I was doing some Google image searching online and appear to have contracted a browser hijack via an image download!
Since then, I had a LOT of trouble booting back into Windows. Windows would freeze at my wallpaper before loading my desktop icons and start menu. I was able to get past it by disabling a couple of extra "explorer.exe" processes, some process-kill guessing and several restarts. My start bar looks more like a Win98 Start bar now.
Following this, now when I do a Google search, clicking on a result begins to redirect to yafraudcheckonline, at which point I quickly close the browser.
I am running Windows XP Pro SP3, IE8 and CA Anti-Virus.
My DDS log is included below and the Attach log is attached. I will attach the GMER log in a separate file because last time I ran it, my PC died and it took ages to get back this far. So if there's a delay between this post and my next that includes the GMER log, it's because I'm trying to run it. Like many others no doubt, at this point I am SUPER-DESPERATE! Any help I can get to remove these issues is VERY much appreciated!
EDIT: Ark.log now attached. It was too big to attach directly so I had to ZIP it first. I don't know why it was so big. I followed the instructions in the Preparation Guide (unchecking IAT/EAT, Non-C Drives and Show All). And yes... it broke my PC towards the end of running it. But it's here now! See attached. Cheers!

Thanks very much!!!!
Regards,
Stanbridge
DDS
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 10:35:58.50 on Thu 10/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2264 [GMT 11:00]
.
AV: CA Anti-Virus Plus *Enabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
FW: CA Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CA\CA Internet Security Suite\ccEvtMgr.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AutoMate 5\AM5HkWnd.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\AutoMate 5\AutoMate5Svc.exe
C:\SOFTWARE\TimesheetAssistant.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Notepad++\nppIExplorerShell.exe
C:\WINDOWS\system32\wuauclt.exe
C:\temp\AV\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.nitropdf.com/services/LinkRedirector.aspx?lr_prod=Primo&lr_name=welcome&lr_loc=en-US&lr_src=primo&name=&email=&company=&language=1033
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CA Anti-Phishing Toolbar Helper: {45011cf5-e4a9-4f13-9093-f30a784eb9b2} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: CA Anti-Phishing Toolbar: {0123b506-0ad9-43aa-b0cf-916c122ad4c5} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [DIMDownloading your update...1285781003180] "c:\program files\corel\coreldraw graphics suite x5\photo-paint\dim.exe" "c:\documents and settings\all users\application data\corel\downloads\540215253_807001\1285781003180\dim_params.xml" -launch=3 -uibase="c:\documents and settings\administrator\application data\corel\messages\540215253_807001\en\messagecache1\workflow"
uRun: [pronto] "c:\program files\wimba\pronto\pronto.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AutoMate5] c:\program files\automate 5\AM5HkWnd.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\custom~1.lnk - c:\program files\ultravnc\vncviewer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timesh~1.lnk - c:\software\TimesheetAssistant.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open With GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://wsus.bne-staff.rpdata.net.au:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://wsus.bne-staff.rpdata.net.au:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1297055890000
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1297055882421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: PFW - UmxWnp.Dll
