Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help needed with removal of Antivirus Scan


  • This topic is locked This topic is locked
2 replies to this topic

#1 maddeningloop

maddeningloop

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:44 AM

Posted 14 January 2011 - 08:13 PM

Hi there, computer has just been infected, I need some help with the Hijack Log. I will post DDS below. I think my laptop is 64-bit, so hopefully GMER is not required? It does however say something about infected rootkits in the DDS so I've posted it anyway... Thanks in advance, Emma



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 00:52:45, on 15/01/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18999)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Administrator\Downloads\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8075
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Maxtor Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [VAIOCameraUtility] "C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [snmcawerox.exe] "C:\Users\Administrator\AppData\Local\Temp\snmcawerox.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MFJJEC0A1L] C:\Users\ADMINI~1\AppData\Local\Temp\Rvk.exe
O4 - HKCU\..\Run: [JP595IR86O] C:\Users\ADMINI~1\AppData\Local\Temp\Rvf.exe
O4 - HKCU\..\Run: [NtWqIVLZEWZU] C:\Users\ADMINI~1\AppData\Local\Temp\Rvn.exe
O4 - HKCU\..\Run: [vplifssd] C:\Users\ADMINI~1\AppData\Local\Temp\qofermhsl\bikgcyyusbs.exe
O4 - HKLM\..\Policies\Explorer\Run: [uwuppi] C:\Windows\system32\NTDOSN.exe
O4 - HKLM\..\Policies\Explorer\Run: [Qpyqihohr] C:\Windows\system32\wvc1dmodv.exe
O4 - HKLM\..\Policies\Explorer\Run: [Dmplz] C:\Windows\system32\jscript7.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Maxtor Scheduler2 Service (MaxSch2Svc) - Maxtor - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ShadowExplorer Service (sesvc) - www.shadowexplorer.com - C:\Program Files\ShadowExplorer\sesvc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\stacsv.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6970 bytes




DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Administrator at 1:05:31.58 on 15/01/2011
Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_07
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1369 [GMT 0:00]

AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Administrator\Downloads\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:8075
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MFJJEC0A1L] c:\users\admini~1\appdata\local\temp\Rvk.exe
uRun: [JP595IR86O] c:\users\admini~1\appdata\local\temp\Rvf.exe
uRun: [NtWqIVLZEWZU] c:\users\admini~1\appdata\local\temp\Rvn.exe
uRun: [vplifssd] c:\users\admini~1\appdata\local\temp\qofermhsl\bikgcyyusbs.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [O2] "c:\program files\o2\bin\sprtcmd.exe" /P O2
mRun: [MaxBlastMonitor.exe] c:\program files\maxtor\maxblast\MaxBlastMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\maxtor\maxblast\TimounterMonitor.exe
mRun: [Maxtor Scheduler2 Service] "c:\program files\common files\maxtor\schedule2\schedhlp.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [snmcawerox.exe] "c:\users\administrator\appdata\local\temp\snmcawerox.exe"
mExplorerRun: [uwuppi] c:\windows\system32\NTDOSN.exe
mExplorerRun: [Qpyqihohr] c:\windows\system32\wvc1dmodv.exe
mExplorerRun: [Dmplz] c:\windows\system32\jscript7.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\progra~1\java\jre16~2.0_0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: o2.co.uk\*.broadband
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: avgrsstx.dll
SEH: {93994DE8-8239-4655-B1D1-5F4E91300429} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\lp43652w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: SkipScreen: SkipScreen@SkipScreen - %profile%\extensions\SkipScreen@SkipScreen

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-30 243024]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2008-10-31 270888]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2008-12-21 65576]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-30 216400]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-30 29584]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
S1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-9-23 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-9-23 308136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MaxSch2Svc;Maxtor Scheduler2 Service;c:\program files\common files\maxtor\schedule2\schedul2.exe [2008-6-27 431384]
S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
S2 SbPF.Launcher;SbPF.Launcher;c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [2008-10-31 95528]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-9-1 809296]
S2 sesvc;ShadowExplorer Service;c:\program files\shadowexplorer\sesvc.exe [2010-5-10 9216]
S2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [2008-10-31 1365288]
S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2009-3-4 202016]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2007-4-26 74240]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2007-4-26 43904]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2007-4-26 31104]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-4-23 812544]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\frameworkservice.exe" /servicestart --> c:\program files\mcafee\common framework\FrameworkService.exe [?]

