R0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-1-2 69392]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2011-1-2 249616]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2011-1-2 247760]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-1-2 632792]
R2 Peachtree SmartPosting 2009;Peachtree SmartPosting 2009;p:\program files\peach\SmartPostingService2009.exe [2008-5-3 49152]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2007-9-5 455968]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-4-14 18176]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2011-1-2 33552]
S3 cpuz129;cpuz129;\??\c:\docume~1\brion\locals~1\temp\cpuz_x32.sys --> c:\docume~1\brion\locals~1\temp\cpuz_x32.sys [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2011-1-2 70536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-1-2 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-1-2 1150936]
S3 ThreatFire;ThreatFire;c:\program files\pc tools security\tfengine\tfservice.exe service --> c:\program files\pc tools security\tfengine\TFService.exe service [?]

=============== Created Last 30 ================

2011-01-12 00:45:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-12 00:38:43 -------- d-sh--w- c:\documents and settings\brion\IECompatCache
2011-01-12 00:38:14 -------- d-sh--w- c:\documents and settings\brion\PrivacIE
2011-01-12 00:36:45 -------- d-sh--w- c:\documents and settings\brion\IETldCache
2011-01-12 00:33:37 -------- d-----w- c:\windows\ie8updates
2011-01-12 00:30:56 -------- dc-h--w- c:\windows\ie8
2011-01-12 00:28:56 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-01-12 00:28:39 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-12 00:28:39 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-01-12 00:28:38 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-11 23:15:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-11 22:35:07 -------- d-----w- c:\docume~1\brion\applic~1\Malwarebytes
2011-01-11 22:34:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-11 22:34:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-11 22:34:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-11 22:34:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-11 22:13:51 -------- d-----w- c:\docume~1\brion\applic~1\AVG
2011-01-11 21:59:43 -------- d--h--w- C:\$AVG
2011-01-11 21:27:28 -------- d-----w- c:\docume~1\brion\applic~1\AVG10
2011-01-11 21:25:51 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-01-11 21:24:50 -------- d-----w- c:\windows\system32\drivers\AVG
2011-01-11 21:24:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-01-11 21:16:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-01-02 17:18:27 69392 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2011-01-02 17:18:27 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2011-01-02 17:18:27 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2011-01-02 17:16:57 -------- d-----w- c:\docume~1\brion\locals~1\applic~1\Threat Expert
2011-01-02 17:12:41 -------- d-----w- c:\docume~1\brion\applic~1\Registry Mechanic
2011-01-02 17:07:46 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2011-01-02 17:07:46 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2011-01-02 17:07:46 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2011-01-02 17:07:46 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2011-01-02 16:51:11 767952 ----a-w- c:\windows\BDTSupport.dll
2011-01-02 16:51:11 1996752 ----a-w- c:\windows\PCTBDCore.dll
2011-01-02 16:51:11 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-01-02 16:51:11 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-01-02 16:47:06 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-01-02 16:47:06 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-01-02 16:47:04 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-01-02 16:46:58 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-01-02 16:46:58 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-01-02 16:46:55 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-01-02 16:46:51 -------- d-----w- c:\program files\PC Tools Security
2011-01-02 16:46:51 -------- d-----w- c:\program files\common files\PC Tools
2011-01-02 16:46:51 -------- d-----w- c:\docume~1\brion\applic~1\PC Tools
2011-01-02 16:45:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-01-02 00:24:18 53248 ----a-w- c:\windows\system32\drivers\sst4A.sys
2011-01-02 00:24:18 0 ----a-w- c:\windows\system32\drivers\sst4A.tmp
2010-12-15 06:04:57 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 06:04:30 45568 -c----w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ------w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 14:11:09.87 ===============

Thanks again for anyone's time and effort.


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 January 2011 - 12:09 AM

Hello Megabust ,


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. IF YOU USE AVG IT MUST BE UNINSTALLED OR THIS WILL NOT RUN.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to megabust.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Megabust

Megabust
  • Topic Starter

  • Members
  • 6 posts

Posted 14 January 2011 - 04:19 PM

Hello and thank you, Tea. I ran ComboFix and had a few problems:

When first opened, I received an error for Firefox (which I do not have):
The instruction at "0x10005382" referenced memory at "0x00000018".... I didn't copy the rest because ComboFix took me out of the desktop.

Then, when ComboFix tried to do a restart, it just turned off and never rebooted. So I waited about 5 minutes and hit the power button. I let ComboFix continue and it produced this log.

Edit ADDED: Still having the same issues after running this: redirected searches and some audio occasionally playing in the background.


ComboFix 11-01-14.01 - Brion 01/14/2011 13:23:13.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1494 [GMT -7:00]
Running from: c:\documents and settings\Brion\Desktop\megabust.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\sst4A.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_sst4A
-------\Service_sst4A


((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
.

2011-01-12 00:45 . 2011-01-12 00:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-12 00:41 . 2011-01-12 00:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-01-12 00:38 . 2011-01-12 00:38 -------- d-sh--w- c:\documents and settings\Brion\IECompatCache
2011-01-12 00:38 . 2011-01-12 00:38 -------- d-sh--w- c:\documents and settings\Brion\PrivacIE
2011-01-12 00:36 . 2011-01-12 00:36 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-01-12 00:36 . 2011-01-12 00:36 -------- d-sh--w- c:\documents and settings\Brion\IETldCache
2011-01-12 00:30 . 2011-01-12 00:32 -------- dc-h--w- c:\windows\ie8
2011-01-12 00:28 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-01-12 00:28 . 2010-11-06 00:26 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-01-12 00:28 . 2010-11-06 00:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-12 00:28 . 2010-11-06 00:26 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-11 23:23 . 2011-01-11 23:23 -------- d-----w- c:\program files\Common Files\Java
2011-01-11 23:15 . 2011-01-12 00:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-11 22:35 . 2011-01-11 22:35 -------- d-----w- c:\documents and settings\Brion\Application Data\Malwarebytes
2011-01-11 22:34 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-11 22:34 . 2011-01-11 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-11 22:34 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-11 22:34 . 2011-01-11 22:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-11 21:59 . 2011-01-11 21:59 -------- d-----w- C:\$AVG
2011-01-11 21:27 . 2011-01-11 21:27 -------- d-----w- c:\documents and settings\Brion\Application Data\AVG10
2011-01-11 21:25 . 2011-01-11 21:25 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-01-11 21:24 . 2011-01-14 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-01-11 21:16 . 2011-01-11 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-01-07 14:06 . 2011-01-07 14:06 -------- d-----w- c:\program files\Common Files\Adobe
2011-01-02 17:18 . 2010-12-02 18:33 69392 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2011-01-02 17:18 . 2010-12-02 18:33 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2011-01-02 17:18 . 2010-12-02 18:33 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2011-01-02 17:16 . 2011-01-02 17:16 -------- d-----w- c:\documents and settings\Brion\Local Settings\Application Data\Threat Expert
2011-01-02 17:12 . 2011-01-11 20:26 -------- d-----w- c:\documents and settings\Brion\Application Data\Registry Mechanic
2011-01-02 17:07 . 2010-09-16 19:26 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2011-01-02 17:07 . 2008-04-02 23:54 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2011-01-02 17:07 . 2008-04-02 23:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2011-01-02 17:07 . 2008-04-02 23:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2011-01-02 16:51 . 2010-12-09 17:48 1996752 ----a-w- c:\windows\PCTBDCore.dll
2011-01-02 16:51 . 2010-12-03 22:34 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-01-02 16:51 . 2010-12-03 22:34 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-01-02 16:51 . 2010-12-03 22:34 767952 ----a-w- c:\windows\BDTSupport.dll
2011-01-02 16:47 . 2010-07-16 21:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-01-02 16:47 . 2010-07-16 21:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-01-02 16:47 . 2010-11-17 17:19 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-01-02 16:46 . 2010-11-25 17:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-01-02 16:46 . 2010-11-25 17:43 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-01-02 16:46 . 2010-11-25 17:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-01-02 16:46 . 2011-01-13 21:02 -------- d-----w- c:\program files\PC Tools Security
2011-01-02 16:46 . 2011-01-02 17:07 -------- d-----w- c:\program files\Common Files\PC Tools
2011-01-02 16:46 . 2011-01-02 16:46 -------- d-----w- c:\documents and settings\Brion\Application Data\PC Tools
2011-01-02 16:46 . 2011-01-14 20:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-01-02 16:45 . 2011-01-02 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-01-02 16:34 . 2011-01-11 21:07 -------- d-----w- c:\documents and settings\Administrator
2011-01-02 00:24 . 2011-01-02 00:24 0 ----a-w- c:\windows\system32\drivers\sst4A.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2008-04-14 06:18 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2007-07-27 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2007-07-27 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2007-07-27 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2007-07-27 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2007-07-27 12:00 385024 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2007-07-27 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2007-07-27 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2007-07-27 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-07 8429568]
"nwiz"="nwiz.exe" [2007-07-07 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-07 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-07 16132608]
"PeachtreePrefetcher.exe"="p:\progra~1\peach\PeachtreePrefetcher.exe" [2008-10-02 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2010-12-03 108496]
"Adobe Reader Speed Launcher"="p:\program files\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - p:\program files\Office Xp\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 06:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 18:00 49152 ----a-w- p:\program files\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/2/2011 9:46 AM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [1/2/2011 9:47 AM 338880]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [1/2/2011 10:18 AM 51984]
R0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [1/2/2011 10:18 AM 69392]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/2/2011 9:47 AM 249616]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [1/2/2011 9:51 AM 247760]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/2/2011 10:07 AM 632792]
R2 Peachtree SmartPosting 2009;Peachtree SmartPosting 2009;p:\program files\peach\SmartPostingService2009.exe [5/3/2008 5:10 PM 49152]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [9/5/2007 11:25 AM 455968]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [4/14/2008 3:48 PM 18176]
S3 cpuz129;cpuz129;\??\c:\docume~1\Brion\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Brion\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [1/2/2011 9:46 AM 70536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [1/2/2011 9:46 AM 366840]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [1/2/2011 10:18 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\PC Tools Security\TFEngine\TFService.exe service --> c:\program files\PC Tools Security\TFEngine\TFService.exe service [?]
.
Contents of the 'Scheduled Tasks' folder

2011-01-14 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]

2011-01-14 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2011-01-02 00:05]

2011-01-14 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2011-01-02 19:26]

2011-01-10 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-04-14 22:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 13:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(828)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(2624)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
p:\program files\Office Xp\Office10\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-01-14 14:10:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-14 21:10

Pre-Run: 79,658,618,880 bytes free
Post-Run: 79,686,270,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=4 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 525323CBDE6B81E43C001253BCCF9510


Thanks again.

Edited by Megabust, 14 January 2011 - 04:28 PM.


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 January 2011 - 04:42 PM

Hi there,

I didn't expect perfection. As you said in your title, this stuff is mean. There is usually not a one-click fix for it. But we'll get it. :thumbup2:

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea

#5 Megabust

Megabust
  • Topic Starter

  • Members
  • 6 posts

Posted 14 January 2011 - 09:24 PM

2011/01/14 19:09:32.0656 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
2011/01/14 19:09:32.0656 ================================================================================
2011/01/14 19:09:32.0656 SystemInfo:
2011/01/14 19:09:32.0656
2011/01/14 19:09:32.0656 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/14 19:09:32.0656 Product type: Workstation
2011/01/14 19:09:32.0656 ComputerName: BRION2008
2011/01/14 19:09:32.0656 UserName: Brion
2011/01/14 19:09:32.0656 Windows directory: C:\WINDOWS
2011/01/14 19:09:32.0656 System windows directory: C:\WINDOWS
2011/01/14 19:09:32.0656 Processor architecture: Intel x86
2011/01/14 19:09:32.0656 Number of processors: 2
2011/01/14 19:09:32.0656 Page size: 0x1000
2011/01/14 19:09:32.0656 Boot type: Normal boot
2011/01/14 19:09:32.0656 ================================================================================
2011/01/14 19:09:32.0828 Initialize success
2011/01/14 19:09:39.0796 ================================================================================
2011/01/14 19:09:39.0796 Scan started
2011/01/14 19:09:39.0796 Mode: Manual;
2011/01/14 19:09:39.0796 ================================================================================
2011/01/14 19:09:40.0109 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/14 19:09:40.0140 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/14 19:09:40.0187 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/14 19:09:40.0234 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/14 19:09:40.0328 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2011/01/14 19:09:40.0359 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/01/14 19:09:40.0421 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/14 19:09:40.0437 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/14 19:09:40.0468 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/14 19:09:40.0500 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/14 19:09:40.0546 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/14 19:09:40.0781 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/14 19:09:40.0812 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/14 19:09:40.0843 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/14 19:09:40.0859 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/14 19:09:41.0078 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/14 19:09:41.0125 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/14 19:09:41.0156 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/14 19:09:41.0187 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/14 19:09:41.0203 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/14 19:09:41.0234 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/14 19:09:41.0281 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/14 19:09:41.0296 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/14 19:09:41.0328 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/14 19:09:41.0328 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/01/14 19:09:41.0359 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/14 19:09:41.0375 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/14 19:09:41.0390 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/14 19:09:41.0406 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/14 19:09:41.0421 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/01/14 19:09:41.0437 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/14 19:09:41.0500 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/14 19:09:41.0546 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/14 19:09:41.0687 IntcAzAudAddService (e37589414437a60797e94c0f57c546db) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/01/14 19:09:41.0734 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/14 19:09:41.0765 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/14 19:09:41.0781 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/14 19:09:41.0812 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/14 19:09:41.0828 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/14 19:09:41.0828 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/14 19:09:41.0859 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/14 19:09:41.0875 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/14 19:09:41.0875 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/14 19:09:41.0906 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/14 19:09:41.0937 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/14 19:09:41.0984 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/14 19:09:42.0000 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/14 19:09:42.0015 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/14 19:09:42.0046 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/14 19:09:42.0062 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/14 19:09:42.0093 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/14 19:09:42.0140 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/14 19:09:42.0156 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/14 19:09:42.0187 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/14 19:09:42.0203 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/14 19:09:42.0218 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/14 19:09:42.0250 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/14 19:09:42.0250 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/14 19:09:42.0265 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/14 19:09:42.0281 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/14 19:09:42.0312 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/14 19:09:42.0312 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/14 19:09:42.0343 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/14 19:09:42.0359 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/14 19:09:42.0375 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/14 19:09:42.0421 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/01/14 19:09:42.0437 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/14 19:09:42.0468 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/14 19:09:42.0500 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/14 19:09:42.0640 nv (f43b110e1e97eb5606ab51aea2a26247) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/01/14 19:09:42.0734 NVENETFD (d875346596bd48d74ac9b9be791b8d69) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/01/14 19:09:42.0765 NVHDA (67217c1482e55da37673e6bc61df18b3) C:\WINDOWS\system32\drivers\nvhda32.sys
2011/01/14 19:09:42.0781 nvnetbus (f02c1c5e84c37667ecd3eea5958449bc) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/01/14 19:09:42.0812 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/14 19:09:42.0828 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/14 19:09:42.0859 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/01/14 19:09:42.0875 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/14 19:09:42.0890 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/14 19:09:42.0906 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/14 19:09:42.0921 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/14 19:09:42.0953 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/14 19:09:42.0968 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/14 19:09:43.0000 PCTCore (6ef125721a9f1f7dbf3229786f7decd0) C:\WINDOWS\system32\drivers\PCTCore.sys
2011/01/14 19:09:43.0031 pctDS (f820b4c61d1e591325b679d479d4eea4) C:\WINDOWS\system32\drivers\pctDS.sys
2011/01/14 19:09:43.0062 pctgntdi (b76c829f00b9b534405b4ed5f58b8f52) C:\WINDOWS\system32\drivers\pctgntdi.sys
2011/01/14 19:09:43.0093 pctplsg (c5c488e6232b29f5744b8f7988a20730) C:\WINDOWS\system32\drivers\pctplsg.sys
2011/01/14 19:09:43.0203 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/14 19:09:43.0218 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/14 19:09:43.0234 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/14 19:09:43.0250 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/14 19:09:43.0328 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/14 19:09:43.0343 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/14 19:09:43.0359 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/14 19:09:43.0375 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/14 19:09:43.0406 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/14 19:09:43.0406 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/14 19:09:43.0437 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/14 19:09:43.0453 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/14 19:09:43.0484 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/14 19:09:43.0546 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/14 19:09:43.0562 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/01/14 19:09:43.0578 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/14 19:09:43.0640 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/01/14 19:09:43.0671 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/14 19:09:43.0687 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/14 19:09:43.0718 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/14 19:09:43.0750 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/14 19:09:43.0781 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/14 19:09:43.0859 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/14 19:09:43.0890 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/14 19:09:43.0921 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/14 19:09:43.0937 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/14 19:09:43.0953 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/14 19:09:43.0984 TfFsMon (18d09508877e3f697866b39e9d0e6dcf) C:\WINDOWS\system32\drivers\TfFsMon.sys
2011/01/14 19:09:44.0000 TfNetMon (c657f352613d8e592efb54cc35f21f5e) C:\WINDOWS\system32\drivers\TfNetMon.sys
2011/01/14 19:09:44.0015 TFSysMon (71e3073419cfda8d60813c1502acc420) C:\WINDOWS\system32\drivers\TfSysMon.sys
2011/01/14 19:09:44.0062 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/14 19:09:44.0109 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/14 19:09:44.0140 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/14 19:09:44.0156 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/14 19:09:44.0156 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/14 19:09:44.0171 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/01/14 19:09:44.0187 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/14 19:09:44.0203 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/14 19:09:44.0234 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/14 19:09:44.0250 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/14 19:09:44.0265 VolSnap (0fd6d2221c85dafe1a1a149972463458) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/14 19:09:44.0265 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 0fd6d2221c85dafe1a1a149972463458, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/01/14 19:09:44.0281 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/01/14 19:09:44.0296 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/14 19:09:44.0328 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/14 19:09:44.0375 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/01/14 19:09:44.0406 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/01/14 19:09:44.0437 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/14 19:09:44.0453 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/14 19:09:44.0578 ================================================================================
2011/01/14 19:09:44.0578 Scan finished
2011/01/14 19:09:44.0578 ================================================================================
2011/01/14 19:09:44.0593 Detected object count: 1
2011/01/14 19:10:21.0781 VolSnap (0fd6d2221c85dafe1a1a149972463458) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/14 19:10:21.0781 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 0fd6d2221c85dafe1a1a149972463458, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/01/14 19:10:22.0062 Backup copy found, using it..
2011/01/14 19:10:22.0062 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/01/14 19:10:22.0062 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
2011/01/14 19:10:37.0453 Deinitialize success

Thanks again! Looks better now, no search redirects and no multiple instances of IE open in my background!!!
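The line that matters in that log is the "Suspicious file (Forged)" entry: TDSSKiller hashed VolSnap.sys by two different routes and got two different MD5s, which is the signature of a rootkit that intercepts reads of its host driver and serves clean-looking bytes to ordinary file access (the TDL3 family does exactly this, and the log names it). A responder working through a stack of such logs wants that entry, the "detected" line, the cure line and the tool's own "Detected object count" collapsed into one record per file, with the count cross-checked against what was actually parsed. The Python below does that. It is an added example written for this page, not TDSSKiller's code and not anything the poster ran; the sample lines are copied from the log above, with one clean Wanarp line kept as a benign control, and the regular expressions assume the 2.4.x log layout shown here.

```python
import re
from typing import Dict, List, Optional

# Lines copied from the TDSSKiller 2.4.13.0 log in the post above, plus one
# clean driver line (Wanarp) so the parser has a benign entry to pass over.
SAMPLE_LOG = r"""2011/01/14 19:09:44.0265 VolSnap (0fd6d2221c85dafe1a1a149972463458) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/14 19:09:44.0265 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 0fd6d2221c85dafe1a1a149972463458, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/01/14 19:09:44.0281 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/01/14 19:09:44.0296 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/14 19:09:44.0593 Detected object count: 1
2011/01/14 19:10:22.0062 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/01/14 19:10:22.0062 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
"""

# Every TDSSKiller line starts with "YYYY/MM/DD HH:MM:SS.mmmm ".
TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ "
# Driver inventory line: service name, md5 of the image, path to the image.
DRIVER_RE = re.compile(TS + r"(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# The verdict line: two hashes for one file that should have agreed.
FORGED_RE = re.compile(TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECT_RE = re.compile(TS + r"(?P<svc>\S+) - detected (?P<name>\S+)")
CURE_RE = re.compile(TS + r"(?P<path>.+?) - will be cured after reboot$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")


def new_record() -> dict:
    return {"service": None, "detection": None, "real_md5": None,
            "fake_md5": None, "cured": False}


def triage(log_text: str) -> dict:
    """Reduce a TDSSKiller log to one record per flagged image file.

    The detection line names a service, not a path, so the driver
    inventory lines are used to map service name to image path. The
    declared object count is compared with the number of files parsed.
    """
    listing: Dict[str, str] = {}   # service name -> image path
    files: Dict[str, dict] = {}    # image path -> record
    declared: Optional[int] = None

    for line in log_text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            listing[m["svc"]] = m["path"]
            continue
        m = FORGED_RE.match(line)
        if m:
            rec = files.setdefault(m["path"], new_record())
            rec["real_md5"], rec["fake_md5"] = m["real"], m["fake"]
            continue
        m = DETECT_RE.match(line)
        if m:
            path = listing.get(m["svc"])
            if path is not None:
                rec = files.setdefault(path, new_record())
                rec["service"], rec["detection"] = m["svc"], m["name"]
            continue
        m = CURE_RE.match(line)
        if m:
            if m["path"] in files:
                files[m["path"]]["cured"] = True
            continue
        m = COUNT_RE.match(line)
        if m:
            declared = int(m["n"])

    return {
        "files": files,
        "declared_count": declared,
        "count_consistent": declared is None or declared == len(files),
    }


def summarize(result: dict) -> List[str]:
    """One line per flagged file, using the tool's own real/fake labels."""
    lines = []
    for path, rec in result["files"].items():
        status = "cure scheduled" if rec["cured"] else "NOT cured"
        lines.append(f"{path} ({rec['service']}): {rec['detection']}; "
                     f"real md5 {rec['real_md5']} vs fake md5 {rec['fake_md5']}; {status}")
    if not result["count_consistent"]:
        lines.append(f"WARNING: tool declared {result['declared_count']} objects, "
                     f"parsed {len(result['files'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

A file that shows up in a forged-hash line but never reaches a "will be cured" line is the case to watch for: the record keeps cured=False and the summary says so, which is the prompt to run the tool again or look at why the cure did not take.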

#6 teacup61 (Malware Response Team)

Posted 15 January 2011 - 12:32 PM

Yay for progress! :clapping:

Better still. :thumbup2: Now, if you would, please, have another run with ComboFix, and we'll see what might be left and get you all finished up. :)

Thanks,
tea

#7 Megabust (Topic Starter)

Posted 15 January 2011 - 03:14 PM

ComboFix 11-01-14.01 - Brion 01/15/2011 12:34:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1389 [GMT -7:00]
Running from: c:\documents and settings\Brion\Desktop\megabust.exe
.

((((((((((((((((((((((((( Files Created from 2010-12-15 to 2011-01-15 )))))))))))))))))))))))))))))))
.

2011-01-14 20:06 . 2011-01-14 21:11 -------- d-----w- C:\megabust
2011-01-12 00:45 . 2011-01-12 00:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-12 00:41 . 2011-01-12 00:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-01-12 00:38 . 2011-01-12 00:38 -------- d-sh--w- c:\documents and settings\Brion\IECompatCache
2011-01-12 00:38 . 2011-01-12 00:38 -------- d-sh--w- c:\documents and settings\Brion\PrivacIE
2011-01-12 00:36 . 2011-01-12 00:36 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-01-12 00:36 . 2011-01-12 00:36 -------- d-sh--w- c:\documents and settings\Brion\IETldCache
2011-01-12 00:30 . 2011-01-12 00:32 -------- dc-h--w- c:\windows\ie8
2011-01-12 00:28 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-01-12 00:28 . 2010-11-06 00:26 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-01-12 00:28 . 2010-11-06 00:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-12 00:28 . 2010-11-06 00:26 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-11 23:23 . 2011-01-11 23:23 -------- d-----w- c:\program files\Common Files\Java
2011-01-11 23:15 . 2011-01-12 00:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-11 22:35 . 2011-01-11 22:35 -------- d-----w- c:\documents and settings\Brion\Application Data\Malwarebytes
2011-01-11 22:34 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-11 22:34 . 2011-01-11 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-11 22:34 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-11 22:34 . 2011-01-11 22:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-11 21:59 . 2011-01-11 21:59 -------- d-----w- C:\$AVG
2011-01-11 21:27 . 2011-01-11 21:27 -------- d-----w- c:\documents and settings\Brion\Application Data\AVG10
2011-01-11 21:25 . 2011-01-11 21:25 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-01-11 21:24 . 2011-01-14 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-01-11 21:16 . 2011-01-11 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-01-07 14:06 . 2011-01-07 14:06 -------- d-----w- c:\program files\Common Files\Adobe
2011-01-02 17:18 . 2010-12-02 18:33 69392 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2011-01-02 17:18 . 2010-12-02 18:33 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2011-01-02 17:18 . 2010-12-02 18:33 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2011-01-02 17:16 . 2011-01-02 17:16 -------- d-----w- c:\documents and settings\Brion\Local Settings\Application Data\Threat Expert
2011-01-02 17:12 . 2011-01-11 20:26 -------- d-----w- c:\documents and settings\Brion\Application Data\Registry Mechanic
2011-01-02 17:07 . 2010-09-16 19:26 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2011-01-02 17:07 . 2008-04-02 23:54 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2011-01-02 17:07 . 2008-04-02 23:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2011-01-02 17:07 . 2008-04-02 23:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2011-01-02 16:51 . 2010-12-09 17:48 1996752 ----a-w- c:\windows\PCTBDCore.dll
2011-01-02 16:51 . 2010-12-03 22:34 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-01-02 16:51 . 2010-12-03 22:34 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-01-02 16:51 . 2010-12-03 22:34 767952 ----a-w- c:\windows\BDTSupport.dll
2011-01-02 16:47 . 2010-07-16 21:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-01-02 16:47 . 2010-07-16 21:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-01-02 16:47 . 2010-11-17 17:19 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-01-02 16:46 . 2010-11-25 17:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-01-02 16:46 . 2010-11-25 17:43 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-01-02 16:46 . 2010-11-25 17:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-01-02 16:46 . 2011-01-13 21:02 -------- d-----w- c:\program files\PC Tools Security
2011-01-02 16:46 . 2011-01-02 17:07 -------- d-----w- c:\program files\Common Files\PC Tools
2011-01-02 16:46 . 2011-01-02 16:46 -------- d-----w- c:\documents and settings\Brion\Application Data\PC Tools
2011-01-02 16:46 . 2011-01-15 02:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-01-02 16:45 . 2011-01-02 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-01-02 16:34 . 2011-01-11 21:07 -------- d-----w- c:\documents and settings\Administrator
2011-01-02 00:24 . 2011-01-02 00:24 0 ----a-w- c:\windows\system32\drivers\sst4A.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-15 02:11 . 2007-07-27 12:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-11-18 18:12 . 2008-04-14 06:18 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2007-07-27 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2007-07-27 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2007-07-27 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2007-07-27 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2007-07-27 12:00 385024 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2007-07-27 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2007-07-27 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2007-07-27 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot@2011-01-14_20.54.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-15 02:11 . 2011-01-15 02:11 16384 c:\windows\Temp\Perflib_Perfdata_790.dat
+ 2007-07-27 12:00 . 2011-01-15 02:16 71594 c:\windows\system32\perfc009.dat
- 2007-07-27 12:00 . 2011-01-14 20:54 71594 c:\windows\system32\perfc009.dat
- 2008-04-14 13:44 . 2011-01-14 20:08 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-14 13:44 . 2011-01-14 20:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-14 13:44 . 2011-01-14 20:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 13:44 . 2011-01-14 20:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-01-12 00:41 . 2011-01-14 20:52 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2011-01-12 00:41 . 2011-01-14 20:08 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2008-04-14 13:44 . 2011-01-14 20:52 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-04-14 13:44 . 2011-01-14 20:08 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-07-27 12:00 . 2011-01-15 02:16 442060 c:\windows\system32\perfh009.dat
- 2007-07-27 12:00 . 2011-01-14 20:54 442060 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-07 8429568]
"nwiz"="nwiz.exe" [2007-07-07 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-07 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-07 16132608]
"PeachtreePrefetcher.exe"="p:\progra~1\peach\PeachtreePrefetcher.exe" [2008-10-02 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2010-12-03 108496]
"Adobe Reader Speed Launcher"="p:\program files\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - p:\program files\Office Xp\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 06:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 18:00 49152 ----a-w- p:\program files\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/2/2011 9:46 AM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [1/2/2011 9:47 AM 338880]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [1/2/2011 10:18 AM 51984]
R0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [1/2/2011 10:18 AM 69392]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/2/2011 9:47 AM 249616]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [1/2/2011 9:51 AM 247760]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/2/2011 10:07 AM 632792]
R2 Peachtree SmartPosting 2009;Peachtree SmartPosting 2009;p:\program files\peach\SmartPostingService2009.exe [5/3/2008 5:10 PM 49152]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [9/5/2007 11:25 AM 455968]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [4/14/2008 3:48 PM 18176]
S3 cpuz129;cpuz129;\??\c:\docume~1\Brion\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Brion\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [1/2/2011 9:46 AM 70536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [1/2/2011 9:46 AM 366840]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [1/2/2011 10:18 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\PC Tools Security\TFEngine\TFService.exe service --> c:\program files\PC Tools Security\TFEngine\TFService.exe service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder

2011-01-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]

2011-01-15 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2011-01-02 00:05]

2011-01-15 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2011-01-02 19:26]

2011-01-10 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-04-14 22:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-15 12:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(808)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(288)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-01-15 12:48:46
ComboFix-quarantined-files.txt 2011-01-15 19:48
ComboFix2.txt 2011-01-14 21:11

Pre-Run: 79,621,091,328 bytes free
Post-Run: 79,729,291,264 bytes free

Current=2 Default=2 Failed=4 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - F3FD16680A17D7D43B986F1FB46A8A6A


Scan went a lot faster with no errors this time.
Thanks

Megabust

#8 teacup61

  • Malware Response Team

Posted 15 January 2011 - 03:33 PM

Good to know it went better.....looks pretty good too! :thumbup2:

Just this one file that doesn't seem to want to go:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::
FILE::
c:\windows\system32\drivers\sst4A.tmp
DRIVER::
sst4A


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#9 Megabust

  • Topic Starter

Posted 15 January 2011 - 09:50 PM

ComboFix 11-01-14.01 - Brion 01/15/2011 19:15:19.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1294 [GMT -7:00]
Running from: c:\documents and settings\Brion\Desktop\megabust.exe
Command switches used :: c:\documents and settings\Brion\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\sst4A.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\sst4A.tmp

.
((((((((((((((((((((((((( Files Created from 2010-12-16 to 2011-01-16 )))))))))))))))))))))))))))))))
.

2011-01-14 20:06 . 2011-01-14 21:11 -------- d-----w- C:\megabust
2011-01-12 00:45 . 2011-01-12 00:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-12 00:41 . 2011-01-12 00:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-01-12 00:38 . 2011-01-12 00:38 -------- d-sh--w- c:\documents and settings\Brion\IECompatCache
2011-01-12 00:38 . 2011-01-12 00:38 -------- d-sh--w- c:\documents and settings\Brion\PrivacIE
2011-01-12 00:36 . 2011-01-12 00:36 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-01-12 00:36 . 2011-01-12 00:36 -------- d-sh--w- c:\documents and settings\Brion\IETldCache
2011-01-12 00:30 . 2011-01-12 00:32 -------- dc-h--w- c:\windows\ie8
2011-01-12 00:28 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-01-12 00:28 . 2010-11-06 00:26 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-01-12 00:28 . 2010-11-06 00:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-12 00:28 . 2010-11-06 00:26 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-11 23:23 . 2011-01-11 23:23 -------- d-----w- c:\program files\Common Files\Java
2011-01-11 23:15 . 2011-01-12 00:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-11 22:35 . 2011-01-11 22:35 -------- d-----w- c:\documents and settings\Brion\Application Data\Malwarebytes
2011-01-11 22:34 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-11 22:34 . 2011-01-11 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-11 22:34 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-11 22:34 . 2011-01-11 22:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-11 21:59 . 2011-01-11 21:59 -------- d-----w- C:\$AVG
2011-01-11 21:27 . 2011-01-11 21:27 -------- d-----w- c:\documents and settings\Brion\Application Data\AVG10
2011-01-11 21:25 . 2011-01-11 21:25 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-01-11 21:24 . 2011-01-14 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-01-11 21:16 . 2011-01-11 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-01-07 14:06 . 2011-01-07 14:06 -------- d-----w- c:\program files\Common Files\Adobe
2011-01-02 17:18 . 2010-12-02 18:33 69392 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2011-01-02 17:18 . 2010-12-02 18:33 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2011-01-02 17:18 . 2010-12-02 18:33 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2011-01-02 17:16 . 2011-01-02 17:16 -------- d-----w- c:\documents and settings\Brion\Local Settings\Application Data\Threat Expert
2011-01-02 17:12 . 2011-01-11 20:26 -------- d-----w- c:\documents and settings\Brion\Application Data\Registry Mechanic
2011-01-02 17:07 . 2010-09-16 19:26 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2011-01-02 17:07 . 2008-04-02 23:54 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2011-01-02 17:07 . 2008-04-02 23:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2011-01-02 17:07 . 2008-04-02 23:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2011-01-02 16:51 . 2010-12-09 17:48 1996752 ----a-w- c:\windows\PCTBDCore.dll
2011-01-02 16:51 . 2010-12-03 22:34 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-01-02 16:51 . 2010-12-03 22:34 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-01-02 16:51 . 2010-12-03 22:34 767952 ----a-w- c:\windows\BDTSupport.dll
2011-01-02 16:47 . 2010-07-16 21:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-01-02 16:47 . 2010-07-16 21:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-01-02 16:47 . 2010-11-17 17:19 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-01-02 16:46 . 2010-11-25 17:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-01-02 16:46 . 2010-11-25 17:43 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-01-02 16:46 . 2010-11-25 17:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-01-02 16:46 . 2011-01-13 21:02 -------- d-----w- c:\program files\PC Tools Security
2011-01-02 16:46 . 2011-01-02 17:07 -------- d-----w- c:\program files\Common Files\PC Tools
2011-01-02 16:46 . 2011-01-02 16:46 -------- d-----w- c:\documents and settings\Brion\Application Data\PC Tools
2011-01-02 16:46 . 2011-01-16 02:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-01-02 16:45 . 2011-01-02 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-01-02 16:34 . 2011-01-11 21:07 -------- d-----w- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-15 02:11 . 2007-07-27 12:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-11-18 18:12 . 2008-04-14 06:18 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2007-07-27 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2007-07-27 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2007-07-27 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2007-07-27 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2007-07-27 12:00 385024 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2007-07-27 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2007-07-27 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2007-07-27 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot@2011-01-14_20.54.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-16 02:24 . 2011-01-16 02:24 16384 c:\windows\temp\Perflib_Perfdata_794.dat
+ 2007-07-27 12:00 . 2011-01-15 02:16 71594 c:\windows\system32\perfc009.dat
- 2007-07-27 12:00 . 2011-01-14 20:54 71594 c:\windows\system32\perfc009.dat
+ 2008-04-14 13:44 . 2011-01-16 02:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-14 13:44 . 2011-01-14 20:08 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-14 13:44 . 2011-01-16 02:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-14 13:44 . 2011-01-14 20:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-01-12 00:41 . 2011-01-14 20:08 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2011-01-12 00:41 . 2011-01-16 02:11 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2008-04-14 13:44 . 2011-01-14 20:08 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-01-16 02:11 . 2011-01-16 02:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-07-27 12:00 . 2011-01-15 02:16 442060 c:\windows\system32\perfh009.dat
- 2007-07-27 12:00 . 2011-01-14 20:54 442060 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-07 8429568]
"nwiz"="nwiz.exe" [2007-07-07 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-07 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-07 16132608]
"PeachtreePrefetcher.exe"="p:\progra~1\peach\PeachtreePrefetcher.exe" [2008-10-02 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2010-12-03 108496]
"Adobe Reader Speed Launcher"="p:\program files\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - p:\program files\Office Xp\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 06:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 18:00 49152 ----a-w- p:\program files\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/2/2011 9:46 AM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [1/2/2011 9:47 AM 338880]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [1/2/2011 10:18 AM 51984]
R0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [1/2/2011 10:18 AM 69392]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/2/2011 9:47 AM 249616]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [1/2/2011 9:51 AM 247760]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/2/2011 10:07 AM 632792]
R2 Peachtree SmartPosting 2009;Peachtree SmartPosting 2009;p:\program files\peach\SmartPostingService2009.exe [5/3/2008 5:10 PM 49152]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [9/5/2007 11:25 AM 455968]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [4/14/2008 3:48 PM 18176]
S3 cpuz129;cpuz129;\??\c:\docume~1\Brion\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Brion\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [1/2/2011 9:46 AM 70536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [1/2/2011 9:46 AM 366840]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [1/2/2011 10:18 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\PC Tools Security\TFEngine\TFService.exe service --> c:\program files\PC Tools Security\TFEngine\TFService.exe service [?]
.
Contents of the 'Scheduled Tasks' folder

2011-01-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]

2011-01-16 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2011-01-02 00:05]

2011-01-15 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2011-01-02 19:26]

2011-01-10 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-04-14 22:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-15 19:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(808)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(1104)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-01-15 19:28:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-16 02:28
ComboFix2.txt 2011-01-15 19:48
ComboFix3.txt 2011-01-14 21:11

Pre-Run: 79,757,344,768 bytes free
Post-Run: 79,738,818,560 bytes free

Current=2 Default=2 Failed=4 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - B008E6006EBD18C226CEF49D9D39FBF0


Ty,

Megabust

#10 teacup61

  • Malware Response Team

Posted 19 January 2011 - 01:36 PM

Hello there,

I'm sorry for my absence. :(

Looks like that file stayed gone this time. How is it running now please?

tea

#11 Megabust

  • Topic Starter

Posted 19 January 2011 - 04:01 PM

As far as I know everything seems to be running great...

I guess my biggest concern is how to stop this from happening again. I use AVG, SpyBot S&D, MBAM; are there some other applications I should add to my arsenal?
Should I reinstall my AVG on this machine or will we be running the combofix again?

Thanks so much for your help and I hope you're feeling better!

Megabust

#12 teacup61

  • Malware Response Team

Posted 19 January 2011 - 04:58 PM

Hello,

Thank you for the kind words. I do feel better today, thanks. :)

Go ahead and reinstall AVG after you uninstall ComboFix.

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

I use AVG, SpyBot S&D, MBAM

Those should be sufficient. No program can catch everything, and too much protection is worse than not enough.

If you have any questions or concerns please feel free to let me know. Otherwise.....

Take care,
tea

#13 teacup61

  • Malware Response Team

Posted 12 February 2011 - 02:57 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.