AppInit_DLLs: UmxSbxExw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0flgfuuu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\firefox\components\CAFxToolBar.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\0flgfuuu.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: CA Anti-Phishing Toolbar: caaphishtoolbar@ca.com - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\Firefox
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2010-9-17 135248]
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2010-5-3 108112]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2010-3-22 79864]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2010-9-24 61008]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2010-9-24 115792]
R2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\CAAMSvc.exe [2011-2-25 206152]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2011-2-25 212992]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2011-2-25 206160]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2010-9-24 146000]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2010-9-24 61008]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2010-8-24 740160]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2010-9-17 301648]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2010-6-9 244304]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2011-2-17 10688]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-23 136176]
S2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2011-3-7 712704]
S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [2009-3-27 598656]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-03-07 04:09:01 625664 ----a-w- c:\temp\av\dds.scr
2011-03-04 03:06:23 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-03-04 03:06:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 03:06:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-04 03:06:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-04 03:06:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-04 03:03:33 36744 ----a-w- c:\windows\system32\msdnldr.exe
2011-03-02 00:03:57 -------- d-----w- c:\windows\system32\appmgmt
2011-03-01 23:39:01 -------- d-----w- c:\program files\UltraVNC
2011-03-01 23:29:26 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Installer3224
2011-03-01 23:19:20 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Installer3280
2011-03-01 04:56:35 3080237 ----a-w- c:\windows\system32\Msowc.dll
2011-03-01 04:24:19 -------- d-----w- c:\program files\Cityscope Publications
2011-03-01 04:23:32 74000 ----a-w- c:\program files\common files\microsoft shared\database replication\REPLRES.DLL
2011-03-01 04:23:32 213264 ----a-w- c:\program files\common files\microsoft shared\database replication\REPLPROV.DLL
2011-03-01 04:23:32 127248 ----a-w- c:\program files\common files\microsoft shared\database replication\REPLREC.DLL
2011-03-01 04:23:16 56832 ----a-w- c:\program files\common files\microsoft shared\msdesigners98\resources\1033\MDT2DBUI.DLL
2011-03-01 04:23:16 53760 ----a-w- c:\program files\common files\microsoft shared\msdesigners98\resources\1033\MDT2QDUI.DLL
2011-03-01 04:23:16 14336 ----a-w- c:\program files\common files\microsoft shared\msdesigners98\resources\1033\MDT2DDUI.DLL
2011-03-01 04:23:15 20080 ----a-w- c:\windows\system32\WINSSPI.DLL
2011-03-01 04:23:14 32768 ----a-w- c:\windows\system32\hlinkprx.dll
2011-03-01 04:23:12 68080 ----a-w- c:\windows\system32\DIMM.DLL
2011-03-01 04:22:55 31744 ----a-w- c:\windows\system32\hlp95en.dll
2011-03-01 04:22:55 -------- d-----w- c:\program files\Snapshot Viewer
2011-03-01 02:03:50 -------- d-----w- c:\docume~1\admini~1\applic~1\PrimoPDF
2011-02-28 04:31:07 -------- d-----w- c:\program files\PeerBlock
2011-02-28 03:59:10 -------- d-----w- c:\docume~1\admini~1\applic~1\HorizonWimba
2011-02-28 03:56:22 -------- d-----w- c:\program files\Wimba
