rundll32.exe runs at startup and points to files that were "infected"


This topic is locked. 16 replies to this topic.

#1 Falneth (Members, 132 posts, Missouri, USA)

Posted 03 May 2011 - 05:03 PM

I had an encounter with a rogue anti-virus. I removed it with MalwareBytes AntiMalware and CCleaner, only to find that the Windows Security Center Service and Microsoft Security Essentials would not start. I soon discovered that Security Essentials would not run while in normal Windows mode, but it would launch, update, and perform a scan in Safe Mode with Networking. When I attempted to manually start the Windows Security Center in Normal Mode, the service would turn on for about 30 seconds, then turn itself off. Also, if I performed a web search (Google or Yahoo), when I clicked on a search result link, I was redirected to a different website. The redirection was never to the same website.

I researched the problem online, only to find another anti-spyware called SuperAntiSpyware. I downloaded it and ran it to discover a file named "DSndUpc.dll" located in my H:\Program Files\Movie Maker and my H:\Windows\system32\ folders. The program removed the files from both folders. After removing them and rebooting, my Security Essentials and Windows Security Center service began to run like normal and I was able to go to the search results from a search engine.

I then found an issue with some games I had installed. When launching these games, they would run as a Low Priority instead of a Normal priority. I would set them to Normal Priority only to find them go back to Low Priority. I used a program called procexp.exe (Process Explorer) to look at what processes were running when I launched my computer. I discovered, using the Process Explorer program, that upon booting up my computer, I had two rundll32.exe files running. When I examined these rundll32.exe processes, each one's command line would point to one of the files that SuperAntiSpyware removed. After further testing, my games would not revert to Low Priority once the two rundll32.exe processes were killed.

I have run numerous scans with MalwareBytes and Security Essentials but have not found anything. As per the preparation guide, I managed to run everything EXCEPT the gmer.exe file. When I run that program, it begins to scan, only to suddenly cause my computer to stop functioning and go to a BLUE screen with an error message. I have attempted to run the program three different times, and only two of the attempts gave the same message: Windows was stopped to prevent damage to the operating system. At the bottom of the screen, it says "beginning physical memory dump". The last time I ran the program was in Safe Mode, but it still took me to a BLUE screen after a minute of scanning. Therefore, it will not run on my computer.

I have also attempted to perform a system restore to a date before all the infections, but all my attempts at running a system restore have failed. I have the restore points, but when my computer reboots after launching the system restore, I receive a notice saying: System Restore Failed. No files have been changed.


DDS.txt log is as follows:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Samual at 15:50:20.20 on Tue 05/03/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1070 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\system32\rundll32.exe
svchost.exe
H:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
H:\WINDOWS\system32\svchost.exe -k imgsvc
H:\Program Files\TVersity\Media Server\MediaServer.exe
H:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
H:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
H:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Microsoft Security Client\msseces.exe
H:\Program Files\Real\RealPlayer\update\realsched.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
H:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
H:\Program Files\Micro Innovations\Internet Keyboard Elite\KEMailKb.EXE
H:\Documents and Settings\Samual\Desktop\procexp.exe
H:\WINDOWS\System32\svchost.exe -k HTTPFilter
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
H:\Program Files\Mozilla Firefox\plugin-container.exe
H:\Documents and Settings\Samual\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - h:\program files\freecorder\prxtbFre0.dll
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - h:\program files\freecorder\prxtbFre0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - h:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - h:\program files\conduitengine\prxConduitEngine.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - h:\program files\freecorder\prxtbFre0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - h:\program files\conduitengine\prxConduitEngine.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
uRun: [uTorrent] "h:\program files\utorrent\uTorrent.exe"
uRun: [Yahoo! Pager] "h:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SUPERAntiSpyware] h:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [MSC] "h:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [TkBellExe] "h:\program files\real\realplayer\update\realsched.exe" -osboot
dRun: [DWQueuedReporting] "h:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: h:\docume~1\samual\startm~1\programs\startup\intern~1.lnk - h:\program files\micro innovations\internet keyboard elite\KEMailKb.EXE
StartupFolder: h:\docume~1\samual\startm~1\programs\startup\procex~1.lnk - h:\documents and settings\samual\desktop\procexp.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - h:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - h:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {10E6E681-4ED1-43CF-A624-2BC3576DC117} = 167.142.225.3,167.142.225.5
TCP: {8D62A40B-727A-41BA-8386-1DD83ECAFDF0} = 67.210.57.254,206.246.28.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - h:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - h:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - h:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - h:\docume~1\samual\applic~1\mozilla\firefox\profiles\u22oscau.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: h:\documents and settings\samual\application data\mozilla\firefox\profiles\u22oscau.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko19.dll
FF - component: h:\documents and settings\samual\application data\mozilla\firefox\profiles\u22oscau.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: h:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: h:\documents and settings\samual\application data\mozilla\firefox\profiles\u22oscau.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: h:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: h:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: h:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: h:\program files\mozilla firefox\plugins\npmozax.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;h:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKslec3a3141;MpKslec3a3141;h:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d603b115-30ba-4dd3-8707-713b37238dc8}\MpKslec3a3141.sys [2011-5-3 28752]
R1 SASDIFSV;SASDIFSV;h:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;h:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 HIDKbFlt;HIDKbFlt.SvcDesc%;h:\windows\system32\drivers\HIDKbFlt.sys [2005-7-25 23680]
R2 WDDMService;WDDMService;h:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2011-3-9 238592]
R2 WDFME;WD File Management Engine;h:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2011-3-9 1060864]
R2 WDSC;WD File Management Shadow Engine;h:\program files\western digital\wd smartware\front parlor\WDSC.exe [2011-3-9 484352]
R3 WDC_SAM;WD SCSI Pass Thru driver;h:\windows\system32\drivers\wdcsam.sys [2011-4-6 11520]
S0 axghu;axghu;h:\windows\system32\drivers\ethqvvsl.sys --> h:\windows\system32\drivers\ethqvvsl.sys [?]
S0 Lbd;Lbd;h:\windows\system32\drivers\lbd.sys --> h:\windows\system32\drivers\Lbd.sys [?]
S2 dnscon;DNS Connection;h:\windows\system32\svchost.exe -k LocalServices [2004-8-4 14336]
S2 NetManager;Network Manager Service;h:\windows\system32\svchost.exe -k netm [2004-8-4 14336]
S3 cpuz129;cpuz129;\??\h:\docume~1\samual\locals~1\temp\cpuz_x32.sys --> h:\docume~1\samual\locals~1\temp\cpuz_x32.sys [?]
S3 ivusb;Initio Driver for USB Default Controller;h:\windows\system32\drivers\ivusb.sys --> h:\windows\system32\drivers\ivusb.sys [?]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);h:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2011-1-14 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);h:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2011-1-14 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);h:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2011-1-14 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);h:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2011-1-14 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);h:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2011-1-14 25704]
S3 XDva020;XDva020;\??\h:\windows\system32\xdva020.sys --> h:\windows\system32\XDva020.sys [?]
S4 npggsvc;nProtect GameGuard Service;h:\windows\system32\gamemon.des -service --> h:\windows\system32\GameMon.des -service [?]
.
=============== Created Last 30 ================
.
2072-04-03 18:13:14 607296 ------w- h:\program files\microsoft games\age of empires iii\deformerdllyD.dll
2011-05-03 20:46:56 28752 ----a-w- h:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{d603b115-30ba-4dd3-8707-713b37238dc8}\MpKslec3a3141.sys
2011-05-03 20:44:18 -------- d-----w- h:\program files\Cobian Backup 8
2011-05-03 20:03:28 28752 ----a-w- h:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{d603b115-30ba-4dd3-8707-713b37238dc8}\MpKsl70898a9f.sys
2011-05-03 20:01:41 -------- d-----w- h:\program files\Uniblue
2011-05-03 20:01:41 -------- d-----w- h:\program files\Trend Micro
2011-05-03 20:01:41 -------- d-----w- h:\docume~1\samual\locals~1\applic~1\PackageAware
2011-05-03 20:01:38 -------- d-----w- h:\program files\Hitman Pro 3.5
2011-05-03 20:01:38 -------- d-----w- h:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-05-03 20:01:32 -------- d-----w- h:\docume~1\samual\locals~1\applic~1\Microsoft Help
2011-05-03 20:01:30 -------- d-----w- h:\program files\ACW
2011-05-03 04:23:08 28752 ----a-w- h:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{d603b115-30ba-4dd3-8707-713b37238dc8}\MpKslb91a1c34.sys
2011-05-03 04:22:54 7071056 ----a-w- h:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{d603b115-30ba-4dd3-8707-713b37238dc8}\mpengine.dll
2011-04-30 04:36:37 7071056 ----a-w- h:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-29 03:28:12 -------- d-----w- h:\docume~1\samual\applic~1\Uniblue
2011-04-29 03:14:41 388096 ----a-r- h:\docume~1\samual\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-28 05:08:47 12872 ----a-w- h:\windows\system32\bootdelete.exe
2011-04-28 05:03:50 -------- d-----w- h:\docume~1\samual\applic~1\SUPERAntiSpyware.com
2011-04-28 05:02:54 -------- d-----w- h:\program files\SUPERAntiSpyware
2011-04-28 05:02:11 16968 ----a-w- h:\windows\system32\drivers\hitmanpro35.sys
2011-04-28 05:00:49 -------- d-----w- h:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-28 04:27:57 73728 ----a-w- h:\windows\system32\javacpl.cpl
2011-04-28 04:27:57 472808 ----a-w- h:\windows\system32\deployJava1.dll
2011-04-28 04:27:57 472808 ----a-w- h:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-28 04:24:21 -------- d-----w- h:\program files\Microsoft Security Client
2011-04-27 21:12:21 -------- d-----w- h:\program files\Guild Wars
2011-04-27 19:26:16 -------- d-----w- h:\docume~1\samual\applic~1\PriceGong
2011-04-21 14:49:56 -------- d-----w- h:\program files\Reality Pump
2011-04-21 14:48:57 -------- d-----w- h:\windows\system32\AGEIA
2011-04-21 02:08:47 80384 --sha-r- h:\windows\system32\DSndUpc.dll
2011-04-07 02:45:11 -------- d-----w- h:\docume~1\samual\locals~1\applic~1\Western_Digital
2011-04-07 02:40:04 11520 ----a-w- h:\windows\system32\drivers\wdcsam.sys
2011-04-07 02:39:33 -------- d-----w- h:\docume~1\samual\locals~1\applic~1\Western Digital
2011-04-07 02:39:18 -------- d-----w- h:\docume~1\alluse~1\applic~1\Western Digital
2011-04-05 19:36:05 -------- d-----w- h:\program files\Prima Games
.
==================== Find3M ====================
.
2011-04-27 19:27:27 0 ----a-w- h:\windows\system32\ConduitEngine.tmp
2011-04-02 20:52:49 0 ----a-w- h:\windows\ativpsrm.bin
2011-03-07 05:33:50 692736 ----a-w- h:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- h:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- h:\windows\system32\win32k.sys
2011-02-17 19:00:29 832512 ----a-w- h:\windows\system32\wininet.dll
2011-02-17 19:00:28 78336 ----a-w- h:\windows\system32\ieencode.dll
2011-02-17 19:00:28 1830912 ------w- h:\windows\system32\inetcpl.cpl
2011-02-17 19:00:27 17408 ----a-w- h:\windows\system32\corpol.dll
2011-02-17 12:32:12 5120 ----a-w- h:\windows\system32\xpsp4res.dll
2011-02-17 11:44:16 389120 ----a-w- h:\windows\system32\html.iec
2011-02-15 12:56:39 290432 ----a-w- h:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- h:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- h:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- h:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- h:\windows\system32\mfc42u.dll
2011-02-07 03:45:17 348160 ----a-w- h:\windows\system32\msvcr71.dll
2011-02-07 03:45:16 499712 ----a-w- h:\windows\system32\msvcp71.dll
2011-02-02 23:11:20 222080 ------w- h:\windows\system32\MpSigStub.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WD______ rev.2019 -> Harddisk3\DR5 -> \Device\00000098
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
kernel: MBR read successfully
_asm { ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; }
user != kernel MBR !!!
error: Read The parameter is incorrect.
.
============= FINISH: 15:52:03.18 ===============

Edited by Falneth, 03 May 2011 - 05:06 PM.

A.A.S in Computer and Network Support from Crowder College
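As an added triage example for this thread (not part of the original post, and not DDS's or BleepingComputer's own code): a Python script that reads a log in the DDS format posted above and flags the entries a responder would look at first: rundll32.exe instances (whose host DLL DDS does not show), services and drivers whose image file DDS could not find (the `[?]` marker), boot-start entries among those, svchost groups outside the stock set, images loading from a temp directory, and the `user != kernel MBR` line from the rootkit check. The sample log is a constructed excerpt assembled from lines quoted in the post. The svchost allow-list and the "machine-generated name" test are my own heuristics and will produce false positives, so each flag is a lead to confirm against the machine, not a verdict.

```python
import re
from dataclasses import dataclass
# Constructed excerpt in DDS format, assembled from lines quoted in the post above.
SAMPLE_DDS = r"""
============== Running Processes ===============
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\system32\rundll32.exe
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;h:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S0 axghu;axghu;h:\windows\system32\drivers\ethqvvsl.sys --> h:\windows\system32\drivers\ethqvvsl.sys [?]
S0 Lbd;Lbd;h:\windows\system32\drivers\lbd.sys --> h:\windows\system32\drivers\Lbd.sys [?]
S2 dnscon;DNS Connection;h:\windows\system32\svchost.exe -k LocalServices [2004-8-4 14336]
S3 cpuz129;cpuz129;\??\h:\docume~1\samual\locals~1\temp\cpuz_x32.sys --> h:\docume~1\samual\locals~1\temp\cpuz_x32.sys [?]
=================== ROOTKIT ====================
user != kernel MBR !!!
============= FINISH: 15:52:03.18 ===============
"""
# Stock svchost -k groups on XP, from memory (assumption); verify in HKLM\...\CurrentVersion\Svchost.
KNOWN_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice", "imgsvc", "httpfilter", "termsvcs"}
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "<R|S><start> <name>;<description>;<image> [date size]"  or  "...;<image> --> <image> [?]"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
PATH_RE = re.compile(r"^(.*?\.(?:exe|sys|dll|des))(?:\s+(.*))?$", re.I)

@dataclass
class Finding:
    severity: str  # "high" or "review"
    item: str
    reason: str

def split_sections(text):
    """Group non-empty lines under the '=== Heading ===' banner that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def looks_random(stem):
    """Heuristic (assumption): an all-letter name with almost no vowels, e.g. 'ethqvvsl'."""
    s = stem.lower()
    return s.isalpha() and len(s) >= 5 and sum(c in "aeiouy" for c in s) / len(s) <= 0.15

def parse_service(line):
    m = SERVICE_RE.match(line)
    if not m:
        return None
    _kind, start, name, _desc, rest = m.groups()
    rest = rest.strip()
    image = rest.split(" --> ")[-1]                  # resolved path follows the arrow
    image = re.sub(r"\s*\[[^\]]*\]$", "", image)     # drop trailing "[date size]" or "[?]"
    return {"name": name, "start": int(start), "image": image.strip(),
            "missing": rest.endswith("[?]")}         # DDS marks images it could not find

def analyze(text):
    findings, sections = [], split_sections(text)
    n = sum(p.lower().endswith("\\rundll32.exe") for p in sections.get("RUNNING PROCESSES", []))
    if n:
        findings.append(Finding("review", "rundll32.exe", f"{n} instance(s) running; DDS omits "
                                "the command line, read it in Process Explorer to see the hosted DLL"))
    for line in sections.get("SERVICES / DRIVERS", []):
        svc = parse_service(line)
        if not svc:
            continue
        pm = PATH_RE.match(svc["image"])
        path, args = (pm.group(1), pm.group(2) or "") if pm else (svc["image"], "")
        base = path.rsplit("\\", 1)[-1].lower()
        reasons, high = [], False
        if svc["missing"]:
            reasons.append("image file not found on disk")
            if svc["start"] == 0:                    # boot-start: loads before any AV driver
                high = True
                reasons.append("boot-start (0) entry")
        if base == "svchost.exe":
            g = re.search(r"-k\s+(\S+)", args)
            if g and g.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
                reasons.append(f"svchost group '{g.group(1)}' not in the stock XP list")
        elif looks_random(base.rsplit(".", 1)[0]):
            reasons.append(f"image name '{base}' looks machine-generated")
        if "\\temp\\" in path.lower():
            reasons.append("image loads from a temp directory")
        if reasons:
            findings.append(Finding("high" if high else "review", svc["name"], "; ".join(reasons)))
    if any("user != kernel MBR" in ln for ln in sections.get("ROOTKIT", [])):
        findings.append(Finding("high", "MBR", "user-mode and kernel-mode reads of the MBR "
                                "differ, the pattern left by a bootkit hooking disk I/O"))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.item}: {f.reason}")
```

Run against the full log, the same logic would also pick out `NetManager` (svchost group `netm`), `XDva020` and `ivusb` (missing images), and the second `cpuz` driver in the temp folder; a `[?]` on a legitimate product's driver (Lbd.sys is one) is common after a messy uninstall, which is why the output is a worklist rather than a removal script.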


#2 heir (Malware Response Team, 763 posts)

Posted 12 May 2011 - 03:17 AM

Welcome to BC!

Do you still need help?

If so please post a fresh set of logs from DDS and GMER.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware, then click the donation link in my signature.


#3 Falneth (Topic Starter)

Posted 13 May 2011 - 09:42 AM

I'm attaching a screenshot showing the issue of the rundll32.exe command line.

GMER will not run on my computer. When I attempt to launch the program, my computer suddenly goes to a blue screen saying that Windows was shut down to prevent damage to the operating system.

Today's DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Samual at 9:39:12.59 on Fri 05/13/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1021 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *Disabled*
.
============== Running Processes ===============
.
H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
H:\WINDOWS\system32\svchost.exe -k netsvcs
H:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
svchost.exe
svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\system32\rundll32.exe
svchost.exe
H:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
H:\Documents and Settings\Samual\Local Settings\Application Data\CrossLoop\CrossLoopService.exe
H:\WINDOWS\system32\svchost.exe -k imgsvc
H:\Program Files\TVersity\Media Server\MediaServer.exe
H:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
H:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
H:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Microsoft Security Client\msseces.exe
H:\Program Files\Freecorder\FLVSrvc.exe
H:\PROGRA~1\Eraser\Eraser.exe
H:\Program Files\COMODO\COMODO Internet Security\cfp.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
H:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
H:\Program Files\Micro Innovations\Internet Keyboard Elite\KEMailKb.EXE
H:\Documents and Settings\Samual\Desktop\procexp.exe
H:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\Mozilla Firefox\plugin-container.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Documents and Settings\Samual\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - h:\program files\freecorder\prxtbFre0.dll
mURLSearchHooks: H - No File
mWinlogon: Userinit=h:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - h:\program files\freecorder\prxtbFre0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - h:\program files\conduitengine\prxConduitEngine.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - h:\program files\freecorder\prxtbFre0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - h:\program files\conduitengine\prxConduitEngine.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "h:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [uTorrent] "h:\program files\utorrent\uTorrent.exe"
mRun: [MSC] "h:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Freecorder FLV Service] "h:\program files\freecorder\FLVSrvc.exe" /run
mRun: [Eraser] "h:\progra~1\eraser\Eraser.exe" --atRestart
mRun: [COMODO Internet Security] "h:\program files\comodo\comodo internet security\cfp.exe" -h
dRun: [DWQueuedReporting] "h:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: h:\docume~1\samual\startm~1\programs\startup\intern~1.lnk - h:\program files\micro innovations\internet keyboard elite\KEMailKb.EXE
StartupFolder: h:\docume~1\samual\startm~1\programs\startup\procex~1.lnk - h:\documents and settings\samual\desktop\procexp.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - h:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - h:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {10E6E681-4ED1-43CF-A624-2BC3576DC117} = 167.142.225.3,167.142.225.5
TCP: {8D62A40B-727A-41BA-8386-1DD83ECAFDF0} = 67.210.57.254,206.246.28.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - h:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: h:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli
IFEO: taskmgr.exe - "h:\documents and settings\samual\desktop\PROCEXP.EXE"
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - h:\docume~1\samual\applic~1\mozilla\firefox\profiles\u22oscau.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: h:\documents and settings\samual\application data\mozilla\firefox\profiles\u22oscau.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko19.dll
FF - component: h:\documents and settings\samual\application data\mozilla\firefox\profiles\u22oscau.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: h:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: h:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: h:\documents and settings\samual\application data\mozilla\firefox\profiles\u22oscau.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: h:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: h:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: h:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: h:\program files\mozilla firefox\plugins\npmozax.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;h:\windows\system32\drivers\cmdGuard.sys [2011-5-2 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;h:\windows\system32\drivers\cmdhlp.sys [2011-5-2 29400]
R1 MpFilter;Microsoft Malware Protection Driver;h:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl7e61c655;MpKsl7e61c655;h:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0658b817-4da1-44cf-92e8-7438101e4ef1}\MpKsl7e61c655.sys [2011-5-13 28752]
R2 cmdAgent;COMODO Internet Security Helper Service;h:\program files\comodo\comodo internet security\cmdagent.exe [2011-5-2 1779792]
R2 CrossLoopService;CrossLoop Service;h:\documents and settings\samual\local settings\application data\crossloop\CrossLoopService.exe [2011-5-6 560880]
R2 HIDKbFlt;HIDKbFlt.SvcDesc%;h:\windows\system32\drivers\HIDKbFlt.sys [2005-7-25 23680]
R2 WDDMService;WDDMService;h:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2011-3-9 238592]
R2 WDFME;WD File Management Engine;h:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2011-3-9 1060864]
R2 WDSC;WD File Management Shadow Engine;h:\program files\western digital\wd smartware\front parlor\WDSC.exe [2011-3-9 484352]
R3 WDC_SAM;WD SCSI Pass Thru driver;h:\windows\system32\drivers\wdcsam.sys [2011-4-6 11520]
S0 axghu;axghu;h:\windows\system32\drivers\ethqvvsl.sys --> h:\windows\system32\drivers\ethqvvsl.sys [?]
S0 Lbd;Lbd;h:\windows\system32\drivers\lbd.sys --> h:\windows\system32\drivers\Lbd.sys [?]
S2 dnscon;DNS Connection;h:\windows\system32\svchost.exe -k LocalServices [2004-8-4 14336]
S2 NetManager;Network Manager Service;h:\windows\system32\svchost.exe -k netm [2004-8-4 14336]
S3 cpuz129;cpuz129;\??\h:\docume~1\samual\locals~1\temp\cpuz_x32.sys --> h:\docume~1\samual\locals~1\temp\cpuz_x32.sys [?]
S3 cpuz135;cpuz135;\??\h:\docume~1\samual\locals~1\temp\cpuz135\cpuz135_x32.sys --> h:\docume~1\samual\locals~1\temp\cpuz135\cpuz135_x32.sys [?]
S3 ivusb;Initio Driver for USB Default Controller;h:\windows\system32\drivers\ivusb.sys --> h:\windows\system32\drivers\ivusb.sys [?]
S3 tvnserver;TightVNC Server;h:\documents and settings\samual\local settings\application data\crossloop\tvnserver.exe [2011-5-6 814080]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);h:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2011-1-14 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);h:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2011-1-14 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);h:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2011-1-14 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);h:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2011-1-14 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);h:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2011-1-14 25704]
S3 XDva020;XDva020;\??\h:\windows\system32\xdva020.sys --> h:\windows\system32\XDva020.sys [?]
S4 npggsvc;nProtect GameGuard Service;h:\windows\system32\gamemon.des -service --> h:\windows\system32\GameMon.des -service [?]
.
=============== Created Last 30 ================
.
2072-04-03 18:13:14 607296 ------w- h:\program files\microsoft games\age of empires iii\deformerdllyD.dll
2011-05-13 11:56:50 28752 ----a-w- h:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{0658b817-4da1-44cf-92e8-7438101e4ef1}\MpKsl7e61c655.sys
2011-05-13 11:55:56 7071056 ----a-w- h:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{0658b817-4da1-44cf-92e8-7438101e4ef1}\mpengine.dll
2011-05-07 12:28:23 -------- d-----w- h:\program files\Free M4a to MP3 Converter
2011-05-07 03:43:50 -------- d-----w- h:\docume~1\samual\locals~1\applic~1\CrossLoop
2011-05-07 02:46:37 -------- d-----w- h:\docume~1\samual\applic~1\UltraVNC
2011-05-07 02:39:22 -------- d-----w- h:\program files\UltraVNC
2011-05-06 20:48:47 -------- d-----w- h:\program files\SyncToy 2.1
2011-05-06 20:04:04 -------- d-----w- h:\windows\UltraDefrag
2011-05-06 14:49:25 -------- d-----w- h:\program files\COMODO
2011-05-06 14:47:25 -------- d-----w- h:\docume~1\alluse~1\applic~1\Comodo Downloader
2011-05-06 14:46:41 -------- d-----w- h:\docume~1\alluse~1\applic~1\Comodo
2011-05-06 14:29:31 -------- d-----w- h:\docume~1\samual\locals~1\applic~1\Eraser 6
2011-05-06 14:10:10 -------- d-----w- h:\program files\Soluto
2011-05-06 14:08:58 -------- d-----w- h:\program files\Eraser
2011-05-06 14:01:04 -------- d-----w- h:\docume~1\alluse~1\applic~1\Soluto
2011-05-05 23:33:48 -------- d-----w- h:\program files\Europa Universalis III
2011-05-04 03:31:03 -------- d-----w- h:\program files\common files\xing shared
2011-05-04 03:28:00 105472 ----a-w- h:\program files\mozilla firefox\plugins\nprpjplug.dll
2011-05-03 20:44:18 -------- d-----w- h:\program files\Cobian Backup 8
2011-05-03 20:01:41 -------- d-----w- h:\program files\Uniblue
2011-05-03 20:01:41 -------- d-----w- h:\program files\Trend Micro
2011-05-03 20:01:41 -------- d-----w- h:\docume~1\samual\locals~1\applic~1\PackageAware
2011-05-03 20:01:38 -------- d-----w- h:\program files\Hitman Pro 3.5
2011-05-03 20:01:38 -------- d-----w- h:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-05-03 20:01:32 -------- d-----w- h:\docume~1\samual\locals~1\applic~1\Microsoft Help
2011-05-03 20:01:30 -------- d-----w- h:\program files\ACW
2011-05-03 01:36:54 29400 ----a-w- h:\windows\system32\drivers\cmdhlp.sys
2011-05-03 01:36:52 242472 ----a-w- h:\windows\system32\drivers\cmdGuard.sys
2011-05-03 01:36:52 17416 ----a-w- h:\windows\system32\drivers\cmderd.sys
2011-05-03 01:36:04 284744 ----a-w- h:\windows\system32\guard32.dll
2011-04-30 04:36:37 7071056 ----a-w- h:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-29 03:28:12 -------- d-----w- h:\docume~1\samual\applic~1\Uniblue
2011-04-29 03:14:41 388096 ----a-r- h:\docume~1\samual\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-28 05:08:47 12872 ----a-w- h:\windows\system32\bootdelete.exe
2011-04-28 05:02:11 16968 ----a-w- h:\windows\system32\drivers\hitmanpro35.sys
2011-04-28 05:00:49 -------- d-----w- h:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-28 04:27:57 73728 ----a-w- h:\windows\system32\javacpl.cpl
2011-04-28 04:27:57 472808 ----a-w- h:\windows\system32\deployJava1.dll
2011-04-28 04:27:57 472808 ----a-w- h:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-28 04:24:21 -------- d-----w- h:\program files\Microsoft Security Client
2011-04-27 21:12:21 -------- d-----w- h:\program files\Guild Wars
2011-04-27 19:26:16 -------- d-----w- h:\docume~1\samual\applic~1\PriceGong
2011-04-21 14:49:56 -------- d-----w- h:\program files\Reality Pump
2011-04-21 14:48:57 -------- d-----w- h:\windows\system32\AGEIA
2011-04-21 02:08:47 80384 --sha-r- h:\windows\system32\DSndUpc.dll
.
==================== Find3M ====================
.
2011-05-04 03:24:11 348160 ----a-w- h:\windows\system32\msvcr71.dll
2011-05-04 03:24:10 499712 ----a-w- h:\windows\system32\msvcp71.dll
2011-04-27 19:27:27 0 ----a-w- h:\windows\system32\ConduitEngine.tmp
2011-04-02 20:52:49 0 ----a-w- h:\windows\ativpsrm.bin
2011-03-07 05:33:50 692736 ----a-w- h:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- h:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- h:\windows\system32\win32k.sys
2011-02-17 19:00:29 832512 ----a-w- h:\windows\system32\wininet.dll
2011-02-17 19:00:28 78336 ----a-w- h:\windows\system32\ieencode.dll
2011-02-17 19:00:28 1830912 ------w- h:\windows\system32\inetcpl.cpl
2011-02-17 19:00:27 17408 ----a-w- h:\windows\system32\corpol.dll
2011-02-17 12:32:12 5120 ----a-w- h:\windows\system32\xpsp4res.dll
2011-02-17 11:44:16 389120 ----a-w- h:\windows\system32\html.iec
2011-02-15 12:56:39 290432 ----a-w- h:\windows\system32\atmfd.dll
.
============= FINISH: 9:40:21.90 ===============



A.A.S in Computer and Network Support from Crowder College
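The SERVICES / DRIVERS section of the DDS log above is where leftover registrations show up: DDS prints an entry as "declared --> resolved [?]" when it cannot find the referenced file on disk, and a boot- or system-start entry whose file is gone is the kind of remnant a helper looks for first. The script below is an added example, not part of this thread and not code from DDS or BleepingComputer; it parses a handful of service lines copied from the log above (used here as a constructed subset), maps the R/S prefix to running/stopped and the digit to a start type (the assumed convention: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled), and lists the entries worth a second look. The function names `parse_dds_services` and `triage` and the triage rules are my own choices, not anything DDS provides.

```python
import re
from dataclasses import dataclass

# Assumed DDS convention: digit after R/S is the service start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Lines copied from the DDS "SERVICES / DRIVERS" section posted above
# (a hand-picked subset, used here as constructed sample input).
SAMPLE_DDS_LINES = r"""
R1 MpFilter;Microsoft Malware Protection Driver;h:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S0 axghu;axghu;h:\windows\system32\drivers\ethqvvsl.sys --> h:\windows\system32\drivers\ethqvvsl.sys [?]
S2 dnscon;DNS Connection;h:\windows\system32\svchost.exe -k LocalServices [2004-8-4 14336]
S3 cpuz129;cpuz129;\??\h:\docume~1\samual\locals~1\temp\cpuz_x32.sys --> h:\docume~1\samual\locals~1\temp\cpuz_x32.sys [?]
S4 npggsvc;nProtect GameGuard Service;h:\windows\system32\gamemon.des -service --> h:\windows\system32\GameMon.des -service [?]
"""

# "<R|S><0-4> <name>;<display name>;<image and trailing info>"
LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*)$")
# Trailing "[YYYY-M-D size]" that DDS appends when the file was found.
STAMP_RE = re.compile(r" \[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]$")


@dataclass
class ServiceEntry:
    running: bool
    start_type: str
    name: str
    display_name: str
    image: str            # registered image path, plus any arguments
    file_missing: bool    # True when DDS printed "--> path [?]"
    timestamp: str = ""   # file date DDS recorded, when the file exists
    size: int = 0


def parse_dds_services(text):
    """Parse DDS service/driver lines into ServiceEntry records."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, "." separators, section headers
        state, start, name, display, rest = m.groups()
        if rest.endswith(" [?]"):
            # Unresolved file: "declared --> resolved [?]"; keep the resolved form.
            declared, _, resolved = rest[:-4].partition(" --> ")
            entries.append(ServiceEntry(state == "R", START_TYPES[start], name, display,
                                        resolved or declared, True))
            continue
        stamp = STAMP_RE.search(rest)
        image = rest[:stamp.start()] if stamp else rest
        entries.append(ServiceEntry(state == "R", START_TYPES[start], name, display, image, False,
                                    stamp.group(1) if stamp else "",
                                    int(stamp.group(2)) if stamp else 0))
    return entries


def triage(entries):
    """Return {service name: [reasons]} for entries that deserve a second look."""
    findings = {}
    for e in entries:
        reasons = []
        lowered = e.image.lower()
        if e.file_missing:
            reasons.append(f"{e.start_type}-start entry points to a file that no longer exists")
        if "\\temp\\" in lowered:
            reasons.append("image lives in a temp directory")
        if "svchost.exe -k " in lowered:
            group = e.image.split("-k ", 1)[1].split()[0]
            reasons.append(f"hosted by svchost group '{group}'; verify the ServiceDll it loads")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_dds_services(SAMPLE_DDS_LINES)).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run it and the four stopped entries are listed with a reason each, while the MpFilter line (a running system-start driver whose file DDS found and dated) is left alone. The svchost rule does not call an entry bad; it only points at the one thing the DDS line cannot show, which is the DLL the group actually loads.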


#4 heir

heir

  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:08:38 AM

Posted 13 May 2011 - 02:02 PM

Something I should point out regarding CCleaner, Glary Utilities, TuneUp Utilities and similar products:

It's not recommended to use registry cleaners. These often cause more problems than they fix. One of my colleagues, miekiemoes, has an excellent write-up here.
Another excellent article by Bill Castner is located here.


Step 1.
Uninstall software:

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

µTorrent
CCleaner
Conduit Engine



Optional removals
CCleaner <<< --- Registry cleaner
µTorrent and P2P programs in general are legal themselves, but much of the content downloaded with them is downloaded illegally. They are also a great way to infect yourself with malware.
It's up to you if you want to remove the above programs, however I recommend you do.

Step 2.
RKU:

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished, then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Step 3.
aswMBR:

Download aswMBR.exe (511KB) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.


Step 4.
Things I would like to see in your reply:

  • Which programs were removed in step 1.
  • The content of the log from RKU in step 2.
  • The content of the log from aswMBR in step 3.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#5 Falneth

Falneth
  • Topic Starter

  • Members
  • 132 posts
  • Gender:Male
  • Location:Missouri, USA
  • Local time:01:38 AM

Posted 13 May 2011 - 03:06 PM

1. Software Removal
I removed Conduit Engine. I did not remove CCleaner because I primarily use it to delete excess temp files and unnecessary junk files that it can scan.

2. RKU Log:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB6A49000 H:\WINDOWS\system32\DRIVERS\ati2mtag.sys 3891200 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBD1CD000 H:\WINDOWS\System32\ati3duag.dll 3821568 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBD572000 H:\WINDOWS\System32\ativvaxx.dll 2670592 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 H:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 H:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBD065000 H:\WINDOWS\System32\ati2cqag.dll 626688 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xB7E42000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBD0FE000 H:\WINDOWS\System32\atikvmag.dll 540672 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0x9E629000 H:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xA7F71000 H:\WINDOWS\system32\drivers\Senfilt.sys 393216 bytes (Sensaura, Sensaura WDM 3D Audio Driver)
0xB6575000 H:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0x9E73E000 H:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x9C170000 H:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBD012000 H:\WINDOWS\System32\ati2dvag.dll 339968 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xA80AC000 H:\WINDOWS\system32\drivers\ADIHdAud.sys 311296 bytes (Analog Devices, Inc., High Definition Audio Function Driver)
0xBD182000 H:\WINDOWS\System32\atiok3x2.dll 307200 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xB6967000 H:\WINDOWS\system32\DRIVERS\NVNRM.SYS 307200 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xBD7FE000 H:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x9ACF6000 H:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xA4A20000 H:\WINDOWS\System32\DRIVERS\cmdguard.sys 233472 bytes (COMODO, COMODO Internet Security Sandbox Driver)
0xB6930000 H:\WINDOWS\system32\DRIVERS\NVSNPU.SYS 225280 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.)
0xB7F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9C268000 H:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB7DFF000 H:\WINDOWS\System32\DRIVERS\NDIS.SYS 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9A676000 H:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0x9E699000 H:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x9E5D5000 H:\WINDOWS\system32\DRIVERS\atinavt2.sys 172032 bytes (ATI Technologies Inc., ATI T200 Unified AVStream Driver)
0xB69B2000 H:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0x9E6E6000 H:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA590B000 H:\WINDOWS\system32\DRIVERS\MpFilter.sys 159744 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0x9E718000 H:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0x9BE04000 H:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA8088000 H:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB69FD000 H:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB69DA000 H:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0x9E6C4000 H:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 H:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB7EF8000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB7F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB7DE5000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x9E5FF000 H:\WINDOWS\System32\Drivers\dump_nvata.sys 102400 bytes
0xB7F18000 nvata.sys 102400 bytes (NVIDIA Corporation, NVIDIA® nForce™ IDE Performance Driver)
0xB7F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB65D3000 H:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xA7FD1000 H:\WINDOWS\system32\drivers\AEAudio.sys 94208 bytes (Andrea Electronics Corporation, Audio Noise Filtering Driver (32-bit))
0xB7ECF000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB65FC000 H:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB7E2C000 inspect.sys 90112 bytes (COMODO, COMODO Internet Security Firewall Driver)
0x9BDEF000 H:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB6A21000 H:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB6A35000 H:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0x9E797000 H:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBD000000 H:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB7EE6000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB7F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB65EB000 H:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0x9E618000 H:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0x9FCAD000 H:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB8218000 H:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB80A8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xB81F8000 H:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB7615000 H:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB8228000 H:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0x9BF80000 H:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0x9FCFD000 H:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver)
0xB8188000 H:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xB80B8000 H:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xB81E8000 H:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)
0xB8108000 H:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xA03EE000 H:\WINDOWS\system32\DRIVERS\HPZid412.sys 53248 bytes (HP, IEEE-1284.4-1999 Driver (Windows 2000))
0xB6E0F000 H:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xB80E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB82D8000 H:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xA040E000 H:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB8208000 H:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xB80D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB6DFF000 H:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xB8308000 H:\WINDOWS\system32\DRIVERS\VClone.sys 45056 bytes (Elaborate Bytes AG, VirtualCloneCD Driver)
0xB80C8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB8318000 H:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB82F8000 H:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB80F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xA5441000 H:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xA03FE000 H:\WINDOWS\system32\drivers\LVUSBSta.sys 36864 bytes (Logitech Inc., USB Statistic Driver)
0xB82E8000 H:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xA042E000 H:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0x9A4C4000 H:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB8178000 H:\WINDOWS\system32\DRIVERS\NVENETFD.sys 36864 bytes (NVIDIA Corporation, NVIDIA Networking Function Driver.)
0xA043E000 H:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xA160D000 H:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB8448000 H:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xB8468000 H:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB8458000 H:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xA981C000 H:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB83C0000 H:\DOCUME~1\Samual\LOCALS~1\Temp\mbr.sys 28672 bytes
0xB8328000 H:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xA15F5000 H:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xA15FD000 H:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xA1605000 H:\WINDOWS\System32\DRIVERS\cmdhlp.sys 24576 bytes (COMODO, COMODO Internet Security Helper Driver)
0xB8470000 H:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xA617A000 H:\WINDOWS\system32\DRIVERS\HIDKbFlt.sys 24576 bytes (Dritek System Inc., Dritek USB Keyboard HID Filter Driver)
0xA15ED000 H:\WINDOWS\system32\DRIVERS\HPZius12.sys 24576 bytes (HP, 1284.4<->Usb Datalink Driver (Windows 2000))
0xB8370000 H:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB8378000 H:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xA05BC000 H:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0658B817-4DA1-44CF-92E8-7438101E4EF1}\MpKsl7e61c655.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xB8478000 H:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xA161D000 H:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xA0604000 H:\WINDOWS\System32\Drivers\ElbyCDIO.sys 20480 bytes (Elaborate Bytes AG, ElbyCD Windows NT/2000/XP I/O driver)
0xB8388000 H:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xA1615000 H:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xB8330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xA536E000 H:\WINDOWS\system32\Drivers\PROCEXP141.SYS 20480 bytes
0xB8360000 H:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB8368000 H:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xB8338000 H:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB8460000 H:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0x9F62B000 H:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB84C0000 H:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xA0325000 H:\WINDOWS\system32\DRIVERS\HPZipr12.sys 16384 bytes (HP, IEEE-1284.4-1999 Print Class Driver)
0xA0339000 H:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB8580000 H:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA6F07000 H:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB75F1000 H:\WINDOWS\system32\DRIVERS\nvnetbus.sys 16384 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)
0xB75FD000 H:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xA0345000 H:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xB7D85000 H:\WINDOWS\system32\DRIVERS\BdaSup.SYS 12288 bytes (Microsoft Corporation, Microsoft BDA Driver Support Library)
0xB84B8000 H:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB84BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xA59D5000 H:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xA59E5000 H:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA0341000 H:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB75DD000 H:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xA175D000 H:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x9F697000 H:\WINDOWS\system32\DRIVERS\wdcsam.sys 12288 bytes (Western Digital Technologies, WD SCSI Architecture Model (SAM) driver)
0xA1739000 H:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xB85F4000 H:\WINDOWS\system32\DRIVERS\ASACPI.sys 8192 bytes (-, ATK0110 ACPI Utility)
0xB85D6000 H:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xA5B7B000 H:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xB85D4000 H:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xB85A8000 H:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB85D8000 H:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xB8614000 H:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xB85DE000 H:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xB8612000 H:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xB8634000 H:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xB85AA000 H:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xB87D6000 H:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xA4BF2000 H:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xA018D000 H:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xB8670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x01070000 Hidden Image-->WDFMEIPC.dll [ EPROCESS 0x89D01718 ] PID: 1848, 110592 bytes
0x00C60000 Hidden Image-->WDFMEIPC.dll [ EPROCESS 0x899F7DA0 ] PID: 2312, 110592 bytes
0x01270000 Hidden Image-->Microsoft.VisualC.Dll [ EPROCESS 0x89D01718 ] PID: 1848, 16384 bytes
0x00D00000 Hidden Image-->msvcm90.dll [ EPROCESS 0x89D01718 ] PID: 1848, 270336 bytes
0x03290000 Hidden Image-->msvcm90.dll [ EPROCESS 0x89D01718 ] PID: 1848, 270336 bytes
0x03BE0000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x89D01718 ] PID: 1848, 270336 bytes
0x00C10000 Hidden Image-->msvcm90.dll [ EPROCESS 0x899F7DA0 ] PID: 2312, 270336 bytes
0x032E0000 Hidden Image-->System.Data.dll [ EPROCESS 0x89D01718 ] PID: 1848, 2961408 bytes
0x03B90000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x89D01718 ] PID: 1848, 307200 bytes
0x00F60000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x899F7DA0 ] PID: 2312, 307200 bytes
0x04790000 Hidden Image-->System.dll [ EPROCESS 0x89BF9020 ] PID: 3900, 3190784 bytes
0x042C0000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x89BF9020 ] PID: 3900, 5033984 bytes
0x03C20000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x89BF9020 ] PID: 3900, 634880 bytes
0x03E70000 Hidden Image-->System.Data.SQLite.dll [ EPROCESS 0x89D01718 ] PID: 1848, 905216 bytes


3. aswMBR Log:

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-13 15:01:32
-----------------------------
15:01:32.875 OS Version: Windows 5.1.2600 Service Pack 3
15:01:32.875 Number of processors: 2 586 0x4303
15:01:32.875 ComputerName: OFFICE UserName: Samual
15:01:33.390 Initialize success
15:01:52.328 Service scanning
15:01:54.046 Disk 0 trace - called modules:
15:01:54.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
15:01:54.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac44ab8]
15:01:54.062 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000071[0x8ac92ac0]
15:01:54.062 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\0000006f[0x8ac44030]
15:01:54.062 Scan finished successfully
15:02:12.203 The log file has been saved successfully to "H:\Documents and Settings\Samual\Desktop\aswMBR.txt"


I hope this helps.



#6 heir

heir

  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:08:38 AM

Posted 14 May 2011 - 06:06 AM

Looks as if something is hiding the MBR.

Let's use this tool

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.



#7 Falneth

Falneth
  • Topic Starter

  • Members
  • 132 posts
  • Gender:Male
  • Location:Missouri, USA
  • Local time:01:38 AM

Posted 14 May 2011 - 07:52 AM

Here's the report from MBRCheck:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000df9

Kernel Drivers (total 151):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 ohci1394.sys
0xB80B8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB80C8000 isapnp.sys
0xB84BC000 compbatt.sys
0xB84C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80D8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB8330000 PartMgr.sys
0xB80E8000 VolSnap.sys
0xB7F31000 atapi.sys
0xB7F18000 nvata.sys
0xB80F8000 disk.sys
0xB8108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7EF8000 fltmgr.sys
0xB7EE6000 sr.sys
0xB7ECF000 KSecDD.sys
0xB7E42000 Ntfs.sys
0xB7E2C000 inspect.sys
0xB7DFF000 \WINDOWS\System32\DRIVERS\NDIS.SYS
0xB8338000 \WINDOWS\System32\DRIVERS\TDI.SYS
0xB7DE5000 Mup.sys
0xB81E8000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xB6A49000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB6A35000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8458000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB81F8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB75FD000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB6A21000 \SystemRoot\system32\DRIVERS\parport.sys
0xB8460000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB69FD000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8468000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8208000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB8218000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8228000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB69DA000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8470000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB8478000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB69B2000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB75F1000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xB6967000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xB6930000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xB85F4000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xB87D6000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB6E0F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB75DD000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB65FC000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB6DFF000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB82D8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB65EB000 \SystemRoot\system32\DRIVERS\psched.sys
0xB82E8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8360000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8368000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB82F8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB8370000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8378000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB8308000 \SystemRoot\system32\DRIVERS\VClone.sys
0xB65D3000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0xB8612000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB6575000 \SystemRoot\system32\DRIVERS\update.sys
0xB8580000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB8318000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB8388000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB8178000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xB8188000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB8634000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA80AC000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xA8088000 \SystemRoot\system32\drivers\portcls.sys
0xB7615000 \SystemRoot\system32\drivers\drmk.sys
0xA7FD1000 \SystemRoot\system32\drivers\AEAudio.sys
0xA7F71000 \SystemRoot\system32\drivers\Senfilt.sys
0xA590B000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xB8448000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xA4A20000 \SystemRoot\System32\DRIVERS\cmdguard.sys
0xA59E5000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA5441000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA981C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB85D4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA018D000 \SystemRoot\System32\Drivers\Null.SYS
0xB85D6000 \SystemRoot\System32\Drivers\Beep.SYS
0xA161D000 \SystemRoot\System32\drivers\vga.sys
0xB85D8000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85DE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA1615000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA160D000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA175D000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x9E797000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x9E73E000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA1605000 \SystemRoot\System32\DRIVERS\cmdhlp.sys
0x9E718000 \SystemRoot\system32\DRIVERS\ipnat.sys
0x9E6E6000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA043E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA1739000 \SystemRoot\System32\drivers\ws2ifsl.sys
0x9E6C4000 \SystemRoot\System32\drivers\afd.sys
0xA042E000 \SystemRoot\system32\DRIVERS\netbios.sys
0x9E699000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9E629000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA040E000 \SystemRoot\System32\Drivers\Fips.SYS
0xA15FD000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA03FE000 \SystemRoot\system32\drivers\LVUSBSta.sys
0xA0345000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xA15F5000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xA15ED000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xA0341000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA03EE000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xA0339000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA0604000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0x9FCFD000 \SystemRoot\system32\drivers\usbaudio.sys
0xA0325000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0x9FCAD000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9E618000 \SystemRoot\System32\Drivers\Udfs.SYS
0x9F697000 \SystemRoot\system32\DRIVERS\wdcsam.sys
0x9E5FF000 \SystemRoot\System32\Drivers\dump_nvata.sys
0xA5B7B000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA59D5000 \SystemRoot\System32\drivers\Dxapi.sys
0x9F62B000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xA4BF2000 \SystemRoot\System32\drivers\dxgthk.sys
0x9E5D5000 \SystemRoot\system32\DRIVERS\atinavt2.sys
0xB7D85000 \SystemRoot\system32\DRIVERS\BdaSup.SYS
0xBD012000 \SystemRoot\System32\ati2dvag.dll
0xBD065000 \SystemRoot\System32\ati2cqag.dll
0xBD0FE000 \SystemRoot\System32\atikvmag.dll
0xBD182000 \SystemRoot\System32\atiok3x2.dll
0xBD1CD000 \SystemRoot\System32\ati3duag.dll
0xBD572000 \SystemRoot\System32\ativvaxx.dll
0xBD7FE000 \SystemRoot\System32\ATMFD.DLL
0xA6F07000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9C268000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA617A000 \SystemRoot\system32\DRIVERS\HIDKbFlt.sys
0xB8614000 \SystemRoot\System32\Drivers\ParVdm.SYS
0x9C170000 \SystemRoot\system32\DRIVERS\srv.sys
0x9BE04000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x9BDEF000 \SystemRoot\system32\drivers\wdmaud.sys
0x9BF80000 \SystemRoot\system32\drivers\sysaudio.sys
0x9ACF6000 \SystemRoot\System32\Drivers\HTTP.sys
0xA536E000 \??\H:\WINDOWS\system32\Drivers\PROCEXP141.SYS
0xB83C0000 \??\H:\DOCUME~1\Samual\LOCALS~1\Temp\mbr.sys
0x9A676000 \SystemRoot\system32\drivers\kmixer.sys
0x9A3FC000 \??\H:\DOCUME~1\Samual\LOCALS~1\Temp\aswMBR.sys
0xB8428000 \??\H:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7D1B3604-DD35-42E4-8DB1-97EA7C7AD7B0}\MpKsl85e82eb0.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 41):
0 System Idle Process
4 System
724 H:\WINDOWS\system32\smss.exe
772 csrss.exe
804 H:\WINDOWS\system32\winlogon.exe
848 H:\WINDOWS\system32\services.exe
888 H:\WINDOWS\system32\lsass.exe
1036 H:\WINDOWS\system32\svchost.exe
1140 svchost.exe
1260 H:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
1296 H:\WINDOWS\system32\svchost.exe
1328 H:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
1604 svchost.exe
1652 svchost.exe
1736 H:\WINDOWS\system32\spoolsv.exe
636 svchost.exe
712 H:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
1044 H:\Documents and Settings\Samual\Local Settings\Application Data\CrossLoop\CrossLoopService.exe
1832 H:\WINDOWS\system32\svchost.exe
180 H:\Program Files\TVersity\Media Server\MediaServer.exe
1520 H:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
1848 H:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
2312 H:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
2964 alg.exe
3784 H:\WINDOWS\explorer.exe
3880 H:\Program Files\Microsoft Security Client\msseces.exe
3888 H:\Program Files\Freecorder\FLVSrvc.exe
3908 H:\Program Files\COMODO\COMODO Internet Security\cfp.exe
3924 H:\WINDOWS\system32\ctfmon.exe
3932 H:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
4036 H:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
4068 H:\Program Files\Micro Innovations\Internet Keyboard Elite\KEMailKb.EXE
4076 H:\Documents and Settings\Samual\Desktop\procexp.exe
2324 H:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
376 H:\Program Files\Mozilla Firefox\firefox.exe
648 H:\Program Files\Mozilla Firefox\plugin-container.exe
2764 H:\Program Files\Windows Media Player\wmplayer.exe
704 H:\Program Files\Mozilla Firefox\plugin-container.exe
2868 H:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
3280 H:\Program Files\uTorrent\uTorrent.exe
3356 H:\downloads\MBRCheck.exe

\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\K: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\L: --> \\.\PhysicalDrive3 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive1 Model Number: ST3500320AS, Rev: SD15
PhysicalDrive0 Model Number: ST3250318AS, Rev: CC38
PhysicalDrive2 Model Number: SeagateFreeAgentDesktop, Rev: 100D
PhysicalDrive3 Model Number: WDMy Book 1110, Rev: 2018

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
298 GB \\.\PhysicalDrive2 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
930 GB \\.\PhysicalDrive3 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

A.A.S in Computer and Network Support from Crowder College


#8 heir

heir

  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:08:38 AM

Posted 14 May 2011 - 06:37 PM

Step 1.
Filescan:


Please go to: VirusTotal

  • On the page you'll find a Browse button.
  • Click on the Browse button.
  • In the Choose File to Upload window which opens, copy and paste this into the File Name box:

    h:\windows\system32\DSndUpc.dll
  • Next, click the Open button.
  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying "File has already been analyzed", click "Reanalyze file now".
  • Once scanned, copy and paste the link to the results page in your next reply.


Step 2.
ComboFix:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Step 3.
Things I would like to see in your reply:

  • The link to the filescan in step 1.
  • The content of C:\ComboFix.txt from step 2.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware, click the donate link in my signature.

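The sequence heir asks for (find the DLL that the rundll32.exe hosts are loading, then get it scanned) can be checked from the evidence already in the thread instead of from Explorer, which by default does not display files carrying both the hidden and system attributes; the ComboFix log posted below lists h:\windows\system32\DSndUpc.dll with attributes `--sha-r-`. The following script is an added example, not code from ComboFix, Process Explorer, VirusTotal or anyone in the thread. It parses rundll32.exe command lines of the kind Process Explorer displays, joins them against lines in ComboFix's "Files Created" format, and flags hosts whose DLL is listed as hidden+system or is loaded by the same name from more than one directory (the thread reports DSndUpc.dll in both Movie Maker and system32). The two DSndUpc.dll command lines and the export name "Entry" are constructed assumptions (the thread says only that the command lines pointed at that DLL); the reading of the attribute letters (s=system, h=hidden, a=archive, r=read-only) is as inferred from the log; the bootdelete.exe, AGEIA and DSndUpc.dll listing lines are copied from the log below.

```python
"""Correlate rundll32.exe hosts with a ComboFix-style file listing.

Added example for this thread; not code from ComboFix, Process Explorer or
VirusTotal.  The rundll32 command lines are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Three lines copied from the ComboFix "Files Created" section in the thread.
COMBOFIX_LINES = r"""
2011-04-28 05:08 . 2011-04-28 05:08 12872 ----a-w- h:\windows\system32\bootdelete.exe
2011-04-21 14:48 . 2011-04-21 14:48 -------- d-----w- h:\windows\system32\AGEIA
2011-04-21 02:08 . 2011-04-21 02:08 80384 --sha-r- h:\windows\system32\DSndUpc.dll
""".strip().splitlines()

# Constructed command lines in the shape Process Explorer shows.  The thread
# only says the two hosts pointed at DSndUpc.dll; the exact command lines and
# the export name "Entry" are assumptions.  The third line is a normal, benign
# use of rundll32 for contrast.
RUNDLL32_CMDLINES = [
    r'"H:\WINDOWS\system32\rundll32.exe" "H:\WINDOWS\system32\DSndUpc.dll",Entry',
    r'"H:\WINDOWS\system32\rundll32.exe" "H:\Program Files\Movie Maker\DSndUpc.dll",Entry',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
]

# <date> <time> . <date> <time> <size or --------> <8 attribute chars> <path>
CF_LINE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\S+) (\S{8}) (.+)$")

# rundll32 host (quoted or bare), then the DLL (quoted or bare), a comma and
# the export name.  Simplification: a bare DLL path may not contain a comma.
RUNDLL_CMD = re.compile(
    r'^\s*(?:"[^"]*?rundll32\.exe"|\S*?rundll32\.exe)\s+'
    r'(?:"(?P<q>[^"]+)"|(?P<u>[^,\s]+))'
    r'\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)


@dataclass
class FileEntry:
    path: str            # lower-cased path as ComboFix prints it
    size: Optional[int]  # None for directories
    system: bool
    hidden: bool
    readonly: bool


def parse_combofix_line(line: str) -> Optional[FileEntry]:
    """Parse one ComboFix file-listing line; None if the line is not one."""
    m = CF_LINE.match(line.strip())
    if not m:
        return None
    size_s, attrs, path = m.group(3), m.group(4), m.group(5)
    # Attribute letters as read from the log: s=system, h=hidden, a=archive,
    # r=read-only, w=writable, d=directory (an assumption about the format).
    return FileEntry(
        path=path.strip().lower(),
        size=int(size_s) if size_s.isdigit() else None,
        system="s" in attrs, hidden="h" in attrs, readonly="r" in attrs,
    )


def parse_rundll32_cmdline(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL_CMD.match(cmdline)
    if not m:
        return None
    return (m.group("q") or m.group("u")), m.group("entry")


def suspicious_rundll32_hosts(cmdlines: List[str], listing: List[str]) -> List[dict]:
    """Flag rundll32 hosts whose DLL looks like a dropped file.

    Signals: the DLL is listed with hidden+system attributes (Explorer's
    default view hides such files), or the same DLL name is loaded from
    more than one directory.
    """
    index: Dict[str, FileEntry] = {}
    for line in listing:
        entry = parse_combofix_line(line)
        if entry:
            index[entry.path] = entry

    hosts = [(c, parse_rundll32_cmdline(c)) for c in cmdlines]
    dirs_by_name: Dict[str, Set[str]] = {}
    for _, parsed in hosts:
        if parsed:
            directory, _, name = parsed[0].lower().rpartition("\\")
            dirs_by_name.setdefault(name, set()).add(directory)

    findings = []
    for cmdline, parsed in hosts:
        if not parsed:
            continue
        dll, export = parsed
        key = dll.lower()
        _, _, name = key.rpartition("\\")
        reasons = []
        entry = index.get(key)
        if entry and entry.hidden and entry.system:
            reasons.append("DLL has hidden+system attributes in the file listing")
        if len(dirs_by_name[name]) > 1:
            reasons.append("same DLL name loaded from %d directories" % len(dirs_by_name[name]))
        if reasons:
            findings.append({"cmdline": cmdline, "dll": dll, "export": export, "reasons": reasons})
    return findings


def fingerprint(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of a sample: VirusTotal accepts any of these as a
    search term, so an existing report can be found without uploading."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    for f in suspicious_rundll32_hosts(RUNDLL32_CMDLINES, COMBOFIX_LINES):
        print(f["dll"], "->", f["export"])
        for r in f["reasons"]:
            print("   ", r)
    print(fingerprint(b"constructed sample bytes")["sha256"])  # stand-in for reading the DLL
```

On the machine itself the same check is `dir /a:sh h:\windows\system32\DSndUpc.dll` from a command prompt (hidden and system files are excluded from a plain `dir` and from Explorer until "Show hidden files and folders" is on and "Hide protected operating system files" is off in Folder Options). Hashing the file with `fingerprint()` and searching VirusTotal for the SHA-256 gives a verdict even when the browser upload stalls.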

#9 Falneth

Falneth
  • Topic Starter

  • Members
  • 132 posts
  • Gender:Male
  • Location:Missouri, USA
  • Local time:01:38 AM

Posted 15 May 2011 - 07:39 AM

When I tried to submit the DSndUpc.dll file, it would not send it. When I tried again to send the file, I was in the Windows\system32 folder but the DSndUpc.dll file was not listed in the folder. Therefore, I do not believe that it will send the file when I do not have the file on my computer. I cannot provide a link to the filescan because it would not send the file. When I click the submit file button, it tries to send the file but then just sits on the main VirusTotal page where I try to upload the file.

Any other ideas?

Also, the rundll32.exe files that run when I start my computer are still running after running ComboFix and they are still pointing to the DSndUpc.dll files.

ComboFix.txt log:

ComboFix 11-05-14.01 - Samual 05/15/2011 7:14.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1119 [GMT -5:00]
Running from: h:\documents and settings\Samual\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
h:\documents and settings\Samual\Application Data\.#
h:\documents and settings\Samual\Application Data\Adobe\plugs
h:\documents and settings\Samual\Application Data\Adobe\shed
h:\documents and settings\Samual\Application Data\PriceGong
h:\documents and settings\Samual\Application Data\PriceGong\Data\1.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\a.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\b.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\c.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\d.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\e.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\f.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\g.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\h.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\i.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\J.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\k.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\l.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\m.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\mru.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\n.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\o.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\p.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\q.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\r.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\s.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\t.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\u.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\v.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\w.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\x.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\y.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\z.xml
h:\documents and settings\Samual\WINDOWS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DNSCON
-------\Legacy_NETMANAGER
-------\Service_dnscon
-------\Service_NetManager
.
.
((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
.
.
2072-04-03 18:13 . 2008-03-21 19:46 607296 ------w- h:\program files\Microsoft Games\Age of Empires III\deformerdllyD.dll
2011-05-15 06:34 . 2011-04-11 05:04 7071056 ----a-w- h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AD8C69C-D99F-4455-8294-F7D20D0C179D}\mpengine.dll
2011-05-14 23:00 . 2011-05-14 23:00 -------- d-----w- h:\documents and settings\Sonda\Local Settings\Application Data\Western Digital
2011-05-14 22:59 . 2011-05-14 22:59 -------- d-----w- h:\documents and settings\All Users\Application Data\Ubisoft
2011-05-14 22:55 . 2011-05-14 22:55 -------- d-----w- h:\program files\PopCap Games
2011-05-14 22:51 . 2011-05-14 22:54 -------- d-----w- h:\program files\Dogz
2011-05-13 19:56 . 2011-05-13 19:56 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\Temp
2011-05-07 12:28 . 2011-05-07 12:28 -------- d-----w- h:\program files\Free M4a to MP3 Converter
2011-05-07 03:45 . 2011-05-07 03:45 -------- d-----w- h:\documents and settings\LocalService\Application Data\TightVNC
2011-05-07 03:43 . 2011-05-15 12:21 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\CrossLoop
2011-05-07 02:46 . 2011-05-07 02:46 -------- d-----w- h:\documents and settings\Samual\Application Data\UltraVNC
2011-05-07 02:39 . 2011-05-07 03:59 -------- d-----w- h:\program files\UltraVNC
2011-05-06 20:48 . 2011-05-06 20:49 -------- d-----w- h:\program files\SyncToy 2.1
2011-05-06 20:43 . 2011-05-06 20:43 -------- d-----w- h:\program files\Microsoft Sync Framework
2011-05-06 20:04 . 2011-05-06 20:04 -------- d-----w- h:\windows\UltraDefrag
2011-05-06 14:49 . 2011-05-06 14:49 -------- d-----w- h:\program files\COMODO
2011-05-06 14:47 . 2011-05-06 14:47 -------- d-----w- h:\documents and settings\All Users\Application Data\Comodo Downloader
2011-05-06 14:46 . 2011-05-13 14:43 -------- d-----w- h:\documents and settings\All Users\Application Data\Comodo
2011-05-06 14:29 . 2011-05-06 14:29 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\Eraser 6
2011-05-06 14:10 . 2011-05-06 14:35 -------- d-----w- h:\program files\Soluto
2011-05-06 14:08 . 2011-05-06 14:08 -------- d-----w- h:\program files\Eraser
2011-05-06 14:01 . 2011-05-06 14:35 -------- d-----w- h:\documents and settings\All Users\Application Data\Soluto
2011-05-05 23:33 . 2011-05-06 02:06 -------- d-----w- h:\program files\Europa Universalis III
2011-05-04 03:31 . 2011-05-04 03:31 -------- d-----w- h:\program files\Common Files\xing shared
2011-05-04 03:28 . 2011-05-04 03:28 105472 ----a-w- h:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-05-03 20:44 . 2011-05-03 20:44 -------- d-----w- h:\program files\Cobian Backup 8
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\program files\Uniblue
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\program files\Trend Micro
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\PackageAware
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\program files\Hitman Pro 3.5
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\Microsoft Help
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\program files\ACW
2011-05-03 01:36 . 2011-05-10 12:30 97504 ----a-w- h:\windows\system32\drivers\inspect.sys
2011-05-03 01:36 . 2011-05-03 01:36 29400 ----a-w- h:\windows\system32\drivers\cmdhlp.sys
2011-05-03 01:36 . 2011-05-03 01:36 242472 ----a-w- h:\windows\system32\drivers\cmdGuard.sys
2011-05-03 01:36 . 2011-05-03 01:36 17416 ----a-w- h:\windows\system32\drivers\cmderd.sys
2011-05-03 01:36 . 2011-05-03 01:36 284744 ----a-w- h:\windows\system32\guard32.dll
2011-04-30 04:36 . 2011-04-11 05:04 7071056 ----a-w- h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-29 03:28 . 2011-04-29 03:28 -------- d-----w- h:\documents and settings\Samual\Application Data\Uniblue
2011-04-29 03:14 . 2011-04-29 03:14 388096 ----a-r- h:\documents and settings\Samual\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-28 13:01 . 2011-05-08 03:50 -------- d-----w- h:\documents and settings\Samual\Application Data\Media Player Classic
2011-04-28 05:08 . 2011-04-28 05:08 12872 ----a-w- h:\windows\system32\bootdelete.exe
2011-04-28 05:02 . 2011-04-29 04:37 16968 ----a-w- h:\windows\system32\drivers\hitmanpro35.sys
2011-04-28 05:00 . 2011-05-03 19:59 -------- d-----w- h:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-28 04:28 . 2011-04-28 04:28 -------- d-----w- h:\program files\Common Files\Java
2011-04-28 04:27 . 2011-04-28 04:27 73728 ----a-w- h:\windows\system32\javacpl.cpl
2011-04-28 04:27 . 2011-04-28 04:27 472808 ----a-w- h:\windows\system32\deployJava1.dll
2011-04-28 04:27 . 2011-04-28 04:27 472808 ----a-w- h:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-28 04:24 . 2011-05-03 20:01 -------- d-----w- h:\program files\Microsoft Security Client
2011-04-27 21:12 . 2011-05-07 15:14 -------- d-----w- h:\program files\Guild Wars
2011-04-21 14:49 . 2011-04-21 14:49 -------- d-----w- h:\program files\Reality Pump
2011-04-21 14:48 . 2011-05-03 20:01 -------- d-----w- h:\program files\AGEIA Technologies
2011-04-21 14:48 . 2011-04-21 14:48 -------- d-----w- h:\windows\system32\AGEIA
2011-04-21 02:08 . 2011-04-21 02:08 80384 --sha-r- h:\windows\system32\DSndUpc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 03:24 . 2007-09-06 14:06 348160 ----a-w- h:\windows\system32\msvcr71.dll
2011-05-04 03:24 . 2008-10-21 02:15 499712 ----a-w- h:\windows\system32\msvcp71.dll
2011-04-27 19:27 . 2011-03-06 13:36 0 ----a-w- h:\windows\system32\ConduitEngine.tmp
2011-03-07 05:33 . 2007-09-06 13:25 692736 ----a-w- h:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-04 12:00 434176 ----a-w- h:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-10-22 01:45 1857920 ----a-w- h:\windows\system32\win32k.sys
2011-02-17 19:00 . 2004-08-04 12:00 832512 ----a-w- h:\windows\system32\wininet.dll
2011-02-17 19:00 . 2004-08-04 12:00 78336 ----a-w- h:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2004-08-04 12:00 1830912 ------w- h:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2004-08-04 12:00 17408 ----a-w- h:\windows\system32\corpol.dll
2011-02-17 13:18 . 2008-10-22 01:45 455936 ----a-w- h:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-10-22 01:45 357888 ----a-w- h:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 07:38 5120 ----a-w- h:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2004-08-04 12:00 389120 ----a-w- h:\windows\system32\html.iec
2011-02-16 21:52 . 2011-04-07 02:40 11520 ----a-w- h:\windows\system32\drivers\wdcsam.sys
2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- h:\windows\system32\atmfd.dll
2011-04-29 02:36 . 2011-04-03 00:29 142296 ----a-w- h:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "h:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-01-17 14:54 175912 ----a-w- h:\program files\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "h:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "h:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="h:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"uTorrent"="h:\program files\uTorrent\uTorrent.exe" [2011-03-25 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="h:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Freecorder FLV Service"="h:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]
"Eraser"="h:\progra~1\Eraser\Eraser.exe" [2010-11-05 980368]
"COMODO Internet Security"="h:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="h:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
h:\documents and settings\Samual\Start Menu\Programs\Startup\
Internet Keyboard Elite.LNK - h:\program files\Micro Innovations\Internet Keyboard Elite\KEMailKb.EXE [2005-8-9 401408]
procexp.exe.lnk - h:\documents and settings\Samual\Desktop\procexp.exe [2011-4-28 3404136]
.
h:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - h:\program files\APC\APC PowerChute Personal Edition\Display.exe [2011-3-14 221247]
WDDMStatus.lnk - h:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=h:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""
.
[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=h:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=h:\windows\pss\LaunchU3.exe.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- h:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2010-06-26 18:09 167936 ----a-w- h:\program files\Freecorder\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 20:21 61952 ------w- h:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-11 04:32 61440 ----a-w- h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-03-25 04:21 399736 ----a-w- h:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-06-17 11:44 85160 ----a-w- h:\program files\SlySoft\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"SQLBrowser"=2 (0x2)
"ose"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"npggsvc"=3 (0x3)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"idsvc"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"odserv"=3 (0x3)
"nSvcLog"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"h:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"h:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"h:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=
"h:\\WINDOWS\\system32\\dpvsetup.exe"=
"h:\\WINDOWS\\system32\\javaw.exe"=
"k:\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"k:\\C&C First Decade\\Command & Conquer™ Generals Zero Hour\\generals.exe"=
"h:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"k:\\C&C First Decade\\Command & Conquer™ Generals\\generals.exe"=
"h:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"h:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"h:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"h:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"h:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"h:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"h:\\Program Files\\Rise of Legends\\legends.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"h:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"h:\\Program Files\\SEGA\\Medieval II Total War\\medieval2.exe"=
"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"h:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"h:\\Program Files\\Skype\\Phone\\Skype.exe"=
"h:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds.exe"=
"h:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds_RADEON.exe"=
"h:\\Program Files\\Guild Wars\\Gw.exe"=
"h:\\Documents and Settings\\Samual\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"h:\\Documents and Settings\\Samual\\Local Settings\\Application Data\\CrossLoop\\tvnserver.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:UDP"= 6112:UDP:Rise of Legends
"27901:UDP"= 27901:UDP:Rise of Legends
"17771:UDP"= 17771:UDP:Two Worlds
"6112:TCP"= 6112:TCP:World Of Warcraft: 6112
"6113:TCP"= 6113:TCP:World Of Warcraft: 6113
"6114:TCP"= 6114:TCP:World Of Warcraft: 6114
"4000:TCP"= 4000:TCP:World Of Warcraft: 4000
"1035:TCP"= 1035:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"5910:TCP"= 5910:TCP:vnc5910
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;h:\windows\system32\drivers\cmdGuard.sys [5/2/2011 8:36 PM 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;h:\windows\system32\drivers\cmdhlp.sys [5/2/2011 8:36 PM 29400]
R2 CrossLoopService;CrossLoop Service;h:\documents and settings\Samual\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [5/6/2011 10:43 PM 560880]
R2 HIDKbFlt;HIDKbFlt.SvcDesc%;h:\windows\system32\drivers\HIDKbFlt.sys [7/25/2005 5:13 AM 23680]
R2 WDDMService;WDDMService;h:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [3/9/2011 11:07 AM 238592]
R2 WDFME;WD File Management Engine;h:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [3/9/2011 11:18 AM 1060864]
R2 WDSC;WD File Management Shadow Engine;h:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [3/9/2011 11:16 AM 484352]
R3 WDC_SAM;WD SCSI Pass Thru driver;h:\windows\system32\drivers\wdcsam.sys [4/6/2011 9:40 PM 11520]
S0 axghu;axghu;h:\windows\system32\drivers\ethqvvsl.sys --> h:\windows\system32\drivers\ethqvvsl.sys [?]
S0 Lbd;Lbd;h:\windows\system32\DRIVERS\Lbd.sys --> h:\windows\system32\DRIVERS\Lbd.sys [?]
S1 MpKsl1819d6b2;MpKsl1819d6b2;\??\h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AD8C69C-D99F-4455-8294-F7D20D0C179D}\MpKsl1819d6b2.sys --> h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AD8C69C-D99F-4455-8294-F7D20D0C179D}\MpKsl1819d6b2.sys [?]
S3 cpuz129;cpuz129;\??\h:\docume~1\Samual\LOCALS~1\Temp\cpuz_x32.sys --> h:\docume~1\Samual\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 cpuz135;cpuz135;\??\h:\docume~1\Samual\LOCALS~1\Temp\cpuz135\cpuz135_x32.sys --> h:\docume~1\Samual\LOCALS~1\Temp\cpuz135\cpuz135_x32.sys [?]
S3 ivusb;Initio Driver for USB Default Controller;h:\windows\system32\DRIVERS\ivusb.sys --> h:\windows\system32\DRIVERS\ivusb.sys [?]
S3 tvnserver;TightVNC Server;h:\documents and settings\Samual\Local Settings\Application Data\CrossLoop\tvnserver.exe [5/6/2011 10:44 PM 814080]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);h:\windows\system32\drivers\WsAudio_DeviceS(1).sys [1/14/2011 4:40 PM 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);h:\windows\system32\drivers\WsAudio_DeviceS(2).sys [1/14/2011 4:40 PM 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);h:\windows\system32\drivers\WsAudio_DeviceS(3).sys [1/14/2011 4:41 PM 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);h:\windows\system32\drivers\WsAudio_DeviceS(4).sys [1/14/2011 4:41 PM 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);h:\windows\system32\drivers\WsAudio_DeviceS(5).sys [1/14/2011 4:41 PM 25704]
S3 XDva020;XDva020;\??\h:\windows\system32\XDva020.sys --> h:\windows\system32\XDva020.sys [?]
S4 npggsvc;nProtect GameGuard Service;h:\windows\system32\GameMon.des -service --> h:\windows\system32\GameMon.des -service [?]
S4 sptd;sptd;h:\windows\system32\drivers\sptd.sys [12/21/2007 10:59 AM 715248]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PROCEXP141
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-11 h:\windows\Tasks\Malwarebytes' Anti-Malware.job
- h:\progra~1\MALWAR~1\mbam.exe [2009-03-15 00:08]
.
2011-05-15 h:\windows\Tasks\MP Scheduled Scan.job
- h:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {10E6E681-4ED1-43CF-A624-2BC3576DC117} = 167.142.225.3,167.142.225.5
TCP: {8D62A40B-727A-41BA-8386-1DD83ECAFDF0} = 67.210.57.254,206.246.28.254
FF - ProfilePath - h:\documents and settings\Samual\Application Data\Mozilla\Firefox\Profiles\u22oscau.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-SolutoService
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-15 07:21
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WD______ rev.2019 -> Harddisk3\DR5 -> \Device\0000009d
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
error: Read The parameter is incorrect.
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]
"ImagePath"="h:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
h:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(888)
h:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(2520)
h:\windows\system32\WININET.dll
h:\windows\system32\guard32.dll
h:\documents and settings\Samual\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
h:\program files\Windows Media Player\wmpband.dll
h:\windows\system32\ieframe.dll
h:\windows\system32\WPDShServiceObj.dll
h:\windows\system32\PortableDeviceTypes.dll
h:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
h:\program files\COMODO\COMODO Internet Security\cmdagent.exe
h:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
h:\windows\system32\rundll32.exe
h:\windows\system32\rundll32.exe
h:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
h:\program files\TVersity\Media Server\MediaServer.exe
h:\windows\system32\wscntfy.exe
h:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
h:\program files\Microsoft Office\Office12\WINWORD.EXE
.
**************************************************************************
.
Completion time: 2011-05-15 07:28:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-15 12:28
.
Pre-Run: 138,798,530,560 bytes free
Post-Run: 140,649,656,320 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
Current=5 Default=5 Failed=1 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - FDA0DB766930631102AF70B9307FE960

Edited by Falneth, 15 May 2011 - 07:40 AM.

A.A.S in Computer and Network Support from Crowder College


#10 heir

heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 15 May 2011 - 12:13 PM

I was in the Windows\system32 folder but the DSndUpc.dll file was not listed in the folder.

It's a hidden file, but it should be unhidden now.

We might need to create a bootable medium to collect some off-line information from your computer. I need answers to these questions to find out what tool we can use.

Do you have access to a computer with a working CD-burner?
Do you have some blank CDs?
Can you boot from CD and/or USB?
Do you have a USB-flashdrive we could use?



Step 1.
Filescan:

Please go to: VirusTotal

  • On the page you'll find a Browse - button.
  • Click on the Browse button.
  • In the Choose File to Upload window which opens, copy and paste this into the File Name box.

    h:\windows\system32\DSndUpc.dll
  • Next, click the Open button.
  • Then click the Send File - button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.


Please repeat for the following file:
H:\Program Files\Movie Maker\DSndUpc.dll


Step 2.
ComboFix:

Open notepad and copy/paste the text in the codebox below into it:

http://www.bleepingcomputer.com/forums/topic395304.html

Suspect::[103]
h:\windows\system32\DSndUpc.dll
H:\Program Files\Movie Maker\DSndUpc.dll
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"h:\\Program Files\\uTorrent\\uTorrent.exe"=-
Driver::
axghu
cpuz129
cpuz135
File::
h:\windows\system32\drivers\ethqvvsl.sys
h:\docume~1\Samual\LOCALS~1\Temp\cpuz_x32.sys
h:\docume~1\Samual\LOCALS~1\Temp\cpuz135\cpuz135_x32.sys 

Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Step 3.
Things I would like to see in your reply:

  • Answers to the questions in the beginning of this post.
  • The links to the results from the filescans in step 1.
  • The content of C:\ComboFix.txt from step 2.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image
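A defender's triage helper for the ComboFix output in this thread (an added example, not code from any poster or from ComboFix): it parses "Files Created" lines to flag files carrying both the system and hidden attributes under system32, which is how DSndUpc.dll shows up in the log (--sha-r-), and it diffs the "Other Running Processes" sections of two logs to confirm which processes, such as the two rundll32.exe instances, are gone after a fix. The sample lines are copied from the logs on this page; the reading of the attribute letters s, h and d as system, hidden and directory is an assumption taken from the log's conventions.

```python
import re
from collections import Counter

# Sample "Files Created" lines, copied from the ComboFix log in this thread.
FILES_CREATED = r"""
2011-05-03 01:36 . 2011-05-03 01:36 284744 ----a-w- h:\windows\system32\guard32.dll
2011-04-28 05:08 . 2011-04-28 05:08 12872 ----a-w- h:\windows\system32\bootdelete.exe
2011-04-21 02:08 . 2011-04-21 02:08 80384 --sha-r- h:\windows\system32\DSndUpc.dll
2011-05-14 22:55 . 2011-05-14 22:55 -------- d-----w- h:\program files\PopCap Games
"""

# "Other Running Processes" sections before and after the CFScript run (from this thread).
BEFORE_LOG = r"""
------------------------ Other Running Processes ------------------------
.
h:\program files\COMODO\COMODO Internet Security\cmdagent.exe
h:\windows\system32\rundll32.exe
h:\windows\system32\rundll32.exe
h:\windows\system32\wscntfy.exe
.
**************************************************************************
"""
AFTER_LOG = r"""
------------------------ Other Running Processes ------------------------
.
h:\program files\COMODO\COMODO Internet Security\cmdagent.exe
h:\windows\system32\wscntfy.exe
.
**************************************************************************
"""

# One file line: <created> . <modified> <size or dashes> <8-char attribute field> <path>
_FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)


def parse_files_created(text):
    """Turn ComboFix file-listing lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _FILE_LINE.match(line.strip())
        if not m:
            continue
        size = m.group("size")
        entries.append({
            "created": m.group("created"),
            "modified": m.group("modified"),
            "size": int(size) if size.isdigit() else None,
            # Assumed letter meanings: d=directory, s=system, h=hidden, a=archive, r/w=read-only/writable
            "flags": {c for c in m.group("attrs") if c != "-"},
            "path": m.group("path"),
        })
    return entries


def find_hidden_system_files(entries, watched_dirs=("\\windows\\system32",)):
    """Files (not directories) that are both system and hidden inside a watched directory."""
    hits = []
    for e in entries:
        if "d" in e["flags"]:
            continue
        low = e["path"].lower()
        if {"s", "h"} <= e["flags"] and any(d in low for d in watched_dirs):
            hits.append(e["path"])
    return hits


def parse_running_processes(log_text):
    """Count each image path listed in the 'Other Running Processes' section."""
    procs = Counter()
    in_section = False
    for line in log_text.splitlines():
        s = line.strip()
        if "Other Running Processes" in s:
            in_section = True
            continue
        if in_section:
            if s.startswith("*****"):
                break
            if s and s != ".":
                procs[s.lower()] += 1
    return procs


def diff_processes(before, after):
    """Processes that disappeared (with how many instances) and processes that are new."""
    return {
        "gone": {p: before[p] - after[p] for p in before if before[p] > after[p]},
        "new": {p: after[p] - before[p] for p in after if after[p] > before[p]},
    }


if __name__ == "__main__":
    print("hidden+system under system32:", find_hidden_system_files(parse_files_created(FILES_CREATED)))
    print(diff_processes(parse_running_processes(BEFORE_LOG), parse_running_processes(AFTER_LOG)))
```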


#11 Falneth

Falneth
  • Topic Starter

  • Members
  • 132 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 15 May 2011 - 01:47 PM

Unfortunately, the only computer I have access to with a working CD-burner is the computer that has the issue. I do have blank CDs and a USB flash drive that I can use as a boot device. The computer with the issues IS able to boot from a CD (I believe, although I have not done so for a few years). I believe I can also boot from a USB flash drive if I make my flash drive bootable (I've done it before).

VirusTotal's Results:

When attempting to upload the DSndUpc.dll file from H:\Program Files\Movie Maker\, I was given an error message saying that the file was not found. And again when I try to upload and submit the file from \Windows\system32\, it does nothing. It does not go past the screen with the Browse button to find the file to upload (http://www.virustotal.com/index.html).

ComboFix Report after following the steps given:

ComboFix 11-05-14.03 - Samual 05/15/2011 12:29:46.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1312 [GMT -5:00]
Running from: h:\documents and settings\Samual\Desktop\ComboFix.exe
Command switches used :: h:\documents and settings\Samual\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
FILE ::
"h:\docume~1\Samual\LOCALS~1\Temp\cpuz_x32.sys"
"h:\docume~1\Samual\LOCALS~1\Temp\cpuz135\cpuz135_x32.sys"
"h:\windows\system32\drivers\ethqvvsl.sys"
.
file zipped: h:\windows\system32\DSndUpc.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
h:\documents and settings\Samual\Application Data\PriceGong
h:\documents and settings\Samual\Application Data\PriceGong\Data\1.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\a.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\b.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\c.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\d.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\e.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\f.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\g.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\h.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\i.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\J.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\k.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\l.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\m.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\mru.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\n.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\o.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\p.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\q.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\r.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\s.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\t.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\u.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\v.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\w.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\x.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\y.xml
h:\documents and settings\Samual\Application Data\PriceGong\Data\z.xml
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CPUZ129
-------\Legacy_CPUZ135
-------\Service_axghu
-------\Service_cpuz129
-------\Service_cpuz135
.
.
((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
.
.
2072-04-03 18:13 . 2008-03-21 19:46 607296 ------w- h:\program files\Microsoft Games\Age of Empires III\deformerdllyD.dll
2011-05-15 12:32 . 2011-04-11 05:04 7071056 ----a-w- h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{03A24480-5FA4-4427-8759-E0B0A7F8FCB4}\mpengine.dll
2011-05-14 23:00 . 2011-05-14 23:00 -------- d-----w- h:\documents and settings\Sonda\Local Settings\Application Data\Western Digital
2011-05-14 22:59 . 2011-05-14 22:59 -------- d-----w- h:\documents and settings\All Users\Application Data\Ubisoft
2011-05-14 22:55 . 2011-05-14 22:55 -------- d-----w- h:\program files\PopCap Games
2011-05-14 22:51 . 2011-05-14 22:54 -------- d-----w- h:\program files\Dogz
2011-05-13 19:56 . 2011-05-13 19:56 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\Temp
2011-05-07 12:28 . 2011-05-07 12:28 -------- d-----w- h:\program files\Free M4a to MP3 Converter
2011-05-07 03:45 . 2011-05-07 03:45 -------- d-----w- h:\documents and settings\LocalService\Application Data\TightVNC
2011-05-07 03:43 . 2011-05-15 17:38 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\CrossLoop
2011-05-07 02:46 . 2011-05-07 02:46 -------- d-----w- h:\documents and settings\Samual\Application Data\UltraVNC
2011-05-07 02:39 . 2011-05-07 03:59 -------- d-----w- h:\program files\UltraVNC
2011-05-06 20:48 . 2011-05-06 20:49 -------- d-----w- h:\program files\SyncToy 2.1
2011-05-06 20:43 . 2011-05-06 20:43 -------- d-----w- h:\program files\Microsoft Sync Framework
2011-05-06 20:04 . 2011-05-06 20:04 -------- d-----w- h:\windows\UltraDefrag
2011-05-06 14:49 . 2011-05-06 14:49 -------- d-----w- h:\program files\COMODO
2011-05-06 14:47 . 2011-05-06 14:47 -------- d-----w- h:\documents and settings\All Users\Application Data\Comodo Downloader
2011-05-06 14:46 . 2011-05-13 14:43 -------- d-----w- h:\documents and settings\All Users\Application Data\Comodo
2011-05-06 14:29 . 2011-05-06 14:29 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\Eraser 6
2011-05-06 14:10 . 2011-05-06 14:35 -------- d-----w- h:\program files\Soluto
2011-05-06 14:08 . 2011-05-06 14:08 -------- d-----w- h:\program files\Eraser
2011-05-06 14:01 . 2011-05-06 14:35 -------- d-----w- h:\documents and settings\All Users\Application Data\Soluto
2011-05-05 23:33 . 2011-05-06 02:06 -------- d-----w- h:\program files\Europa Universalis III
2011-05-04 03:31 . 2011-05-04 03:31 -------- d-----w- h:\program files\Common Files\xing shared
2011-05-04 03:28 . 2011-05-04 03:28 105472 ----a-w- h:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-05-03 20:44 . 2011-05-03 20:44 -------- d-----w- h:\program files\Cobian Backup 8
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\program files\Uniblue
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\program files\Trend Micro
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\PackageAware
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\program files\Hitman Pro 3.5
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\Microsoft Help
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\program files\ACW
2011-05-03 01:36 . 2011-05-10 12:30 97504 ----a-w- h:\windows\system32\drivers\inspect.sys
2011-05-03 01:36 . 2011-05-03 01:36 29400 ----a-w- h:\windows\system32\drivers\cmdhlp.sys
2011-05-03 01:36 . 2011-05-03 01:36 242472 ----a-w- h:\windows\system32\drivers\cmdGuard.sys
2011-05-03 01:36 . 2011-05-03 01:36 17416 ----a-w- h:\windows\system32\drivers\cmderd.sys
2011-05-03 01:36 . 2011-05-03 01:36 284744 ----a-w- h:\windows\system32\guard32.dll
2011-04-30 04:36 . 2011-04-11 05:04 7071056 ----a-w- h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-29 03:28 . 2011-04-29 03:28 -------- d-----w- h:\documents and settings\Samual\Application Data\Uniblue
2011-04-29 03:14 . 2011-04-29 03:14 388096 ----a-r- h:\documents and settings\Samual\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-28 13:01 . 2011-05-08 03:50 -------- d-----w- h:\documents and settings\Samual\Application Data\Media Player Classic
2011-04-28 05:08 . 2011-04-28 05:08 12872 ----a-w- h:\windows\system32\bootdelete.exe
2011-04-28 05:02 . 2011-04-29 04:37 16968 ----a-w- h:\windows\system32\drivers\hitmanpro35.sys
2011-04-28 05:00 . 2011-05-03 19:59 -------- d-----w- h:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-28 04:28 . 2011-04-28 04:28 -------- d-----w- h:\program files\Common Files\Java
2011-04-28 04:27 . 2011-04-28 04:27 73728 ----a-w- h:\windows\system32\javacpl.cpl
2011-04-28 04:27 . 2011-04-28 04:27 472808 ----a-w- h:\windows\system32\deployJava1.dll
2011-04-28 04:27 . 2011-04-28 04:27 472808 ----a-w- h:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-28 04:24 . 2011-05-03 20:01 -------- d-----w- h:\program files\Microsoft Security Client
2011-04-27 21:12 . 2011-05-07 15:14 -------- d-----w- h:\program files\Guild Wars
2011-04-21 14:49 . 2011-04-21 14:49 -------- d-----w- h:\program files\Reality Pump
2011-04-21 14:48 . 2011-05-03 20:01 -------- d-----w- h:\program files\AGEIA Technologies
2011-04-21 14:48 . 2011-04-21 14:48 -------- d-----w- h:\windows\system32\AGEIA
2011-04-21 02:08 . 2011-04-21 02:08 80384 --sha-r- h:\windows\system32\DSndUpc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 03:24 . 2007-09-06 14:06 348160 ----a-w- h:\windows\system32\msvcr71.dll
2011-05-04 03:24 . 2008-10-21 02:15 499712 ----a-w- h:\windows\system32\msvcp71.dll
2011-04-27 19:27 . 2011-03-06 13:36 0 ----a-w- h:\windows\system32\ConduitEngine.tmp
2011-03-07 05:33 . 2007-09-06 13:25 692736 ----a-w- h:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-04 12:00 434176 ----a-w- h:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-10-22 01:45 1857920 ----a-w- h:\windows\system32\win32k.sys
2011-02-17 19:00 . 2004-08-04 12:00 832512 ----a-w- h:\windows\system32\wininet.dll
2011-02-17 19:00 . 2004-08-04 12:00 78336 ----a-w- h:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2004-08-04 12:00 1830912 ------w- h:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2004-08-04 12:00 17408 ----a-w- h:\windows\system32\corpol.dll
2011-02-17 13:18 . 2008-10-22 01:45 455936 ----a-w- h:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-10-22 01:45 357888 ----a-w- h:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 07:38 5120 ----a-w- h:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2004-08-04 12:00 389120 ----a-w- h:\windows\system32\html.iec
2011-02-16 21:52 . 2011-04-07 02:40 11520 ----a-w- h:\windows\system32\drivers\wdcsam.sys
2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- h:\windows\system32\atmfd.dll
2011-04-29 02:36 . 2011-04-03 00:29 142296 ----a-w- h:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "h:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-01-17 14:54 175912 ----a-w- h:\program files\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "h:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "h:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="h:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"uTorrent"="h:\program files\uTorrent\uTorrent.exe" [2011-03-25 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="h:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Freecorder FLV Service"="h:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]
"Eraser"="h:\progra~1\Eraser\Eraser.exe" [2010-11-05 980368]
"COMODO Internet Security"="h:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="h:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
h:\documents and settings\Samual\Start Menu\Programs\Startup\
Internet Keyboard Elite.LNK - h:\program files\Micro Innovations\Internet Keyboard Elite\KEMailKb.EXE [2005-8-9 401408]
procexp.exe.lnk - h:\documents and settings\Samual\Desktop\procexp.exe [2011-4-28 3404136]
.
h:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - h:\program files\APC\APC PowerChute Personal Edition\Display.exe [2011-3-14 221247]
WDDMStatus.lnk - h:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=h:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""
.
[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=h:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=h:\windows\pss\LaunchU3.exe.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- h:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2010-06-26 18:09 167936 ----a-w- h:\program files\Freecorder\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 20:21 61952 ------w- h:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-11 04:32 61440 ----a-w- h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-03-25 04:21 399736 ----a-w- h:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-06-17 11:44 85160 ----a-w- h:\program files\SlySoft\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"SQLBrowser"=2 (0x2)
"ose"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"npggsvc"=3 (0x3)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"idsvc"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"odserv"=3 (0x3)
"nSvcLog"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"h:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"h:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"h:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=
"h:\\WINDOWS\\system32\\dpvsetup.exe"=
"h:\\WINDOWS\\system32\\javaw.exe"=
"k:\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"k:\\C&C First Decade\\Command & Conquer™ Generals Zero Hour\\generals.exe"=
"h:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"k:\\C&C First Decade\\Command & Conquer™ Generals\\generals.exe"=
"h:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"h:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"h:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"h:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"h:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"h:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"h:\\Program Files\\Rise of Legends\\legends.exe"=
"h:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"h:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"h:\\Program Files\\SEGA\\Medieval II Total War\\medieval2.exe"=
"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"h:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"h:\\Program Files\\Skype\\Phone\\Skype.exe"=
"h:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds.exe"=
"h:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds_RADEON.exe"=
"h:\\Program Files\\Guild Wars\\Gw.exe"=
"h:\\Documents and Settings\\Samual\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"h:\\Documents and Settings\\Samual\\Local Settings\\Application Data\\CrossLoop\\tvnserver.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:UDP"= 6112:UDP:Rise of Legends
"27901:UDP"= 27901:UDP:Rise of Legends
"17771:UDP"= 17771:UDP:Two Worlds
"6112:TCP"= 6112:TCP:World Of Warcraft: 6112
"6113:TCP"= 6113:TCP:World Of Warcraft: 6113
"6114:TCP"= 6114:TCP:World Of Warcraft: 6114
"4000:TCP"= 4000:TCP:World Of Warcraft: 4000
"1035:TCP"= 1035:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"5910:TCP"= 5910:TCP:vnc5910
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;h:\windows\system32\drivers\cmdGuard.sys [5/2/2011 8:36 PM 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;h:\windows\system32\drivers\cmdhlp.sys [5/2/2011 8:36 PM 29400]
R2 CrossLoopService;CrossLoop Service;h:\documents and settings\Samual\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [5/6/2011 10:43 PM 560880]
R2 HIDKbFlt;HIDKbFlt.SvcDesc%;h:\windows\system32\drivers\HIDKbFlt.sys [7/25/2005 5:13 AM 23680]
R2 WDDMService;WDDMService;h:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [3/9/2011 11:07 AM 238592]
R2 WDFME;WD File Management Engine;h:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [3/9/2011 11:18 AM 1060864]
R2 WDSC;WD File Management Shadow Engine;h:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [3/9/2011 11:16 AM 484352]
R3 WDC_SAM;WD SCSI Pass Thru driver;h:\windows\system32\drivers\wdcsam.sys [4/6/2011 9:40 PM 11520]
S0 Lbd;Lbd;h:\windows\system32\DRIVERS\Lbd.sys --> h:\windows\system32\DRIVERS\Lbd.sys [?]
S1 MpKsl1819d6b2;MpKsl1819d6b2;\??\h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AD8C69C-D99F-4455-8294-F7D20D0C179D}\MpKsl1819d6b2.sys --> h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AD8C69C-D99F-4455-8294-F7D20D0C179D}\MpKsl1819d6b2.sys [?]
S1 MpKsle7e3d2c2;MpKsle7e3d2c2;\??\h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{03A24480-5FA4-4427-8759-E0B0A7F8FCB4}\MpKsle7e3d2c2.sys --> h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{03A24480-5FA4-4427-8759-E0B0A7F8FCB4}\MpKsle7e3d2c2.sys [?]
S3 ivusb;Initio Driver for USB Default Controller;h:\windows\system32\DRIVERS\ivusb.sys --> h:\windows\system32\DRIVERS\ivusb.sys [?]
S3 tvnserver;TightVNC Server;h:\documents and settings\Samual\Local Settings\Application Data\CrossLoop\tvnserver.exe [5/6/2011 10:44 PM 814080]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);h:\windows\system32\drivers\WsAudio_DeviceS(1).sys [1/14/2011 4:40 PM 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);h:\windows\system32\drivers\WsAudio_DeviceS(2).sys [1/14/2011 4:40 PM 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);h:\windows\system32\drivers\WsAudio_DeviceS(3).sys [1/14/2011 4:41 PM 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);h:\windows\system32\drivers\WsAudio_DeviceS(4).sys [1/14/2011 4:41 PM 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);h:\windows\system32\drivers\WsAudio_DeviceS(5).sys [1/14/2011 4:41 PM 25704]
S3 XDva020;XDva020;\??\h:\windows\system32\XDva020.sys --> h:\windows\system32\XDva020.sys [?]
S4 npggsvc;nProtect GameGuard Service;h:\windows\system32\GameMon.des -service --> h:\windows\system32\GameMon.des -service [?]
S4 sptd;sptd;h:\windows\system32\drivers\sptd.sys [12/21/2007 10:59 AM 715248]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PROCEXP141
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-11 h:\windows\Tasks\Malwarebytes' Anti-Malware.job
- h:\progra~1\MALWAR~1\mbam.exe [2009-03-15 00:08]
.
2011-05-15 h:\windows\Tasks\MP Scheduled Scan.job
- h:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {10E6E681-4ED1-43CF-A624-2BC3576DC117} = 167.142.225.3,167.142.225.5
TCP: {8D62A40B-727A-41BA-8386-1DD83ECAFDF0} = 67.210.57.254,206.246.28.254
FF - ProfilePath - h:\documents and settings\Samual\Application Data\Mozilla\Firefox\Profiles\u22oscau.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-15 13:23
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
h:\windows\TEMP\etilqs_ccPE65owzOcSrrcEDV1r 0 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WD______ rev.2019 -> Harddisk3\DR5 -> \Device\0000009d
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
error: Read The parameter is incorrect.
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]
"ImagePath"="h:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
h:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(896)
h:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(3656)
h:\windows\system32\WININET.dll
h:\windows\system32\guard32.dll
h:\documents and settings\Samual\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
h:\program files\Windows Media Player\wmpband.dll
h:\windows\system32\ieframe.dll
h:\windows\system32\WPDShServiceObj.dll
h:\windows\system32\PortableDeviceTypes.dll
h:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
h:\program files\COMODO\COMODO Internet Security\cmdagent.exe
h:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
h:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
h:\program files\TVersity\Media Server\MediaServer.exe
h:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-15 13:27:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-15 18:27
ComboFix2.txt 2011-05-15 12:28
.
Pre-Run: 140,596,412,416 bytes free
Post-Run: 140,583,571,456 bytes free
.
Current=5 Default=5 Failed=1 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - AD99E54CE1D5A0784B0382652D4F7451
Upload was successful

A.A.S in Computer and Network Support from Crowder College


#12 heir
  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 15 May 2011 - 03:00 PM

Open notepad and copy/paste the text in the codebox below into it:

http://www.bleepingcomputer.com/forums/topic395304.html

Collect::
h:\windows\system32\DSndUpc.dll

Save this as CFScript.txt


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#13 Falneth
  • Topic Starter
  • Members
  • 132 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 15 May 2011 - 06:22 PM

I've noticed that EVERY time that ComboFix is run, my computer is forced to reboot. Any chance I can have that explained to me? Also, just before the log was created, I was told that ComboFix needed to submit files for review, which I allowed. It submitted the files, then generated the ComboFix.txt log seen below.

One more thing: after the last few reboots forced by ComboFix, I've noticed in Process Explorer (which starts when I log in) that the rundll32.exe processes that had been running when I started my computer are no longer showing up. So I think at least something is working, since I don't see a RUNDLL32.EXE file in the list of running processes upon bootup.

ComboFix.txt log using script from your last post:

ComboFix 11-05-15.03 - Samual 05/15/2011 16:21:35.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1423 [GMT -5:00]
Running from: h:\documents and settings\Samual\Desktop\ComboFix.exe
Command switches used :: h:\documents and settings\Samual\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
file zipped: h:\windows\system32\DSndUpc.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
h:\docume~1\Samual\LOCALS~1\Temp\rd5.tmp\____mmfp.ocx
h:\documents and settings\Samual\Local Settings\temp\rd5.tmp\____mmfp.ocx
h:\windows\system32\DSndUpc.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
.
.
2072-04-03 18:13 . 2008-03-21 19:46 607296 ------w- h:\program files\Microsoft Games\Age of Empires III\deformerdllyD.dll
2011-05-15 20:33 . 2011-05-15 20:33 -------- d-----w- h:\documents and settings\Samual\.dvdcss
2011-05-15 19:03 . 2011-04-11 05:04 7071056 ----a-w- h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{840A3C02-051C-412D-97E2-B3E951453544}\mpengine.dll
2011-05-14 23:00 . 2011-05-14 23:00 -------- d-----w- h:\documents and settings\Sonda\Local Settings\Application Data\Western Digital
2011-05-14 22:59 . 2011-05-14 22:59 -------- d-----w- h:\documents and settings\All Users\Application Data\Ubisoft
2011-05-14 22:55 . 2011-05-14 22:55 -------- d-----w- h:\program files\PopCap Games
2011-05-14 22:51 . 2011-05-14 22:54 -------- d-----w- h:\program files\Dogz
2011-05-13 19:56 . 2011-05-13 19:56 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\Temp
2011-05-07 12:28 . 2011-05-07 12:28 -------- d-----w- h:\program files\Free M4a to MP3 Converter
2011-05-07 03:45 . 2011-05-07 03:45 -------- d-----w- h:\documents and settings\LocalService\Application Data\TightVNC
2011-05-07 03:43 . 2011-05-15 21:30 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\CrossLoop
2011-05-07 02:46 . 2011-05-07 02:46 -------- d-----w- h:\documents and settings\Samual\Application Data\UltraVNC
2011-05-07 02:39 . 2011-05-07 03:59 -------- d-----w- h:\program files\UltraVNC
2011-05-06 20:48 . 2011-05-06 20:49 -------- d-----w- h:\program files\SyncToy 2.1
2011-05-06 20:43 . 2011-05-06 20:43 -------- d-----w- h:\program files\Microsoft Sync Framework
2011-05-06 20:04 . 2011-05-06 20:04 -------- d-----w- h:\windows\UltraDefrag
2011-05-06 14:49 . 2011-05-06 14:49 -------- d-----w- h:\program files\COMODO
2011-05-06 14:47 . 2011-05-06 14:47 -------- d-----w- h:\documents and settings\All Users\Application Data\Comodo Downloader
2011-05-06 14:46 . 2011-05-13 14:43 -------- d-----w- h:\documents and settings\All Users\Application Data\Comodo
2011-05-06 14:29 . 2011-05-06 14:29 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\Eraser 6
2011-05-06 14:10 . 2011-05-06 14:35 -------- d-----w- h:\program files\Soluto
2011-05-06 14:08 . 2011-05-06 14:08 -------- d-----w- h:\program files\Eraser
2011-05-06 14:01 . 2011-05-06 14:35 -------- d-----w- h:\documents and settings\All Users\Application Data\Soluto
2011-05-05 23:33 . 2011-05-06 02:06 -------- d-----w- h:\program files\Europa Universalis III
2011-05-04 03:31 . 2011-05-04 03:31 -------- d-----w- h:\program files\Common Files\xing shared
2011-05-04 03:28 . 2011-05-04 03:28 105472 ----a-w- h:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-05-03 20:44 . 2011-05-03 20:44 -------- d-----w- h:\program files\Cobian Backup 8
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\program files\Uniblue
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\program files\Trend Micro
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\PackageAware
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\program files\Hitman Pro 3.5
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\documents and settings\Samual\Local Settings\Application Data\Microsoft Help
2011-05-03 20:01 . 2011-05-03 20:01 -------- d-----w- h:\program files\ACW
2011-05-03 01:36 . 2011-05-10 12:30 97504 ----a-w- h:\windows\system32\drivers\inspect.sys
2011-05-03 01:36 . 2011-05-03 01:36 29400 ----a-w- h:\windows\system32\drivers\cmdhlp.sys
2011-05-03 01:36 . 2011-05-03 01:36 242472 ----a-w- h:\windows\system32\drivers\cmdGuard.sys
2011-05-03 01:36 . 2011-05-03 01:36 17416 ----a-w- h:\windows\system32\drivers\cmderd.sys
2011-05-03 01:36 . 2011-05-03 01:36 284744 ----a-w- h:\windows\system32\guard32.dll
2011-04-30 04:36 . 2011-04-11 05:04 7071056 ----a-w- h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-29 03:28 . 2011-04-29 03:28 -------- d-----w- h:\documents and settings\Samual\Application Data\Uniblue
2011-04-29 03:14 . 2011-04-29 03:14 388096 ----a-r- h:\documents and settings\Samual\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-28 13:01 . 2011-05-08 03:50 -------- d-----w- h:\documents and settings\Samual\Application Data\Media Player Classic
2011-04-28 05:08 . 2011-04-28 05:08 12872 ----a-w- h:\windows\system32\bootdelete.exe
2011-04-28 05:02 . 2011-04-29 04:37 16968 ----a-w- h:\windows\system32\drivers\hitmanpro35.sys
2011-04-28 05:00 . 2011-05-03 19:59 -------- d-----w- h:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-28 04:28 . 2011-04-28 04:28 -------- d-----w- h:\program files\Common Files\Java
2011-04-28 04:27 . 2011-04-28 04:27 73728 ----a-w- h:\windows\system32\javacpl.cpl
2011-04-28 04:27 . 2011-04-28 04:27 472808 ----a-w- h:\windows\system32\deployJava1.dll
2011-04-28 04:27 . 2011-04-28 04:27 472808 ----a-w- h:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-28 04:24 . 2011-05-03 20:01 -------- d-----w- h:\program files\Microsoft Security Client
2011-04-27 21:12 . 2011-05-07 15:14 -------- d-----w- h:\program files\Guild Wars
2011-04-21 14:49 . 2011-04-21 14:49 -------- d-----w- h:\program files\Reality Pump
2011-04-21 14:48 . 2011-05-03 20:01 -------- d-----w- h:\program files\AGEIA Technologies
2011-04-21 14:48 . 2011-04-21 14:48 -------- d-----w- h:\windows\system32\AGEIA
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 03:24 . 2007-09-06 14:06 348160 ----a-w- h:\windows\system32\msvcr71.dll
2011-05-04 03:24 . 2008-10-21 02:15 499712 ----a-w- h:\windows\system32\msvcp71.dll
2011-04-27 19:27 . 2011-03-06 13:36 0 ----a-w- h:\windows\system32\ConduitEngine.tmp
2011-03-07 05:33 . 2007-09-06 13:25 692736 ----a-w- h:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-04 12:00 434176 ----a-w- h:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-10-22 01:45 1857920 ----a-w- h:\windows\system32\win32k.sys
2011-02-17 19:00 . 2004-08-04 12:00 832512 ----a-w- h:\windows\system32\wininet.dll
2011-02-17 19:00 . 2004-08-04 12:00 78336 ----a-w- h:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2004-08-04 12:00 1830912 ------w- h:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2004-08-04 12:00 17408 ----a-w- h:\windows\system32\corpol.dll
2011-02-17 13:18 . 2008-10-22 01:45 455936 ----a-w- h:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-10-22 01:45 357888 ----a-w- h:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 07:38 5120 ----a-w- h:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2004-08-04 12:00 389120 ----a-w- h:\windows\system32\html.iec
2011-02-16 21:52 . 2011-04-07 02:40 11520 ----a-w- h:\windows\system32\drivers\wdcsam.sys
2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- h:\windows\system32\atmfd.dll
2011-04-29 02:36 . 2011-04-03 00:29 142296 ----a-w- h:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "h:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-01-17 14:54 175912 ----a-w- h:\program files\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "h:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "h:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Freecorder FLV Service"="h:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="h:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
h:\documents and settings\Samual\Start Menu\Programs\Startup\
Internet Keyboard Elite.LNK - h:\program files\Micro Innovations\Internet Keyboard Elite\KEMailKb.EXE [2005-8-9 401408]
procexp.exe.lnk - h:\documents and settings\Samual\Desktop\procexp.exe [2011-4-28 3404136]
.
h:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - h:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=h:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""
.
[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=h:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=h:\windows\pss\APC UPS Status.lnkCommon Startup
.
[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=h:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=h:\windows\pss\LaunchU3.exe.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-05-10 12:20 2552648 ----a-w- h:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- h:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2010-11-05 03:09 980368 ----a-w- h:\progra~1\Eraser\Eraser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2010-06-26 18:09 167936 ----a-w- h:\program files\Freecorder\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 20:21 61952 ------w- h:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2010-11-30 18:20 997408 ----a-w- h:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-11 04:32 61440 ----a-w- h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-03-25 04:21 399736 ----a-w- h:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-06-17 11:44 85160 ----a-w- h:\program files\SlySoft\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 23:43 4670704 ----a-w- h:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"SQLBrowser"=2 (0x2)
"ose"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"npggsvc"=3 (0x3)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"idsvc"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"odserv"=3 (0x3)
"nSvcLog"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"h:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"h:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"h:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=
"h:\\WINDOWS\\system32\\dpvsetup.exe"=
"h:\\WINDOWS\\system32\\javaw.exe"=
"k:\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"k:\\C&C First Decade\\Command & Conquer™ Generals Zero Hour\\generals.exe"=
"h:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"k:\\C&C First Decade\\Command & Conquer™ Generals\\generals.exe"=
"h:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"h:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"h:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"h:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"h:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"h:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"h:\\Program Files\\Rise of Legends\\legends.exe"=
"h:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"h:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"h:\\Program Files\\SEGA\\Medieval II Total War\\medieval2.exe"=
"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"h:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"h:\\Program Files\\Skype\\Phone\\Skype.exe"=
"h:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds.exe"=
"h:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds_RADEON.exe"=
"h:\\Program Files\\Guild Wars\\Gw.exe"=
"h:\\Documents and Settings\\Samual\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"h:\\Documents and Settings\\Samual\\Local Settings\\Application Data\\CrossLoop\\tvnserver.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:UDP"= 6112:UDP:Rise of Legends
"27901:UDP"= 27901:UDP:Rise of Legends
"17771:UDP"= 17771:UDP:Two Worlds
"6112:TCP"= 6112:TCP:World Of Warcraft: 6112
"6113:TCP"= 6113:TCP:World Of Warcraft: 6113
"6114:TCP"= 6114:TCP:World Of Warcraft: 6114
"4000:TCP"= 4000:TCP:World Of Warcraft: 4000
"1035:TCP"= 1035:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"5910:TCP"= 5910:TCP:vnc5910
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;h:\windows\system32\drivers\cmdGuard.sys [5/2/2011 8:36 PM 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;h:\windows\system32\drivers\cmdhlp.sys [5/2/2011 8:36 PM 29400]
R2 CrossLoopService;CrossLoop Service;h:\documents and settings\Samual\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [5/6/2011 10:43 PM 560880]
R2 HIDKbFlt;HIDKbFlt.SvcDesc%;h:\windows\system32\drivers\HIDKbFlt.sys [7/25/2005 5:13 AM 23680]
R2 WDDMService;WDDMService;h:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [3/9/2011 11:07 AM 238592]
R2 WDFME;WD File Management Engine;h:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [3/9/2011 11:18 AM 1060864]
R2 WDSC;WD File Management Shadow Engine;h:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [3/9/2011 11:16 AM 484352]
R3 WDC_SAM;WD SCSI Pass Thru driver;h:\windows\system32\drivers\wdcsam.sys [4/6/2011 9:40 PM 11520]
S0 Lbd;Lbd;h:\windows\system32\DRIVERS\Lbd.sys --> h:\windows\system32\DRIVERS\Lbd.sys [?]
S1 MpKsl1819d6b2;MpKsl1819d6b2;\??\h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AD8C69C-D99F-4455-8294-F7D20D0C179D}\MpKsl1819d6b2.sys --> h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AD8C69C-D99F-4455-8294-F7D20D0C179D}\MpKsl1819d6b2.sys [?]
S1 MpKsle7e3d2c2;MpKsle7e3d2c2;\??\h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{03A24480-5FA4-4427-8759-E0B0A7F8FCB4}\MpKsle7e3d2c2.sys --> h:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{03A24480-5FA4-4427-8759-E0B0A7F8FCB4}\MpKsle7e3d2c2.sys [?]
S3 ivusb;Initio Driver for USB Default Controller;h:\windows\system32\DRIVERS\ivusb.sys --> h:\windows\system32\DRIVERS\ivusb.sys [?]
S3 tvnserver;TightVNC Server;h:\documents and settings\Samual\Local Settings\Application Data\CrossLoop\tvnserver.exe [5/6/2011 10:44 PM 814080]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);h:\windows\system32\drivers\WsAudio_DeviceS(1).sys [1/14/2011 4:40 PM 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);h:\windows\system32\drivers\WsAudio_DeviceS(2).sys [1/14/2011 4:40 PM 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);h:\windows\system32\drivers\WsAudio_DeviceS(3).sys [1/14/2011 4:41 PM 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);h:\windows\system32\drivers\WsAudio_DeviceS(4).sys [1/14/2011 4:41 PM 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);h:\windows\system32\drivers\WsAudio_DeviceS(5).sys [1/14/2011 4:41 PM 25704]
S3 XDva020;XDva020;\??\h:\windows\system32\XDva020.sys --> h:\windows\system32\XDva020.sys [?]
S4 npggsvc;nProtect GameGuard Service;h:\windows\system32\GameMon.des -service --> h:\windows\system32\GameMon.des -service [?]
S4 sptd;sptd;h:\windows\system32\drivers\sptd.sys [12/21/2007 10:59 AM 715248]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PROCEXP141
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-11 h:\windows\Tasks\Malwarebytes' Anti-Malware.job
- h:\progra~1\MALWAR~1\mbam.exe [2009-03-15 00:08]
.
2011-05-15 h:\windows\Tasks\MP Scheduled Scan.job
- h:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {10E6E681-4ED1-43CF-A624-2BC3576DC117} = 167.142.225.3,167.142.225.5
TCP: {8D62A40B-727A-41BA-8386-1DD83ECAFDF0} = 67.210.57.254,206.246.28.254
FF - ProfilePath - h:\documents and settings\Samual\Application Data\Mozilla\Firefox\Profiles\u22oscau.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-15 18:08
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WD______ rev.2019 -> Harddisk3\DR5 -> \Device\0000009a
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
error: Read The parameter is incorrect.
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]
"ImagePath"="h:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
h:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(868)
h:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(1088)
h:\windows\system32\WININET.dll
h:\windows\system32\guard32.dll
h:\documents and settings\Samual\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
h:\program files\Windows Media Player\wmpband.dll
h:\windows\system32\ieframe.dll
h:\windows\system32\WPDShServiceObj.dll
h:\windows\system32\PortableDeviceTypes.dll
h:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
h:\program files\COMODO\COMODO Internet Security\cmdagent.exe
h:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
h:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
h:\program files\TVersity\Media Server\MediaServer.exe
h:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-15 18:12:39 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-15 23:12
ComboFix2.txt 2011-05-15 18:28
ComboFix3.txt 2011-05-15 12:28
.
Pre-Run: 141,031,858,176 bytes free
Post-Run: 140,984,881,152 bytes free
.
Current=5 Default=5 Failed=1 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 49257E5975652BE1109CBA162A04D6C7
Upload was successful



#14 heir
  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 16 May 2011 - 12:21 AM

I've noticed that EVERY time that ComboFix is run, my computer is forced to reboot. Any chance I can have that explained to me?

That's normal behavior of the tool. When needed, it will reboot the computer.

Let's scan for leftovers.

Step 1.
Clean temp locations:

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Step 2.
Scan with MBAM:

  • Launch Malwarebytes' Anti-Malware.
  • Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step 3.
Scan with ESET Online Scanner:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Step 4.
Things I would like to see in your reply:

  • The content of the report from MBAM from Step 2.
  • The content of the report from ESET Online Scanner from Step 3.
  • Information on how your computer is running after those steps.

Edited by heir, 16 May 2011 - 12:21 AM.



#15 Falneth
  • Topic Starter
  • Members
  • 132 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 16 May 2011 - 01:39 PM

MBAM LOG:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6591

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/16/2011 11:55:31 AM
mbam-log-2011-05-16 (11-55-31).txt

Scan type: Quick scan
Objects scanned: 171476
Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET Scanner Log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17096 (vista_gdr.110211-1830)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=d06059cf07b2374cb820ca25f22fe585
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-16 06:35:26
# local_time=2011-05-16 01:35:26 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1026760 1026760 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3073 16777213 80 75 0 7770439 0 0
# compatibility_mode=5891 16776869 42 87 0 16670923 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=199743
# found=23
# cleaned=23
# scan_time=4865
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP0\A0000088.ini Win32/Adware.AntimalwareDoctor.AE.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP14\A0002639.exe Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP17\A0004757.rbf Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP17\A0004758.rbf Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP17\A0004759.rbf Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP17\A0004760.rbf Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP17\A0004761.rbf Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP17\A0004776.rbf Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP17\A0004793.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP23\A0005211.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP23\A0005212.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP23\A0005213.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP23\A0005214.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP23\A0005215.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP23\A0005216.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP23\A0005243.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP25\A0006707.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP25\A0006708.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP25\A0006709.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP25\A0006710.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP25\A0006711.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP25\A0006712.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
H:\System Volume Information\_restore{E6966EEC-E12B-4330-A0AA-3F122A79AB6A}\RP25\A0006739.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C



So far, my computer seems to be running quite well since I began receiving help with this issue. Thank you very much for your assistance.

A.A.S in Computer and Network Support from Crowder College