=============== Created Last 30 ================

2011-01-15 00:30:29 213504 ----a-w- c:\windows\Rxymeb.exe
2011-01-14 23:04:43 -------- d-----w- c:\users\admini~1\appdata\roaming\3D7AEA71F70D859FEBA4160DCFCC7AE3
2011-01-14 22:29:09 213504 ----a-w- c:\windows\Rxymea.exe
2011-01-14 22:28:51 94208 --sha-r- c:\windows\system32\jscript7.exe
2011-01-14 22:28:49 94208 --sha-r- c:\windows\system32\wvc1dmodv.exe
2011-01-14 22:28:49 94208 --sha-r- c:\windows\system32\NTDOSN.exe
2011-01-12 20:48:34 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2011-01-12 20:48:34 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
2011-01-12 20:48:34 409600 ----a-w- c:\windows\system32\odbc32.dll
2011-01-12 20:48:34 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
2011-01-12 20:48:34 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
2011-01-12 20:48:34 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
2011-01-12 20:48:31 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-21 21:18:40 -------- d-----w- C:\cc8130b366df12a8aa2c7473bd

==================== Find3M ====================

2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-06 11:10:29 345088 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-06 11:10:13 357376 ----a-w- c:\windows\system32\taskschd.dll
2010-11-06 11:10:13 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-06 11:09:57 603648 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-05 00:53:47 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:02:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:03:07 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 12:56:58 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-18 14:01:05 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:56:44 2037248 ----a-w- c:\windows\system32\win32k.sys
2009-04-18 23:03:19 643072 ----a-w- c:\program files\JoyToKey.exe
2009-04-08 13:30:25 3067803 ----a-r- c:\program files\ComboFix.exe
2008-05-07 00:09:25 6416469 ----a-w- c:\program files\realalt180.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6001 Disk: FUJITSU_ rev.0000 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86EE4555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86eea7b0]; MOV EAX, [0x86eea82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x830D005F] -> \Device\Harddisk0\DR0[0x86EBBAC8]
3 CLASSPNP[0x893A7745] -> ntkrnlpa!IofCallDriver[0x830D005F] -> [0x8641E748]
5 acpi[0x8369B6A0] -> ntkrnlpa!IofCallDriver[0x830D005F] -> [0x86420030]
\Driver\iaStor[0x86EC3F38] -> IRP_MJ_CREATE -> 0x86EE4555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskFUJITSU_MHW2120BH_______________________00000012#4&295f162b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 1:07:28.06 ===============





GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-15 01:42:15
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\iaStor0 FUJITSU_ rev.0000
Running: gmer.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\kxldapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwClose [0x807AC160]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateFile [0x807AB868]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateKey [0x807A8320]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcess [0x807AAE90]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcessEx [0x807AAD9C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateThread [0x807AB3FC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteFile [0x807AC210]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteKey [0x807A8786]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteValueKey [0x807A8846]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenFile [0x807ABB54]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenKey [0x807A85CA]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwResumeThread [0x807AB4EC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetInformationFile [0x807ABE8C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetValueKey [0x807A89BC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwWriteFile [0x807ABDE0]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateThreadEx [0x807AB48E]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateUserProcess [0x807AAF82]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 3DC 830CCAA0 4 Bytes [60, C1, 7A, 80]
.text ntkrnlpa.exe!KeSetTimerEx + 40C 830CCAD0 4 Bytes [68, B8, 7A, 80]
.text ntkrnlpa.exe!KeSetTimerEx + 41C 830CCAE0 4 Bytes [20, 83, 7A, 80]
.text ntkrnlpa.exe!KeSetTimerEx + 43C 830CCB00 8 Bytes [90, AE, 7A, 80, 9C, AD, 7A, ...] {NOP ; SCASB ; JP 0xffffffffffffff84; PUSHF ; LODSD ; JP 0xffffffffffffff88}
.text ntkrnlpa.exe!KeSetTimerEx + 454 830CCB18 4 Bytes [FC, B3, 7A, 80]
.text ...
? C:\Users\ADMINI~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[212] ntdll.dll!NtProtectVirtualMemory 77BF8968 5 Bytes JMP 0036000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[212] ntdll.dll!NtWriteVirtualMemory 77BF92A8 5 Bytes JMP 0037000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[212] ntdll.dll!KiUserExceptionDispatcher 77BF99E8 5 Bytes JMP 0035000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[212] USER32.dll!CreateWindowExW 769E3D67 5 Bytes JMP 71FBDB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[212] USER32.dll!DialogBoxParamW 769F1FD5 5 Bytes JMP 71EE5501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[560] ntdll.dll!NtProtectVirtualMemory 77BF8968 5 Bytes JMP 009B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[560] ntdll.dll!NtWriteVirtualMemory 77BF92A8 5 Bytes JMP 009C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[560] ntdll.dll!KiUserExceptionDispatcher 77BF99E8 5 Bytes JMP 009A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[560] USER32.dll!SetWindowsHookExW 769D7B69 5 Bytes JMP 71FB9AE9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[560] USER32.dll!CallNextHookEx 769D8C33 5 Bytes JMP 71FAD145 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[560] USER32.dll!CreateWindowExW 769E3D67 5 Bytes JMP 71FBDB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[560] USER32.dll!DialogBoxParamW 769F1FD5 5 Bytes JMP 71EE5501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[560] USER32.dll!UnhookWindowsHookEx 76A008BE 5 Bytes JMP 71F24696 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[560] ole32.dll!CoCreateInstance 76ABE2D8 5 Bytes JMP 71FBDBA0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[572] ntdll.dll!NtProtectVirtualMemory 77BF8968 5 Bytes JMP 0099000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[572] ntdll.dll!NtWriteVirtualMemory 77BF92A8 5 Bytes JMP 009A000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[572] ntdll.dll!KiUserExceptionDispatcher 77BF99E8 5 Bytes JMP 0098000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[572] USER32.dll!SetWindowsHookExW 769D7B69 5 Bytes JMP 71FB9AE9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[572] USER32.dll!CallNextHookEx 769D8C33 5 Bytes JMP 71FAD145 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[572] USER32.dll!CreateWindowExW 769E3D67 5 Bytes JMP 71FBDB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[572] USER32.dll!DialogBoxParamW 769F1FD5 5 Bytes JMP 71EE5501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[572] USER32.dll!UnhookWindowsHookEx 76A008BE 5 Bytes JMP 71F24696 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[572] ole32.dll!CoCreateInstance 76ABE2D8 5 Bytes JMP 71FBDBA0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtProtectVirtualMemory 77BF8968 5 Bytes JMP 008D000A
.text C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtWriteVirtualMemory 77BF92A8 5 Bytes JMP 008E000A
.text C:\Windows\system32\svchost.exe[1028] ntdll.dll!KiUserExceptionDispatcher 77BF99E8 5 Bytes JMP 008C000A
.text C:\Windows\system32\svchost.exe[1028] ole32.dll!CoCreateInstance 76ABE2D8 5 Bytes JMP 00BD000A
.text C:\Windows\system32\svchost.exe[1028] USER32.dll!GetCursorPos 769F0F5E 5 Bytes JMP 0092000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1676] ntdll.dll!NtProtectVirtualMemory 77BF8968 5 Bytes JMP 00A1000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1676] ntdll.dll!NtWriteVirtualMemory 77BF92A8 5 Bytes JMP 00A6000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1676] ntdll.dll!KiUserExceptionDispatcher 77BF99E8 5 Bytes JMP 007E000A
.text C:\Windows\Explorer.EXE[1720] ntdll.dll!NtProtectVirtualMemory 77BF8968 5 Bytes JMP 0050000A
.text C:\Windows\Explorer.EXE[1720] ntdll.dll!NtWriteVirtualMemory 77BF92A8 5 Bytes JMP 0051000A