2011-02-27 23:03:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-02-27 23:03:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-02-27 23:03:12 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-02-27 23:03:12 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-02-27 22:11:58 -------- d-----w- c:\docume~1\admini~1\applic~1\UltraVNC
2011-02-25 05:55:11 -------- d-----w- c:\program files\ultravnc(NewButRemoved)
2011-02-25 05:45:57 -------- d-----w- c:\program files\ISSThirdParty
2011-02-25 05:45:47 95568 ----a-w- c:\windows\system32\vetredir.dll
2011-02-25 05:45:47 201968 ----a-w- c:\windows\system32\Isafprod.dll
2011-02-25 05:45:47 128336 ----a-w- c:\windows\system32\isafeif.dll
2011-02-25 05:44:36 -------- d-----w- c:\program files\CA
2011-02-25 05:40:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\CA
2011-02-25 04:28:20 55800 ----a-w- c:\temp\ca stuff\amrt\policystorage\ProductAppSign.exe
2011-02-25 04:28:20 453112 ----a-w- c:\temp\ca stuff\UmxAmrtSettings.dll
2011-02-25 04:28:20 135248 ----a-w- c:\temp\ca stuff\KmxAMRT.sys
2011-02-25 03:54:59 7 ----a-w- c:\windows\system32\mkghj.dll
2011-02-25 03:27:02 1445888 ----a-w- c:\documents and settings\administrator\DesktopWinsockxpFix.exe
2011-02-25 03:26:40 186368 ----a-w- c:\documents and settings\administrator\DesktopLSPFix.exe
2011-02-25 03:26:35 36864 ----a-w- c:\documents and settings\administrator\DesktopSafeMSI.exe
2011-02-24 03:58:26 73728 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{006deade-e12e-4da0-ab65-134f0de9af9a}\NewShortcut6_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58:26 73728 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{006deade-e12e-4da0-ab65-134f0de9af9a}\NewShortcut4_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58:26 143360 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{006deade-e12e-4da0-ab65-134f0de9af9a}\NewShortcut5_FA22C8B36029437A9646719DBA760EAE.exe
2011-02-24 03:58:26 143360 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{006deade-e12e-4da0-ab65-134f0de9af9a}\ARPPRODUCTICON.exe
2011-02-24 03:58:20 -------- d-----w- c:\program files\Electric Rain
2011-02-24 03:54:25 -------- d-----w- c:\program files\Serena Software Inc
2011-02-24 03:41:07 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Ahead
2011-02-24 03:35:04 -------- d-----w- c:\program files\Nero
2011-02-24 01:36:48 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-02-24 01:36:43 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-02-24 01:36:15 -------- d-----w- c:\windows\system32\RsFx
2011-02-24 01:33:45 -------- d-----w- c:\program files\Microsoft SQL Server
2011-02-24 01:33:34 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-02-24 01:33:34 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-02-24 01:33:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\PreEmptive Solutions
2011-02-24 01:31:19 -------- d-----w- c:\program files\Microsoft ASP.NET
2011-02-24 01:31:17 -------- d-----w- c:\program files\IIS
2011-02-24 01:30:40 18368 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vsa\9.0\1033\ResourceCache.dll
2011-02-24 01:30:38 2377696 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\visualstudio\10.0\1033\ResourceCache.dll
2011-02-24 01:25:44 -------- d-----w- c:\program files\Microsoft F#
2011-02-24 01:25:44 -------- d-----w- c:\program files\HTML Help Workshop
2011-02-24 01:25:43 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2011-02-24 01:25:43 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-02-24 01:25:43 -------- d-----w- c:\program files\common files\Merge Modules
2011-02-24 00:31:19 -------- d-----w- c:\program files\common files\Control Panels
2011-02-24 00:12:19 -------- d-----w- c:\program files\MagicISO
2011-02-23 22:58:17 -------- d-----w- c:\windows\pss
2011-02-23 01:22:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\ALM
