
Infected with TDSS and Google keeps redirecting


  • This topic is locked
2 replies to this topic

#1 penman1949

penman1949

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 06 May 2011 - 12:18 PM

Here is the text from the GMER program:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Dave at 11:38:58.01 on Fri 05/06/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.856 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\GreenPrint\GPSRHT01.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\GreenPrint\gpsrdg01.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WeatherMate\WeatherMate.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\MWSnap\MWSnap.exe
C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Live365\Radio365\Radio365TrayAgent.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Intuit\QuickBooks 2011\qbw32.exe
C:\Program Files\Live365\Radio365\Radio365_Dlg.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\Dave\My Documents\Temp\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
mWindow Title = Thomas L Lambert, PC - 227 Mulberry Ave, Muscatine, IA 52761
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: CabinBoy.CabinBoyIeBho: {9a8a89b3-1eed-4cc0-b50c-51d6ed71d5d2} - mscoree.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5825.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: CCH@Hand: {b8d08682-1259-47fe-a309-fefd1dbda42a} - mscoree.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
uRun: [MWSnap] "c:\program files\mwsnap\MWSnap.exe"
uRun: [BackgroundSwitcher] "c:\program files\johnsadventures.com\john's background switcher\BackgroundSwitcher.exe"
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Radio365Agent] c:\program files\live365\radio365\Radio365TrayAgent.exe
mRun: [WeatherMate] "c:\program files\weathermate\WeatherMate.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\intuit\quickbooks 2011\QBW32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Search highlighted text on &IRN - file:///c:\program files\cch\athand\desktop\bin\SearchIRN.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1C7BDBDD-3F00-4DBB-997B-88377E1B33FF} - hxxp://install.cch.com/athandrelease/install.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} - hxxp://www.live365.com/players/p365vip.cab
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://tax.cchgroup.com/primesrc/apps/cfcom/iftwclix.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206040020968
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206040313359
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c1/v22.163/qboax10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-latest.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\dave\applic~1\mozilla\firefox\profiles\e5ofczzm.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/|http://mail.live.com/default.aspx?wa=wsignin1.0
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-11 64288]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-3-21 13496]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsla1eb95e4;MpKsla1eb95e4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{357fc57c-4f0e-4eae-b14d-d856942f4974}\mpksla1eb95e4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{357fc57c-4f0e-4eae-b14d-d856942f4974}\MpKsla1eb95e4.sys [?]
R1 MpKslec9b1d5d;MpKslec9b1d5d;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4a340968-7c3b-4d47-876c-300a9eab2eb2}\MpKslec9b1d5d.sys [2011-5-6 28752]
R2 GreenPrint;GreenPrint;c:\program files\greenprint\gpsrht01.exe [2010-4-26 427048]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-12-14 312592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1405384]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-4-5 196912]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-3-5 1257760]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2011-1-10 376688]
R3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [2009-10-7 44776]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-11 15232]
S1 MpKsl04bb55ca;MpKsl04bb55ca;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dc04df63-0e3f-4556-a29a-df46a8d4dc61}\mpksl04bb55ca.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dc04df63-0e3f-4556-a29a-df46a8d4dc61}\MpKsl04bb55ca.sys [?]
S1 MpKsl10a011f0;MpKsl10a011f0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f145d5e8-e96e-4f37-8de8-87a93b41909b}\mpksl10a011f0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f145d5e8-e96e-4f37-8de8-87a93b41909b}\MpKsl10a011f0.sys [?]
S1 MpKsl43196e20;MpKsl43196e20;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fbd9ec56-d33f-4d66-97ee-23f4b741dd2e}\mpksl43196e20.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fbd9ec56-d33f-4d66-97ee-23f4b741dd2e}\MpKsl43196e20.sys [?]
S1 MpKsl5269f1ce;MpKsl5269f1ce;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3007a32b-f8c4-40a7-9100-21315e43b82f}\mpksl5269f1ce.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3007a32b-f8c4-40a7-9100-21315e43b82f}\MpKsl5269f1ce.sys [?]
S1 MpKsl739a22e4;MpKsl739a22e4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{832dd10a-3f27-4168-b102-ca4e500ccb6a}\mpksl739a22e4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{832dd10a-3f27-4168-b102-ca4e500ccb6a}\MpKsl739a22e4.sys [?]
S1 MpKsl9cb38b60;MpKsl9cb38b60;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{530c51fc-2201-4c39-b942-4532d1da0c98}\mpksl9cb38b60.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{530c51fc-2201-4c39-b942-4532d1da0c98}\MpKsl9cb38b60.sys [?]
S1 MpKslf9922920;MpKslf9922920;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed34ab62-cfae-4b26-8fc2-423ba65c5790}\mpkslf9922920.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed34ab62-cfae-4b26-8fc2-423ba65c5790}\MpKslf9922920.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-6-16 7808]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-12-3 11520]
.
=============== Created Last 30 ================
.
2011-05-06 14:56:47 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4a340968-7c3b-4d47-876c-300a9eab2eb2}\MpKslec9b1d5d.sys
2011-05-06 14:56:25 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4a340968-7c3b-4d47-876c-300a9eab2eb2}\mpengine.dll
2011-05-05 19:26:54 -------- d-sha-r- C:\cmdcons
2011-05-05 19:14:49 98816 ----a-w- c:\windows\sed.exe
2011-05-05 19:14:49 89088 ----a-w- c:\windows\MBR.exe
2011-05-05 19:14:49 256512 ----a-w- c:\windows\PEV.exe
2011-05-05 19:14:49 161792 ----a-w- c:\windows\SWREG.exe
2011-05-05 18:45:57 -------- d-----w- c:\docume~1\dave\applic~1\Malwarebytes
2011-05-05 18:45:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 18:45:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-05-05 18:45:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-05 18:45:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-22 13:45:05 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-22 13:45:05 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-21 20:20:49 0 ----a-w- c:\windows\ativpsrm.bin
2011-04-21 20:11:51 -------- d-----w- c:\program files\ATI Stream
2011-04-21 20:10:31 -------- d-----w- c:\program files\ATI
2011-04-21 20:09:31 -------- d-----w- C:\ATI
2011-04-21 19:49:44 -------- d-----w- C:\dell
2011-04-17 05:18:46 -------- d-----w- c:\windows\system32\NtmsData
2011-04-15 13:32:29 30720 ----a-r- c:\docume~1\dave\applic~1\microsoft\installer\{0b701622-589f-4f5e-926c-41403abb866a}\Icon0B701622.exe
2011-04-15 13:32:18 -------- d-----w- c:\program files\Live365
2011-04-15 13:20:09 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-04-11 13:14:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\Windows Home Server
2011-04-09 15:18:57 -------- d-----w- c:\docume~1\dave\applic~1\Windows Home Server
2011-04-09 15:18:07 -------- d-----w- c:\program files\Windows Home Server
2011-04-09 15:17:52 15460352 ------w- c:\docume~1\alluse~1\applic~1\microsoft\windows home server\WHSConnector.msi
2011-04-07 13:53:25 -------- d-----w- c:\program files\common files\Nitro PDF
.
==================== Find3M ====================
.
2011-04-06 02:55:56 17712 ----a-w- c:\windows\system32\nitrolocalui.dll
2011-04-06 02:55:54 26416 ----a-w- c:\windows\system32\nitrolocalmon.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 21:54:12 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600AAJS-22WAA0 rev.58.01D58 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7154F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a71b7d0]; MOV EAX, [0x8a71b84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A72FAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006d[0x8A6D59E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A6D5D98]
\Driver\atapi[0x8A78C248] -> IRP_MJ_CREATE -> 0x8A7154F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A71533B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:40:49.11 ===============

Note:DDS.zip contains both DDS.txt and ARK.txt
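The last section of the log above is the part a responder reads first: GMER reports an unresolved (`>>UNKNOWN<<`) module in the disk I/O call chain, shows `\Driver\atapi`'s `IRP_MJ_CREATE` dispatch pointing at that same address, and lists a `DriverStartIo` hook on the same driver, which is why it ends with the TDL3 warning. The following is an added triage helper, not code from the thread and not part of DDS or GMER; it parses only the `ROOTKIT` section, using patterns assumed from the lines posted here, and turns those indicators into a verdict. The sample is a trimmed copy of the section posted above.

```python
"""Parse the ROOTKIT section of a DDS/GMER log and flag the indicators a
responder looks at: unresolved code in the disk I/O chain, a storage driver
dispatch routine redirected into that code, and hooks GMER lists explicitly.
The line patterns are assumptions based on the log format posted in the thread."""
import re

# Constructed sample: a trimmed copy of the ROOTKIT section posted above.
SAMPLE_LOG = r"""=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600AAJS-22WAA0 rev.58.01D58 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7154F0]<<
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A72FAB8]
\Driver\atapi[0x8A78C248] -> IRP_MJ_CREATE -> 0x8A7154F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A71533B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:40:49.11 ===============
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)$")
DISPATCH_RE = re.compile(r"^(\\Driver\\\S+)\[0x[0-9A-Fa-f]+\]\s+->\s+(IRP_MJ_\w+)\s+->\s+(0x[0-9A-Fa-f]+)$")
WARN_RE = re.compile(r"^Warning:\s*(.+?)\s*!?\s*$")


def rootkit_section(text):
    """Return the lines between the ROOTKIT header and the FINISH line."""
    out, inside = [], False
    for line in text.splitlines():
        if line.startswith("=") and "ROOTKIT" in line:
            inside = True
            continue
        if inside and line.startswith("=") and "FINISH" in line:
            break
        if inside:
            out.append(line)
    return out


def parse_rootkit_section(text):
    """Extract the indicators from the ROOTKIT section into a dict."""
    findings = {
        "unknown_modules": [],     # addresses of unresolved code in the disk I/O chain
        "hooks": [],               # (driver, routine, target) from 'detected hooks:'
        "dispatch_redirects": [],  # (driver, IRP major function, target) for a driver object
        "warnings": [],
        "mbr_ok": False,
    }
    in_hooks = False
    for line in rootkit_section(text):
        m = UNKNOWN_RE.search(line)
        if m:
            findings["unknown_modules"].append(m.group(1))
        if line.startswith("detected hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                findings["hooks"].append(m.groups())
                continue
            in_hooks = False  # first non-hook line ends the hook list
        m = DISPATCH_RE.match(line)
        if m:
            findings["dispatch_redirects"].append(m.groups())
        m = WARN_RE.match(line)
        if m:
            findings["warnings"].append(m.group(1))
        if line.strip() == "user & kernel MBR OK":
            findings["mbr_ok"] = True
    return findings


def assess(findings):
    """Turn the parsed indicators into a verdict and the reasons behind it."""
    reasons = []
    if findings["unknown_modules"]:
        reasons.append("unresolved code in disk I/O path at "
                       + ", ".join(findings["unknown_modules"]))
    for drv, routine, target in findings["hooks"]:
        reasons.append(f"{routine} of {drv} hooked -> {target}")
    unknown = set(findings["unknown_modules"])
    for drv, irp, target in findings["dispatch_redirects"]:
        # A dispatch entry that lands in unresolved code is the classic sign of a
        # storage-stack hook: the driver object points outside any loaded module.
        if target in unknown:
            reasons.append(f"{drv} {irp} dispatches into unresolved code at {target}")
    return ("suspicious" if reasons else "clean", reasons)


if __name__ == "__main__":
    verdict, reasons = assess(parse_rootkit_section(SAMPLE_LOG))
    print(verdict)
    for r in reasons:
        print(" -", r)
```

Note that "user & kernel MBR OK" is reported even in this log: the parser records it but does not let it override the other indicators, because a clean MBR read does not rule out a hooked storage driver, which is exactly the situation the warning line describes.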



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:36 PM

Posted 07 May 2011 - 12:17 AM

Hello penman1949 ,



This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. If McAfee gives you any problems, you may have to temporarily uninstall it. For some reason, this is common with McAfee. <_<

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to .exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:36 PM

Posted 12 June 2011 - 01:44 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