.text C:\Windows\Explorer.EXE[1720] ntdll.dll!KiUserExceptionDispatcher 77BF99E8 5 Bytes JMP 004F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1840] ntdll.dll!NtProtectVirtualMemory 77BF8968 5 Bytes JMP 0191000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1840] ntdll.dll!NtWriteVirtualMemory 77BF92A8 5 Bytes JMP 0192000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1840] ntdll.dll!KiUserExceptionDispatcher 77BF99E8 5 Bytes JMP 00AE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!CreateWindowExW 769E3D67 5 Bytes JMP 71FBDB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!DialogBoxParamW 769F1FD5 5 Bytes JMP 71EE5501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\tdx \Device\Udp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskFUJITSU_MHW2120BH_______________________00000012#4&295f162b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF4 0xCE 0x4F 0x85 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDF 0xB8 0x8E 0xBE ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2E 0xC8 0x5F 0x34 ...
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{20df4009-c1fe-4c67-827c-e9fab185ce0b}@Dhcpv6Iaid 251789396
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{20df4009-c1fe-4c67-827c-e9fab185ce0b}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{696839dc-42cd-4577-8d3c-ac35f6dfb452}@Dhcpv6Iaid 268442487
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{696839dc-42cd-4577-8d3c-ac35f6dfb452}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{93eaf8b0-c9ec-4f63-9f11-e8d9999e36eb}@Dhcpv6Iaid 201331625
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{93eaf8b0-c9ec-4f63-9f11-e8d9999e36eb}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{9c642153-bfe0-4511-a0b6-e778ddd5ea9e}@Dhcpv6Iaid 117445666
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{9c642153-bfe0-4511-a0b6-e778ddd5ea9e}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{ee745858-1ba0-4590-a101-403d0e89fbbe}@Dhcpv6Iaid 151001554
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{ee745858-1ba0-4590-a101-403d0e89fbbe}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f50c0996-5b4a-4c6a-a322-6e991d4caa0e}@Dhcpv6Iaid 100668450
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f50c0996-5b4a-4c6a-a322-6e991d4caa0e}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{ffdcc38d-f871-444c-a46a-5543eb92fccf}@Dhcpv6Iaid 335544320
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{ffdcc38d-f871-444c-a46a-5543eb92fccf}@Dhcpv6State 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF4 0xCE 0x4F 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDF 0xB8 0x8E 0xBE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2E 0xC8 0x5F 0x34 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{20df4009-c1fe-4c67-827c-e9fab185ce0b}@Dhcpv6Iaid 251789396
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{20df4009-c1fe-4c67-827c-e9fab185ce0b}@Dhcpv6State 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{696839dc-42cd-4577-8d3c-ac35f6dfb452}@Dhcpv6Iaid 268442487
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{696839dc-42cd-4577-8d3c-ac35f6dfb452}@Dhcpv6State 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{93eaf8b0-c9ec-4f63-9f11-e8d9999e36eb}@Dhcpv6Iaid 201331625
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{93eaf8b0-c9ec-4f63-9f11-e8d9999e36eb}@Dhcpv6State 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{9c642153-bfe0-4511-a0b6-e778ddd5ea9e}@Dhcpv6Iaid 117445666
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{9c642153-bfe0-4511-a0b6-e778ddd5ea9e}@Dhcpv6State 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{ee745858-1ba0-4590-a101-403d0e89fbbe}@Dhcpv6Iaid 151001554
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{ee745858-1ba0-4590-a101-403d0e89fbbe}@Dhcpv6State 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{f50c0996-5b4a-4c6a-a322-6e991d4caa0e}@Dhcpv6Iaid 100668450
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{f50c0996-5b4a-4c6a-a322-6e991d4caa0e}@Dhcpv6State 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{ffdcc38d-f871-444c-a46a-5543eb92fccf}@Dhcpv6Iaid 335544320
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{ffdcc38d-f871-444c-a46a-5543eb92fccf}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF4 0xCE 0x4F 0x85 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDF 0xB8 0x8E 0xBE ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2E 0xC8 0x5F 0x34 ...
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{20df4009-c1fe-4c67-827c-e9fab185ce0b}@Dhcpv6Iaid 251789396
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{20df4009-c1fe-4c67-827c-e9fab185ce0b}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{696839dc-42cd-4577-8d3c-ac35f6dfb452}@Dhcpv6Iaid 268442487
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{696839dc-42cd-4577-8d3c-ac35f6dfb452}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{93eaf8b0-c9ec-4f63-9f11-e8d9999e36eb}@Dhcpv6Iaid 201331625
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{93eaf8b0-c9ec-4f63-9f11-e8d9999e36eb}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{9c642153-bfe0-4511-a0b6-e778ddd5ea9e}@Dhcpv6Iaid 117445666
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{9c642153-bfe0-4511-a0b6-e778ddd5ea9e}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{ee745858-1ba0-4590-a101-403d0e89fbbe}@Dhcpv6Iaid 151001554
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{ee745858-1ba0-4590-a101-403d0e89fbbe}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{f50c0996-5b4a-4c6a-a322-6e991d4caa0e}@Dhcpv6Iaid 100668450
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{f50c0996-5b4a-4c6a-a322-6e991d4caa0e}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{ffdcc38d-f871-444c-a46a-5543eb92fccf}@Dhcpv6Iaid 335544320
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip6\Parameters\Interfaces\{ffdcc38d-f871-444c-a46a-5543eb92fccf}@Dhcpv6State 0

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSXU2BMU\M_A_o_S[1].htm 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ad.yieldmanager[1].txt 818 bytes

---- EOF - GMER 1.0.15 ----

Edited by maddeningloop, 14 January 2011 - 08:43 PM.


BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:44 AM

Posted 18 January 2011 - 04:29 AM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



IMPORTANT NOTE: :exclame:

If the system has been used after topic creation time we need to take a look at fresh logs. So, please post fresh copies of dds.txt & attach.txt logs.



Regards,
Georgi :hello:

cXfZ4wS.png


#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:44 AM

Posted 25 January 2011 - 09:23 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users