2011-02-23 01:22:14 -------- d-----w- c:\program files\Bonjour
2011-02-23 01:17:35 -------- d-----w- c:\program files\common files\Macrovision Shared
2011-02-23 00:11:53 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Qurb4
2011-02-22 23:53:49 -------- d-----w- c:\program files\PowerISO
2011-02-22 23:32:50 50152 ----a-w- c:\program files\windows nt\accessories\imagevue\wangimg.exe
2011-02-22 23:32:50 50152 ----a-w- c:\program files\windows nt\accessories\imagevue\kodakimg.exe
2011-02-22 23:32:48 -------- d-----w- c:\program files\Imaging
2011-02-22 23:32:34 304128 ----a-w- c:\windows\IsUninst.exe
2011-02-22 23:30:13 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Temp
2011-02-22 23:30:09 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Google
2011-02-22 23:13:33 -------- d-----w- c:\program files\GetRight
2011-02-22 22:44:32 -------- d-----w- c:\program files\Mach5 Mailer 4
2011-02-22 21:43:32 -------- d-----w- c:\program files\InstantDemo
2011-02-22 01:17:49 -------- d-----w- c:\program files\common files\Corel
2011-02-22 01:17:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\CorelDRAW Graphics Suite X5
2011-02-22 01:12:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Protexis
2011-02-22 01:08:47 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Axialis
2011-02-22 01:08:44 -------- d-----w- c:\program files\My Company Name
2011-02-22 00:37:16 348256 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vstahost\corelphotopaint\9.0\1033\ResourceCache.dll
2011-02-22 00:37:02 348256 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vstahost\coreldraw\9.0\1033\ResourceCache.dll
2011-02-22 00:36:19 416 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\msdn\9.0\1033\ResourceCache.dll
2011-02-22 00:34:30 -------- d-----w- c:\program files\common files\Protexis
2011-02-22 00:34:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Corel
2011-02-22 00:29:56 -------- d-----w- c:\program files\Corel
2011-02-22 00:13:03 -------- d-----w- c:\documents and settings\administrator\log
2011-02-21 05:37:23 -------- d-----w- c:\windows\Internet Logs
2011-02-21 05:37:00 127376 ----a-w- c:\windows\system32\drivers\dne2000.sys
2011-02-21 05:37:00 101904 ----a-w- c:\windows\system32\dneinobj.dll
2011-02-21 05:36:51 -------- d-----w- c:\program files\Cisco Systems
2011-02-21 05:23:58 -------- d-----w- c:\program files\AutoMate 5
2011-02-21 05:23:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Network Automation
2011-02-21 05:23:51 210000 ----a-w- c:\windows\system32\amsco32.dll
2011-02-21 05:10:10 -------- d-----w- c:\documents and settings\administrator\WINDOWS
2011-02-18 17:00:49 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-02-18 17:00:30 -------- d-----w- c:\program files\MSXML 4.0
2011-02-18 11:43:52 25 ----a-w- C:\testtask.bat
2011-02-18 11:39:57 112616 ----a-w- c:\temp\ra1004.exe
2011-02-18 11:39:55 538624 ----a-w- c:\temp\pim4dearbhla\omnisres.dll
2011-02-18 11:39:52 2595328 ----a-w- c:\temp\pim4dearbhla\OMNIS7.exe
2011-02-18 11:39:52 216576 ----a-w- c:\temp\pim4dearbhla\OMNI2UI.DLL
2011-02-18 11:39:51 953856 ----a-w- c:\temp\pim4dearbhla\DGDSC32.DLL
2011-02-18 11:39:51 20308 ----a-w- c:\temp\pim4dearbhla\O7TK16.DLL
2011-02-18 11:39:51 15872 ----a-w- c:\temp\pim4dearbhla\O7TK32.DLL
2011-02-18 11:39:24 94352 ----a-w- c:\temp\oldtemp2\whitepages annoying files\MHRUN400.DLL
2011-02-18 11:39:24 45108 ----a-w- c:\temp\oldtemp2\whitepages annoying files\WPPD.DLL
2011-02-18 11:39:24 220832 ----a-w- c:\temp\oldtemp2\whitepages annoying files\WPCDAZ.DLL
2011-02-18 11:38:31 112802954 ----a-w- c:\temp\oldtemp2\setupPD.exe
2011-02-18 11:38:17 18389504 ----a-w- c:\temp\oldtemp2\pm\PM_72.exe
2011-02-18 11:26:38 149222 ----a-w- c:\temp\oldtemp2\oldtemp\testingEXEfileLauncher.exe
2011-02-18 11:26:34 7083364 ----a-w- c:\temp\oldtemp2\oldtemp\signwizard\sw51demo.exe
2011-02-18 11:26:33 1849677 ----a-w- c:\temp\oldtemp2\oldtemp\setup patch\setup_patch.exe
2011-02-18 11:26:33 149504 ----a-w- c:\temp\oldtemp2\oldtemp\setup patch\UNWISE.EXE
2011-02-18 11:26:02 20795904 ----a-w- c:\temp\oldtemp2\oldtemp\OnlineStorage.exe
2011-02-18 11:26:00 3026989 ----a-w- c:\temp\oldtemp2\oldtemp\Msowc.dll
2011-02-18 11:25:49 16332072 ----a-w- c:\temp\oldtemp2\oldtemp\msnblock\Install_Messenger_nous.exe
2011-02-18 11:25:41 20752672 ----a-w- c:\temp\oldtemp2\oldtemp\msnblock\automate5540-full.exe
2011-02-18 11:25:23 12754672 ----a-w- c:\temp\oldtemp2\oldtemp\MP10Setup.exe
2011-02-18 11:23:51 5538680 ----a-w- c:\temp\oldtemp2\oldtemp\dmg2iso\macdrive_6.1.5_enu_qtd_setup.exe
2011-02-18 11:23:51 13824 ----a-w- c:\temp\oldtemp2\oldtemp\dmg2iso\dmg2iso.exe
2011-02-18 11:23:50 1511320 ----a-w- c:\temp\oldtemp2\oldtemp\dmg2iso\daemon408-x86.exe
2011-02-18 11:23:23 7168 ----a-w- c:\temp\oldtemp2\oldtemp\COLLauncherQBE.exe
2011-02-18 11:23:15 318558 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\SetupPDF6.exe
2011-02-18 11:23:15 1831840 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\snpvw90.exe
2011-02-18 11:23:12 1380352 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\inhouse\CSCOMMON.exe
2011-02-18 11:23:11 1274886 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\inhouse\Client500.exe
2011-02-18 11:23:11 1015808 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\site-size-count-au\inhouse\Client495.exe
2011-02-18 11:22:14 50720515 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\setup_upd.exe
2011-02-18 11:21:43 81175064 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\Setup.exe
2011-02-18 11:21:39 1049705 ----a-w- c:\temp\oldtemp2\oldtemp\catfud\DOSBox0[1][1].63-win32-installer.exe
2011-02-18 11:21:19 29058885 ----a-w- c:\temp\oldtemp2\oldtemp\AKsetup_upd.exe
2011-02-18 11:20:51 40693248 ----a-w- c:\temp\oldtemp2\old-sy-updates\SY_95.exe
2011-02-18 11:20:33 40145920 ----a-w- c:\temp\oldtemp2\old-sy-updates\SY_94.exe
2011-02-18 11:19:14 50512131 ----a-w- c:\temp\oldtemp2\MLQIC-setup_upd.exe
2011-02-18 11:19:04 59904 ----a-w- c:\temp\oldtemp2\imagingsoftware\imagingocxs\SETUP.EXE
2011-02-18 11:19:04 352256 ----a-w- c:\temp\oldtemp2\imagingsoftware\Install.exe
2011-02-18 11:18:59 8192 ----a-w- c:\temp\oldtemp2\imagingsoftware\imagingocxs\_ISDEL.EXE
2011-02-18 11:18:59 803680 ----a-w- c:\temp\oldtemp2\imagingsoftware\imagingocxs\axdist.exe
2011-02-18 11:18:59 59904 ----a-w- c:\temp\oldtemp2\imagingsoftware\imaging\SETUP.EXE
2011-02-18 11:18:59 11264 ----a-w- c:\temp\oldtemp2\imagingsoftware\imagingocxs\_SETUP.DLL
2011-02-18 11:18:52 8192 ----a-w- c:\temp\oldtemp2\imagingsoftware\imaging\_ISDEL.EXE
2011-02-18 11:18:52 803680 ----a-w- c:\temp\oldtemp2\imagingsoftware\imaging\axdist.exe
2011-02-18 11:18:52 11264 ----a-w- c:\temp\oldtemp2\imagingsoftware\imaging\_SETUP.DLL
2011-02-18 11:18:51 8192 ----a-w- c:\temp\oldtemp2\imagingsoftware\1xclient\_ISDEL.EXE
2011-02-18 11:18:51 59904 ----a-w- c:\temp\oldtemp2\imagingsoftware\1xclient\SETUP.EXE
2011-02-18 11:18:51 151552 ----a-w- c:\temp\oldtemp2\imagingsoftware\1xclient\instsrvr.dll
2011-02-18 11:18:51 11264 ----a-w- c:\temp\oldtemp2\imagingsoftware\1xclient\_SETUP.DLL
2011-02-18 11:17:41 33161216 ----a-w- c:\temp\oldtemp2\eiStreamImaging28.exe
2011-02-18 11:17:20 1897408 ----a-w- c:\temp\oldtemp2\backups\nvidia riva tnt2 model 64 model 64 pro (microsoft corporation)\nv4_mini.sys
2011-02-18 11:17:18 8811 ----a-w- c:\temp\oldtemp2\backups\conexant setup api\SetupSys.sys
2011-02-18 11:17:18 4274816 ----a-w- c:\temp\oldtemp2\backups\nvidia riva tnt2 model 64 model 64 pro (microsoft corporation)\nv4_disp.dll
2011-02-18 11:15:08 149504 ----a-w- c:\temp\melbcityrecd2k\UNWISE.EXE
2011-02-18 11:04:26 563200 ----a-w- c:\temp\melbcityrecd2k\Ads.exe
2011-02-18 11:04:18 153104 ----a-w- c:\temp\ext18866\install.exe
2011-02-18 11:04:18 1065480 ----a-w- c:\temp\ext18866\install.res.dll
2011-02-18 10:51:37 121206136 ----a-w- c:\temp\chris virusfixtools\ca - anti-virus plus (rp data account)\cd files\en\SETUP.EXE
2011-02-18 10:51:36 874292 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\xpboot.exe
2011-02-18 10:51:36 700781 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\task40.exe
2011-02-18 10:51:33 197233 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\rest2514.exe
2011-02-18 10:51:32 553687 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\jv16regc.exe
2011-02-18 10:51:31 1420962 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\jv16ptv1.exe
2011-02-18 10:51:28 477308 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\doscdrom.exe
2011-02-18 10:51:28 1290938 ----a-w- c:\temp\chris virusfixtools\bootdisk.com files\drdos703.exe
2011-02-18 10:51:17 27386280 ----a-w- c:\temp\chris virusfixtools\acrobat reader\AdbeRdr920_en_US.exe
2011-02-18 10:50:20 5760288 ----a-w- c:\temp\ar405eng.exe
2011-02-18 08:54:34 339968 ----a-w- c:\windows\system32\hpbicoin.dll
2011-02-18 08:46:02 -------- d-----w- c:\docume~1\admini~1\applic~1\Eqpy
2011-02-18 07:45:30 63 ----a-w- C:\reminder_timesheet.bat
2011-02-18 07:45:30 527 ----a-w- C:\Reset.cmd
2011-02-18 07:01:57 269 ----a-w- C:\ftpdownload.bat
2011-02-18 07:01:57 266 ----a-w- C:\ftpupload.bat
2011-02-18 06:50:40 72 ----a-w- C:\connectme3.bat
2011-02-18 06:50:40 67 ----a-w- C:\connectme2.bat
2011-02-18 06:50:40 266 ----a-w- C:\Copy of ftpupload.bat
2011-02-18 06:50:40 0 ----a-w- C:\connectme.bat
2011-02-17 15:24:48 358 ----a-w- C:\AcrE02B.tmp
2011-02-17 15:24:48 358 ----a-w- C:\Acr334C.tmp
2011-02-17 11:15:54 -------- d-----w- C:\NICKY
2011-02-17 11:14:59 -------- d-----w- C:\== RPDATA ==
2011-02-17 11:14:36 -------- d-----w- C:\== CPM ==
2011-02-17 11:14:22 -------- d-----w- C:\== Cityscope ==
2011-02-17 06:09:23 20672 ----a-w- c:\windows\system32\mv2.dll
2011-02-17 06:09:23 10688 ----a-w- c:\windows\system32\drivers\mv2.sys
2011-02-17 05:40:15 1341176 ----a-w- c:\temp\2010\issdm_ca_en.exe
2011-02-17 05:40:14 144648 ----a-w- c:\temp\2010\removal tool\SupportBridge.exe
2011-02-17 05:30:52 -------- d-----w- c:\windows\system32\winsflte.dl1
2011-02-17 05:30:52 -------- d-----w- c:\windows\system32\winsflt.dl1
2011-02-17 05:29:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\CA-SupportBridge
2011-02-17 04:18:31 -------- d-----w- c:\program files\FreeFileSync
2011-02-15 19:45:26 -------- d-sh--w- C:\$RECYCLE.BIN
2011-02-15 00:52:28 -------- d-----w- c:\windows\system32\winrm
2011-02-15 00:52:24 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-02-15 00:48:25 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\ApplicationHistory
2011-02-15 00:37:56 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-02-15 00:37:56 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-02-15 00:35:51 -------- d-----w- C:\temp
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-07 05:05:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-07 05:05:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ------w- c:\windows\system32\html.iec
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD50 rev.12.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A40C439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4127b8]; MOV EAX, [0x8a412834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8ADC8AB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A0268B8]
\Driver\iastor[0x8A42A558] -> IRP_MJ_CREATE -> 0x8A40C439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD5000AAKS-75TMA0___________________12.01C01#4&d9859c0&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 976773166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 10:37:47.93 ===============
Edited by Stanbridge, 09 March 2011 - 09:34 PM.