Infected, Popping up New Tabs to adsites in Firefox


This topic is locked
10 replies to this topic

#1 frenchkriss (Members, 5 posts)

Posted 17 May 2011 - 12:57 AM

I'm definitely infected with some sort of malware that pops up an advertisement in a new tab whenever I first start up Firefox. The ad sites are completely random each time. When I boot Windows, sometimes the background will show after loading for my desktop, but the icons never appear; Windows never fully loads (this is only sometimes). Every time I boot my machine now, a screen asking which version of Windows XP to run appears (black, grey text); this didn't happen before. At first I saw an error message after Windows loaded my desktop, something about a missing .dll, but I haven't had that message since (after about 5 reboots). Please help, any help would be greatly appreciated; this malware is truly a nuisance!

EDIT: I have run Defogger (disabled any emulating drives, though I didn't have any anyway), DDS, and GMER as per the request in the forum help sections.

DDS:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Customer at 1:39:14.90 on Tue 05/17/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.734 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Apps\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Customer\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "e:\apps\itunes\iTunesHelper.exe"
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257393767546
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257393739312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\customer\applic~1\mozilla\firefox\profiles\dxxb5pck.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
FF - plugin: e:\apps\itunes\mozilla plugins\npitunes.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-5 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-5 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-5 40384]
R3 a2djavs;a2djavs;c:\windows\system32\drivers\a2djavs.sys [2010-11-4 35216]
R3 a2djusb;a2djusb;c:\windows\system32\drivers\a2djusb.sys [2010-11-4 226576]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-5 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-5 40384]
RUnknown SASDIFSV;SASDIFSV; [x]
RUnknown SASKUTIL;SASKUTIL; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2010-2-6 32384]
S3 MAUSBXPONENT;Service for M-Audio Xponent;c:\windows\system32\drivers\maudioxponent.sys --> c:\windows\system32\drivers\MAudioXponent.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-2-1 18432]
S3 PL-40R;CASIO USB MIDI;c:\windows\system32\drivers\pl40rwdm.sys [2009-11-17 18048]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-17 04:08:27 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-05-17 02:45:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-05-14 22:48:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-30 17:26:26 -------- d-----w- c:\windows\OPTIONS
2011-04-30 17:15:23 -------- d-----w- c:\program files\RALINK
2011-04-30 17:15:13 32768 ------w- c:\program files\common files\installshield\professional\runtime\ObjA7.tmp
2011-04-29 01:00:40 -------- d-----w- c:\docume~1\customer\applic~1\M-Audio
2011-04-29 00:52:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 02:08:29 -------- d-----w- c:\docume~1\customer\locals~1\applic~1\SKIDROW
2011-04-21 07:31:56 -------- d-----w- c:\program files\common files\HP
2011-04-21 07:31:38 966656 ----a-w- c:\windows\system32\hpost_p02c.dll
2011-04-21 07:31:38 712704 ----a-w- c:\windows\system32\hposwia_p02c.dll
2011-04-21 07:31:38 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2011-04-21 07:31:38 315392 ----a-w- c:\windows\system32\hposc_p02a.dll
2011-04-21 07:31:38 309760 ----a-w- c:\windows\system32\difxapi.dll
2011-04-20 07:35:31 -------- d-sha-r- C:\cmdcons
2011-04-20 06:55:23 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-04-20 04:04:53 -------- d-----w- c:\program files\iPod
2011-04-20 04:03:34 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 20:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD10EADS-00L5B1 rev.01.01A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-19
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7F76F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a7fda10]; MOV EAX, [0x8a7fda8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A8C1568]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000075[0x8A855948]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A89AD98]
\Driver\atapi[0x8A8592B8] -> IRP_MJ_CREATE -> 0x8A7F76F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A7F753B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 1:40:28.85 ===============

Edited by frenchkriss, 17 May 2011 - 01:05 AM.



#2 heir (Malware Response Team, 763 posts)

Posted 17 May 2011 - 02:24 AM

Welcome to BC!

Something I should point out, regarding CCleaner, Glary Utilities, TuneUp Utilities and similar products

It's not recommended to use registry cleaners. These often cause more problems than they fix. One of our colleagues, miekiemoes, has an excellent writeup here.
Another excellent article by Bill Castner is located here.


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click the donation link.


#3 frenchkriss (Topic Starter)

Posted 17 May 2011 - 09:07 PM

First and foremost thank you for the quick response you have no idea how much this means to me!

I've attached combofix.txt; it ran fine with Avast off, of course. Early in the scan a message popped up stating that a rootkit was detected (a "be patient" message was included). Then ComboFix detected the presence of rootkit activity and needed to restart, so it did, ran all 50 stages, and the attached log file resulted.

edit: nvm, still getting popups (in new tabs), and I just had an error message saying AXWIN - Svchost.exe failed to do something or other, a typical dll error message. sigh.

ComboFix 11-05-17.01 - Customer 05/17/2011 21:51:03.6.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.1614 [GMT -4:00]
Running from: c:\documents and settings\Customer\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
.
2011-05-17 04:08 . 2011-05-17 04:08 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-05-17 02:45 . 2011-05-17 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-16 21:17 . 2011-05-16 21:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-05-14 22:48 . 2011-05-14 22:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-03 06:07 . 2011-05-03 06:07 -------- d-----w- c:\documents and settings\Default User
2011-04-30 17:26 . 2011-04-30 17:26 -------- d-----w- c:\windows\OPTIONS
2011-04-30 17:26 . 2011-04-30 17:26 -------- d-----w- c:\documents and settings\Customer\Application Data\InstallShield
2011-04-30 17:15 . 2011-04-30 17:15 -------- d-----w- c:\program files\RALINK
2011-04-30 17:15 . 2004-04-19 03:36 32768 ------w- c:\program files\Common Files\InstallShield\Professional\RunTime\ObjA7.tmp
2011-04-29 01:00 . 2011-04-29 01:00 -------- d-----w- c:\documents and settings\Customer\Application Data\M-Audio
2011-04-29 00:52 . 2011-05-17 05:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 02:08 . 2011-04-25 02:08 -------- d-----w- c:\documents and settings\Customer\Local Settings\Application Data\SKIDROW
2011-04-21 07:31 . 2011-04-21 07:31 -------- d-----w- c:\program files\Common Files\HP
2011-04-21 07:31 . 2009-02-11 11:03 966656 ----a-w- c:\windows\system32\hpost_p02c.dll
2011-04-21 07:31 . 2009-02-11 11:03 712704 ----a-w- c:\windows\system32\hposwia_p02c.dll
2011-04-21 07:31 . 2009-02-11 11:03 315392 ----a-w- c:\windows\system32\hposc_p02a.dll
2011-04-21 07:31 . 2008-10-29 00:27 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2011-04-21 07:31 . 2008-10-29 00:27 309760 ----a-w- c:\windows\system32\difxapi.dll
2011-04-20 06:55 . 2008-11-07 22:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-04-20 04:04 . 2011-04-20 04:04 -------- d-----w- c:\program files\iPod
2011-04-20 04:03 . 2011-04-20 04:03 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2009-11-04 22:45 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2007-01-01 00:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2007-01-01 00:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2007-01-01 00:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2007-01-01 00:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2007-01-01 00:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2007-01-01 00:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 20:36 . 2010-02-11 06:43 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 20:36 . 2010-02-11 06:43 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:18 . 2007-01-01 00:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2007-01-01 00:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-11-05 04:05 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-04-29 21:25 . 2011-04-11 05:50 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"iTunesHelper"="e:\apps\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-12 44544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Apps\\uTorrent.exe"=
"e:\\Games\\Steam\\Steam.exe"=
"e:\\Apps\\Orb\\bin\\Orb.exe"=
"e:\\Apps\\Orb\\bin\\OrbLauncher.exe"=
"e:\\Apps\\Orb\\bin\\OrbSetupWizard.exe"=
"e:\\Apps\\Orb\\bin\\OrbControlPanel.exe"=
"e:\\Apps\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Games\\Steam\\steamapps\\common\\grand theft auto san andreas\\gta-sa.exe"=
"e:\\Games\\Steam\\steamapps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
"e:\\Games\\Steam\\steamapps\\common\\borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Apps\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"e:\\Games\\Steam\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"e:\\Games\\Steam\\steamapps\\chris_montana\\counter-strike source\\hl2.exe"=
"e:\\Games\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"e:\\Games\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/5/2010 6:58 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/5/2010 6:58 AM 17744]
R3 a2djavs;a2djavs;c:\windows\system32\drivers\a2djavs.sys [11/4/2010 11:31 PM 35216]
R3 a2djusb;a2djusb;c:\windows\system32\drivers\a2djusb.sys [11/4/2010 11:31 PM 226576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2/6/2010 2:49 AM 32384]
S3 MAUSBXPONENT;Service for M-Audio Xponent;c:\windows\system32\DRIVERS\MAudioXponent.sys --> c:\windows\system32\DRIVERS\MAudioXponent.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2/1/2011 11:08 PM 18432]
S3 PL-40R;CASIO USB MIDI;c:\windows\system32\drivers\pl40rwdm.sys [11/17/2009 3:34 PM 18048]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2010-08-15 c:\windows\Tasks\Defraggler Volume E Task.job
- c:\program files\Defraggler\df.exe [2010-07-30 19:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Customer\Application Data\Mozilla\Firefox\Profiles\dxxb5pck.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-17 21:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD10EADS-00L5B1 rev.01.01A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-19
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A7F953B
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-602162358-682003330-1001\Software\SecuROM\License information*]
"datasecu"=hex:99,29,b4,27,d5,ae,e7,e9,d3,f4,9d,f2,13,14,35,e6,f5,ad,8a,d9,0b,
a0,df,a4,55,e1,50,97,e5,66,1b,6c,00,d7,e5,ee,1e,30,b7,cb,83,94,0b,6c,e2,33,\
"rkeysecu"=hex:e6,0b,cf,9d,d3,83,e9,01,cc,63,28,ed,52,3a,aa,95
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(760)
c:\windows\system32\WININET.dll
.
Completion time: 2011-05-17 22:00:29
ComboFix-quarantined-files.txt 2011-05-18 02:00
.
Pre-Run: 298,389,938,176 bytes free
Post-Run: 298,541,780,992 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - F6FA44CB1C56480734F37EFA3BC07594

Edited by frenchkriss, 17 May 2011 - 11:14 PM.
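The helper in this thread reads the DDS/GMER output in the first post and the ComboFix report above by eye. The following Python is an added example, not part of the thread and not a BleepingComputer or tool-author script, that pulls the same indicator classes out of a report in that line format: Firefox proxy prefs pointing at loopback, a BHO registered with "No File", hosts-file overrides, a service whose image is a .tmp file, and GMER's ">>UNKNOWN<<" module and DriverStartIo hook lines. The sample report is constructed from the line shapes posted here, not a copy of the full logs. Two caveats it encodes: network.proxy.type 0 means "no proxy", so the 127.0.0.1:50370 setting in this profile is configured but dormant and only becomes a traffic hijack with type 1; and a .tmp driver image is a flag to verify, not a verdict, since anti-rootkit utilities themselves register such entries (MEMSWEEP2 is a service name associated with Sophos Anti-Rootkit's memory sweeper).

```python
"""Triage of DDS / ComboFix / GMER removal-tool logs (added example for this
thread; not a BleepingComputer or tool-author script)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    category: str
    detail: str


SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample: same line shapes as the DDS/ComboFix/GMER output in this
# thread, cut down to a few lines (not a copy of the posted logs).
SAMPLE_REPORT = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-5 17744]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7F76F0]<<
\Driver\atapi DriverStartIo -> 0x8A7F753B
"""

BHO_RE = re.compile(r"^BHO:\s*(.*?)\s+-\s+No File\s*$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s+(\S+)\s+-\s+(.*)$")
SERVICE_RE = re.compile(r"^(R\d|S\d|RUnknown)\s+([^;]+);([^;]*);(.*)$")
UNKNOWN_MODULE_RE = re.compile(r">>UNKNOWN\s+\[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\w+)\s+->\s+(0x[0-9A-Fa-f]+)")


def _assess_service(state: str, name: str, image: str) -> Optional[Finding]:
    """Flag a service whose image is a temp file or is missing on disk."""
    path = re.sub(r"^\\\?\?\\", "", image.split(" --> ")[0].strip())  # drop NT \??\ prefix
    if path.lower().endswith(".tmp") or "\\temp\\" in path.lower():
        return Finding("medium", "service-image",
                       f"service {name} ({state}) loads {path}: a .tmp driver image needs "
                       f"verifying (anti-rootkit utilities also leave such entries behind)")
    if image.rstrip().endswith("[?]"):  # DDS marks images it could not find with [?]
        return Finding("info", "service-image",
                       f"service {name} ({state}) points at {path}, which is not on disk")
    return None


def _assess_proxy(prefs: Dict[str, str]) -> Optional[Finding]:
    """A loopback HTTP proxy only captures traffic when network.proxy.type is 1 (manual)."""
    host = prefs.get("network.proxy.http")
    if not host:
        return None
    port, ptype = prefs.get("network.proxy.http_port", "?"), prefs.get("network.proxy.type", "?")
    if ptype == "1":
        return Finding("high", "browser-proxy",
                       f"Firefox HTTP traffic is routed through {host}:{port} (manual proxy enabled)")
    if host in LOOPBACK:
        return Finding("info", "browser-proxy",
                       f"loopback proxy {host}:{port} is configured but network.proxy.type={ptype} "
                       f"leaves it disabled; still check for a listener on that port")
    return None


def triage(report: str) -> List[Finding]:
    """Return findings from a DDS/ComboFix/GMER-style report, highest severity first."""
    findings: List[Finding] = []
    ff_prefs: Dict[str, str] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            findings.append(Finding("info", "orphaned-bho",
                                    f"BHO {m.group(1)} is registered but its file is gone"))
        elif m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if host.lower() != "localhost":
                findings.append(Finding("medium", "hosts-override", f"hosts file maps {host} to {ip}"))
        elif m := FF_PREF_RE.match(line):
            ff_prefs[m.group(1)] = m.group(2).strip()
        elif m := SERVICE_RE.match(line):
            state, name, _display, image = m.groups()
            if f := _assess_service(state, name, image):
                findings.append(f)
        elif m := UNKNOWN_MODULE_RE.search(line):
            findings.append(Finding("high", "disk-stack",
                                    f"unidentified code at {m.group(1)} in the disk I/O call chain (GMER >>UNKNOWN<<)"))
        elif m := HOOK_RE.match(line):
            drv, routine, addr = m.groups()
            note = " (GMER reports this pattern as possible TDL3)" \
                if drv.lower().endswith("atapi") and routine == "DriverStartIo" else ""
            findings.append(Finding("high", "disk-stack", f"{drv} {routine} hooked -> {addr}{note}"))
    if proxy := _assess_proxy(ff_prefs):
        findings.append(proxy)
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])  # stable sort keeps log order in a tier
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
```

Run against the sample, the two GMER lines come out on top, because an unidentified module in the disk call chain and a hooked atapi DriverStartIo are exactly the kernel-level evidence that makes the helper reach for TDSSKiller rather than trust ComboFix's "user & kernel MBR OK"; the proxy prefs land at the bottom as informational until the type flips to 1.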


#4 heir (Malware Response Team)

Posted 18 May 2011 - 01:41 AM

We need to use another tool for this.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

Have you set these policies?

Step 1.
TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]

Save this as CFScript.txt, in the same location as ComboFix.exe


Drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 3.
Things I would like to see in your reply:

  • The content of the log from TDSSKiller from step 1.
  • The content of C:\ComboFix.txt from step 2.



#5 frenchkriss (Topic Starter)

Posted 18 May 2011 - 02:09 AM

Hello. In response: no, I have not modified those registry policies, as you asked.

TDSSKiller log:


2011/05/18 02:54:11.0859 1108 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/18 02:54:12.0281 1108 ================================================================================
2011/05/18 02:54:12.0281 1108 SystemInfo:
2011/05/18 02:54:12.0281 1108
2011/05/18 02:54:12.0281 1108 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/18 02:54:12.0281 1108 Product type: Workstation
2011/05/18 02:54:12.0281 1108 ComputerName: MALAC
2011/05/18 02:54:12.0281 1108 UserName: Customer
2011/05/18 02:54:12.0281 1108 Windows directory: C:\WINDOWS
2011/05/18 02:54:12.0281 1108 System windows directory: C:\WINDOWS
2011/05/18 02:54:12.0281 1108 Processor architecture: Intel x86
2011/05/18 02:54:12.0281 1108 Number of processors: 4
2011/05/18 02:54:12.0281 1108 Page size: 0x1000
2011/05/18 02:54:12.0281 1108 Boot type: Normal boot
2011/05/18 02:54:12.0281 1108 ================================================================================
2011/05/18 02:54:12.0546 1108 Initialize success
2011/05/18 02:54:59.0640 3972 ================================================================================
2011/05/18 02:54:59.0640 3972 Scan started
2011/05/18 02:54:59.0640 3972 Mode: Manual;
2011/05/18 02:54:59.0640 3972 ================================================================================
2011/05/18 02:55:07.0234 3972 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/18 02:55:07.0406 3972 ================================================================================
2011/05/18 02:55:07.0406 3972 Scan finished
2011/05/18 02:55:07.0406 3972 ================================================================================
2011/05/18 02:55:07.0421 3420 Detected object count: 1
2011/05/18 02:55:13.0531 3420 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/18 02:55:13.0531 3420 \HardDisk1 - ok
2011/05/18 02:55:13.0531 3420 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
2011/05/18 02:55:25.0500 3256 Deinitialize success


Combofix log:


ComboFix 11-05-17.01 - Customer 05/18/2011 3:00.7.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.1554 [GMT -4:00]
Running from: c:\documents and settings\Customer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Customer\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
.
2011-05-17 04:08 . 2011-05-17 04:08 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-05-17 02:45 . 2011-05-17 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-16 21:17 . 2011-05-16 21:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-05-14 22:48 . 2011-05-14 22:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-03 06:07 . 2011-05-03 06:07 -------- d-----w- c:\documents and settings\Default User
2011-04-30 17:26 . 2011-04-30 17:26 -------- d-----w- c:\windows\OPTIONS
2011-04-30 17:26 . 2011-04-30 17:26 -------- d-----w- c:\documents and settings\Customer\Application Data\InstallShield
2011-04-30 17:15 . 2011-04-30 17:15 -------- d-----w- c:\program files\RALINK
2011-04-30 17:15 . 2004-04-19 03:36 32768 ------w- c:\program files\Common Files\InstallShield\Professional\RunTime\ObjA7.tmp
2011-04-29 01:00 . 2011-04-29 01:00 -------- d-----w- c:\documents and settings\Customer\Application Data\M-Audio
2011-04-29 00:52 . 2011-05-17 05:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 02:08 . 2011-04-25 02:08 -------- d-----w- c:\documents and settings\Customer\Local Settings\Application Data\SKIDROW
2011-04-21 07:31 . 2011-04-21 07:31 -------- d-----w- c:\program files\Common Files\HP
2011-04-21 07:31 . 2009-02-11 11:03 966656 ----a-w- c:\windows\system32\hpost_p02c.dll
2011-04-21 07:31 . 2009-02-11 11:03 712704 ----a-w- c:\windows\system32\hposwia_p02c.dll
2011-04-21 07:31 . 2009-02-11 11:03 315392 ----a-w- c:\windows\system32\hposc_p02a.dll
2011-04-21 07:31 . 2008-10-29 00:27 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2011-04-21 07:31 . 2008-10-29 00:27 309760 ----a-w- c:\windows\system32\difxapi.dll
2011-04-20 06:55 . 2008-11-07 22:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-04-20 04:04 . 2011-04-20 04:04 -------- d-----w- c:\program files\iPod
2011-04-20 04:03 . 2011-04-20 04:03 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2009-11-04 22:45 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2007-01-01 00:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2007-01-01 00:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2007-01-01 00:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2007-01-01 00:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2007-01-01 00:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2007-01-01 00:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 20:36 . 2010-02-11 06:43 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 20:36 . 2010-02-11 06:43 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:18 . 2007-01-01 00:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2007-01-01 00:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-11-05 04:05 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-04-29 21:25 . 2011-04-11 05:50 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-18_01.57.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-18 06:56 . 2011-05-18 06:56 16384 c:\windows\Temp\Perflib_Perfdata_670.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"iTunesHelper"="e:\apps\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-12 44544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Apps\\uTorrent.exe"=
"e:\\Games\\Steam\\Steam.exe"=
"e:\\Apps\\Orb\\bin\\Orb.exe"=
"e:\\Apps\\Orb\\bin\\OrbLauncher.exe"=
"e:\\Apps\\Orb\\bin\\OrbSetupWizard.exe"=
"e:\\Apps\\Orb\\bin\\OrbControlPanel.exe"=
"e:\\Apps\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Games\\Steam\\steamapps\\common\\grand theft auto san andreas\\gta-sa.exe"=
"e:\\Games\\Steam\\steamapps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
"e:\\Games\\Steam\\steamapps\\common\\borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Apps\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"e:\\Games\\Steam\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"e:\\Games\\Steam\\steamapps\\chris_montana\\counter-strike source\\hl2.exe"=
"e:\\Games\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"e:\\Games\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/5/2010 6:58 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/5/2010 6:58 AM 17744]
R3 a2djavs;a2djavs;c:\windows\system32\drivers\a2djavs.sys [11/4/2010 11:31 PM 35216]
R3 a2djusb;a2djusb;c:\windows\system32\drivers\a2djusb.sys [11/4/2010 11:31 PM 226576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2/6/2010 2:49 AM 32384]
S3 MAUSBXPONENT;Service for M-Audio Xponent;c:\windows\system32\DRIVERS\MAudioXponent.sys --> c:\windows\system32\DRIVERS\MAudioXponent.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2/1/2011 11:08 PM 18432]
S3 PL-40R;CASIO USB MIDI;c:\windows\system32\drivers\pl40rwdm.sys [11/17/2009 3:34 PM 18048]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2010-08-15 c:\windows\Tasks\Defraggler Volume E Task.job
- c:\program files\Defraggler\df.exe [2010-07-30 19:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Customer\Application Data\Mozilla\Firefox\Profiles\dxxb5pck.default\
FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 03:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-602162358-682003330-1001\Software\SecuROM\License information*]
"datasecu"=hex:99,29,b4,27,d5,ae,e7,e9,d3,f4,9d,f2,13,14,35,e6,f5,ad,8a,d9,0b,
a0,df,a4,55,e1,50,97,e5,66,1b,6c,00,d7,e5,ee,1e,30,b7,cb,83,94,0b,6c,e2,33,\
"rkeysecu"=hex:e6,0b,cf,9d,d3,83,e9,01,cc,63,28,ed,52,3a,aa,95
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-18 03:05:37
ComboFix-quarantined-files.txt 2011-05-18 07:05
ComboFix2.txt 2011-05-18 02:00
.
Pre-Run: 298,339,577,856 bytes free
Post-Run: 298,541,932,544 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 75E22AEAA2A50496FB9357FFB23DE1D3


Edited by frenchkriss, 18 May 2011 - 02:13 AM.
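A small triage script, added here as an illustration and not something the poster or the helper ran, that walks lines of the shape shown in the TDSSKiller and ComboFix logs above and flags what a responder looks at first: a TDSSKiller "detected" line, a service whose binary is a temp file or is reported missing ("[?]"), and a Firefox proxy pref pointing at loopback (reporting whether network.proxy.type actually makes it active). The sample lines are copied from this thread's logs; the rules and the `Finding` type are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines in the shape of the TDSSKiller and
# ComboFix output pasted in this thread (values copied from the logs above).
SAMPLE_LOG = r"""
2011/05/18 02:55:07.0187 3972 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/18 02:55:07.0234 3972 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/5/2010 6:58 AM 165584]
S3 MAUSBXPONENT;Service for M-Audio Xponent;c:\windows\system32\DRIVERS\MAudioXponent.sys --> c:\windows\system32\DRIVERS\MAudioXponent.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
"""


@dataclass
class Finding:
    kind: str     # "rootkit", "service" or "firefox-proxy"
    subject: str  # the object, service name or proxy endpoint
    detail: str


# ComboFix service line: "<start type> <name>;<display name>;<path ...>"
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*)$")
# TDSSKiller: "<date> <time> <pid> <object> - detected <verdict> ..."
DETECT_RE = re.compile(r"^\S+ \S+ \d+ (.+?) - detected (\S+)")
# ComboFix Firefox pref dump: "FF - prefs.js: <pref> - <value>"
FFPREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def service_path(rest: str) -> str:
    """ComboFix prints 'path [date size]' or 'path --> path [?]'; keep the first path."""
    return rest.split(" --> ")[0].split(" [")[0].strip()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    ff_prefs: dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := DETECT_RE.match(line):
            findings.append(Finding("rootkit", m.group(1), f"TDSSKiller detected {m.group(2)}"))
            continue
        if m := SERVICE_RE.match(line):
            start, name, _display, rest = m.groups()
            path = service_path(rest)
            if path.lower().endswith(".tmp"):
                findings.append(Finding("service", name, f"{start} service runs from a temp file: {path}"))
            elif rest.endswith("[?]"):
                findings.append(Finding("service", name, f"{start} service binary not found on disk: {path}"))
            continue
        if m := FFPREF_RE.match(line):
            ff_prefs[m.group(1)] = m.group(2).strip()

    host = ff_prefs.get("network.proxy.http")
    if host in LOOPBACK:
        port = ff_prefs.get("network.proxy.http_port", "?")
        # Firefox only honours the manual proxy host when network.proxy.type is 1;
        # type 0 means "no proxy", so the setting is present but not in effect.
        active = ff_prefs.get("network.proxy.type") == "1"
        state = "ACTIVE" if active else "configured but inactive (network.proxy.type != 1)"
        findings.append(Finding("firefox-proxy", f"{host}:{port}", f"HTTP proxy points at loopback, {state}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```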


#6 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:20 PM

Posted 18 May 2011 - 03:41 AM

Hello, In response no, I have not modified policies registry as you have asked

OK.


Step 1.
CFScript:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\3.tmp 
Driver::
MEMSWEEP2

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Step 2.
Scan with MBAM:

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step 3.
Scan with ESET Online Scanner:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Step 4.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from Step 1.
  • The content of the report from MBAM from Step 2.
  • The content of the report from ESET Online Scanner from Step 3.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#7 frenchkriss

frenchkriss
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:20 PM

Posted 18 May 2011 - 09:46 PM

Combofix:

ComboFix 11-05-17.02 - Customer 05/18/2011 9:25.8.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.1449 [GMT -4:00]
Running from: c:\documents and settings\Customer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Customer\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\3.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2
.
.
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
.
2011-05-17 04:08 . 2011-05-17 04:08 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-05-17 02:45 . 2011-05-17 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-16 21:17 . 2011-05-16 21:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-05-14 22:48 . 2011-05-14 22:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-03 06:07 . 2011-05-03 06:07 -------- d-----w- c:\documents and settings\Default User
2011-04-30 17:26 . 2011-04-30 17:26 -------- d-----w- c:\windows\OPTIONS
2011-04-30 17:26 . 2011-04-30 17:26 -------- d-----w- c:\documents and settings\Customer\Application Data\InstallShield
2011-04-30 17:15 . 2011-04-30 17:15 -------- d-----w- c:\program files\RALINK
2011-04-30 17:15 . 2004-04-19 03:36 32768 ------w- c:\program files\Common Files\InstallShield\Professional\RunTime\ObjA7.tmp
2011-04-29 01:00 . 2011-04-29 01:00 -------- d-----w- c:\documents and settings\Customer\Application Data\M-Audio
2011-04-29 00:52 . 2011-05-17 05:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 02:08 . 2011-04-25 02:08 -------- d-----w- c:\documents and settings\Customer\Local Settings\Application Data\SKIDROW
2011-04-21 07:31 . 2011-04-21 07:31 -------- d-----w- c:\program files\Common Files\HP
2011-04-21 07:31 . 2009-02-11 11:03 966656 ----a-w- c:\windows\system32\hpost_p02c.dll
2011-04-21 07:31 . 2009-02-11 11:03 712704 ----a-w- c:\windows\system32\hposwia_p02c.dll
2011-04-21 07:31 . 2009-02-11 11:03 315392 ----a-w- c:\windows\system32\hposc_p02a.dll
2011-04-21 07:31 . 2008-10-29 00:27 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2011-04-21 07:31 . 2008-10-29 00:27 309760 ----a-w- c:\windows\system32\difxapi.dll
2011-04-20 06:55 . 2008-11-07 22:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-04-20 04:04 . 2011-04-20 04:04 -------- d-----w- c:\program files\iPod
2011-04-20 04:03 . 2011-04-20 04:03 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2009-11-04 22:45 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2007-01-01 00:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2007-01-01 00:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2007-01-01 00:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2007-01-01 00:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2007-01-01 00:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2007-01-01 00:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 20:36 . 2010-02-11 06:43 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 20:36 . 2010-02-11 06:43 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-04-29 21:25 . 2011-04-11 05:50 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-18_01.57.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-18 13:29 . 2011-05-18 13:29 16384 c:\windows\Temp\Perflib_Perfdata_488.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"iTunesHelper"="e:\apps\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-12 44544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Apps\\uTorrent.exe"=
"e:\\Games\\Steam\\Steam.exe"=
"e:\\Apps\\Orb\\bin\\Orb.exe"=
"e:\\Apps\\Orb\\bin\\OrbLauncher.exe"=
"e:\\Apps\\Orb\\bin\\OrbSetupWizard.exe"=
"e:\\Apps\\Orb\\bin\\OrbControlPanel.exe"=
"e:\\Apps\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Games\\Steam\\steamapps\\common\\grand theft auto san andreas\\gta-sa.exe"=
"e:\\Games\\Steam\\steamapps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
"e:\\Games\\Steam\\steamapps\\common\\borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Apps\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"e:\\Games\\Steam\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"e:\\Games\\Steam\\steamapps\\chris_montana\\counter-strike source\\hl2.exe"=
"e:\\Games\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"e:\\Games\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/5/2010 6:58 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/5/2010 6:58 AM 17744]
R3 a2djavs;a2djavs;c:\windows\system32\drivers\a2djavs.sys [11/4/2010 11:31 PM 35216]
R3 a2djusb;a2djusb;c:\windows\system32\drivers\a2djusb.sys [11/4/2010 11:31 PM 226576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2/6/2010 2:49 AM 32384]
S3 MAUSBXPONENT;Service for M-Audio Xponent;c:\windows\system32\DRIVERS\MAudioXponent.sys --> c:\windows\system32\DRIVERS\MAudioXponent.sys [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2/1/2011 11:08 PM 18432]
S3 PL-40R;CASIO USB MIDI;c:\windows\system32\drivers\pl40rwdm.sys [11/17/2009 3:34 PM 18048]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2010-08-15 c:\windows\Tasks\Defraggler Volume E Task.job
- c:\program files\Defraggler\df.exe [2010-07-30 19:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Customer\Application Data\Mozilla\Firefox\Profiles\dxxb5pck.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 09:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-602162358-682003330-1001\Software\SecuROM\License information*]
"datasecu"=hex:99,29,b4,27,d5,ae,e7,e9,d3,f4,9d,f2,13,14,35,e6,f5,ad,8a,d9,0b,
a0,df,a4,55,e1,50,97,e5,66,1b,6c,00,d7,e5,ee,1e,30,b7,cb,83,94,0b,6c,e2,33,\
"rkeysecu"=hex:e6,0b,cf,9d,d3,83,e9,01,cc,63,28,ed,52,3a,aa,95
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2196)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-18 09:31:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-18 13:31
ComboFix2.txt 2011-05-18 07:05
ComboFix3.txt 2011-05-18 02:00
.
Pre-Run: 298,426,576,896 bytes free
Post-Run: 298,393,919,488 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 7FBB28FCDD1AA175E88DB8FFE2ACE2D5

MBAM:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6609

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/18/2011 9:38:45 AM
mbam-log-2011-05-18 (09-38-45).txt

Scan type: Quick scan
Objects scanned: 140395
Time elapsed: 2 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=004b8450cc54e54c8f71bab54f493527
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-18 02:55:46
# local_time=2011-05-18 10:55:46 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=770 16774141 100 100 20717123 81514602 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=262349
# found=13
# cleaned=13
# scan_time=4215
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOleHelp1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Customer\Application Data\Uniblue\Registry Booster2\RB_Setup_5_31_2010.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8685CA7F-1BC8-4FC7-82A1-61642C348B42}\RP1\A0001444.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C
E:\Music Proggies\Native_Instruments_Massive_1.1.3+1.1.4_Update_AiR\Native_Instruments_Massive_1.1.3+1.1.4_Update_AiR\Massive 1.1.4 Update.exe probably a variant of Win32/Agent.IRISVRM trojan (deleted - quarantined) 00000000000000000000000000000000 C
E:\Music Proggies\Sony Cinescore 1.0c Build 271 Full License\keygen.exe a variant of Win32/Keygen.AQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
E:\Music Proggies\Sony.ACID.Pro.v6.0c.Incl.Keygen-SSG\keygen.exe a variant of Win32/Keygen.AQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
E:\Music Proggies\soundforgepro10\Keygen.exe a variant of Win32/Keygen.AR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
E:\Music Proggies\vsti\Native Instruments\Intakt 1.01\Setup.exe a variant of Win32/Keygen.AA application (deleted - quarantined) 00000000000000000000000000000000 C
E:\Music Proggies\vsti\Native Instruments\Reaktor 4\reaktor_keygen.exe a variant of Win32/Keygen.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
E:\Music Proggies\vsti\VST Bundle\FMJSoft.Awave.Studio.v9.3-H2O\setup.exe probably a variant of Win32/Agent.KLPDSVX trojan (deleted - quarantined) 00000000000000000000000000000000 C
E:\Music Proggies\vsti\VST Bundle\GForce.ImpOSCar.VSTi.RTAS.v1.0.1.incl.Keygen.READNFO-AiR\keygen.exe a variant of Win32/Keygen.AD application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
E:\Music Proggies\vsti\VST Bundle\GoldWave v5.18 Incl Keygen\keygen.exe a variant of Win32/Keygen.AD application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Edited by frenchkriss, 18 May 2011 - 09:50 PM.
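A small triage script, added here as an editor's example (it is not part of the thread and not a ComboFix, MBAM or ESET feature): it reads the "Reg Loading Points" Run/RunOnce values, the restrictive policies values and the Firefox prefs.js proxy lines out of a ComboFix-style log and flags the items a responder checks first. SAMPLE_LOG is constructed from lines of the log above plus one hypothetical bad autorun ("updater", pointing at a .tmp file in the user's Temp folder) so that the high-severity path is exercised. The line formats the regexes assume are taken from the log as printed above. Note the caveat it encodes about this log: the 127.0.0.1:50370 HTTP proxy is stored in prefs.js, but network.proxy.type is 0 (direct connection), so Firefox was not actually using it; it still deserves a look because something once wanted to sit between the browser and the network.

```python
"""Triage of a ComboFix-style log (added editor's example, not code from
this thread and not a ComboFix/MBAM/ESET tool). SAMPLE_LOG is constructed
from lines printed above plus one hypothetical bad autorun ("updater")."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"iTunesHelper"="e:\apps\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"updater"="c:\documents and settings\Customer\Local Settings\Temp\3.tmp" [2011-05-16 12288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
"""

RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\Run(?:Once)?)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
POLICY_RE = re.compile(r'^"(DisableCAD|DisableTaskMgr|DisableRegistryTools)"=\s*1\b')
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\S+) - (.+)$")

# Meaning of Firefox's network.proxy.type preference.
PROXY_TYPE = {"0": "direct (no proxy)", "1": "manual", "2": "PAC script",
              "4": "auto-detect", "5": "system"}
# Directories where a persistent autorun has no business living.
STAGING_DIRS = ("\\temp\\", "\\tmp\\", "\\recycler\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


@dataclass
class Finding:
    severity: str   # "high" = act on it, "review" = confirm by hand
    subject: str
    detail: str


def parse_run_entries(log):
    """Return (key, value name, lower-cased path) for each Run/RunOnce value."""
    entries, key = [], None
    for raw in log.splitlines():
        line = raw.strip()
        key_match = RUN_KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            continue
        if line in ("", "."):          # ComboFix ends a block with a lone '.'
            key = None
            continue
        value = VALUE_RE.match(line)
        if key and value:
            entries.append((key, value.group(1), value.group(2).lower()))
    return entries


def parse_firefox_proxy(log):
    """Return the network.proxy.* preferences ComboFix printed from prefs.js."""
    prefs = {}
    for raw in log.splitlines():
        m = FF_PREF_RE.match(raw.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def triage(log):
    findings = []
    for key, name, path in parse_run_entries(log):
        if path.endswith(".tmp") or any(d in path for d in STAGING_DIRS):
            findings.append(Finding("high", name, f"autorun from a temp/staging path: {path}"))
        elif not path.startswith(TRUSTED_ROOTS):
            findings.append(Finding("review", name, f"autorun outside Program Files/Windows: {path}"))
    prefs = parse_firefox_proxy(log)
    host = prefs.get("network.proxy.http")
    if host:
        port = prefs.get("network.proxy.http_port", "?")
        ptype = prefs.get("network.proxy.type")
        mode = PROXY_TYPE.get(ptype, "not recorded")
        if ptype == "1":
            findings.append(Finding("high", "firefox proxy",
                f"all HTTP forced through {host}:{port} (manual proxy), the usual ad-injection setup"))
        else:
            findings.append(Finding("review", "firefox proxy",
                f"{host}:{port} is stored in prefs.js but proxy type is {mode}, so it is not in use; "
                "still check whether anything listens on that port (netstat -ano)"))
    for raw in log.splitlines():
        m = POLICY_RE.match(raw.strip())
        if m:
            findings.append(Finding("review", f"policy {m.group(1)}",
                                    "restrictive policy set; both malware and admins do this, ask the owner"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.subject}: {f.detail}")
```

To run it over a real log, replace SAMPLE_LOG with the contents of C:\ComboFix.txt. The "review" tier is deliberately noisy (iTunesHelper on the E: drive is flagged only because it lives outside Program Files); the point is to shorten the list a human reads, not to decide for them.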


#8 heir (Malware Response Team, 763 posts)

Posted 19 May 2011 - 04:16 AM

How is the computer running now?



#9 frenchkriss (Topic Starter, Members, 5 posts)

Posted 19 May 2011 - 12:48 PM

To be honest I haven't seen the pop-up-new-tab issue at all anymore, and windows seems to be running absolutely fine (knock on wood right?), so is it safe to assume the virus/malware/adware/evil-pain-in-the-bum file has been eliminated? If so, I really appreciate all of this. Love this forum, definitely going to work on becoming an active member (and not just a log reporter).

No error DLL messages, no ads, seems like it all worked out.

#10 heir (Malware Response Team, 763 posts)

Posted 19 May 2011 - 01:02 PM

Hey there, frenchkriss !

OK! Well done, your log is clean again! :thumbsup:

Time for some housekeeping.

Step 1.
Clean up:

What we need to do now is remove all the tools that you have used. This is so that, should you ever be re-infected, you will download updated versions. It will also remove the quarantined malware from your computer.

First:
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U; it needs to be there.

Second:
  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Now delete any tools/logs that are left over after you ran OTC.


Step 2.
Prevention:

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

First:
Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to download an update.

http://www.adobe.com/products/acrobat/readstep2.html

Remove the older versions and install the latest.

----------------

Upgrading Java:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 25.
  • Click the JDK 6 Update 25 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u25-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u25-windows-i586.exe and select "Run as an Administrator.")

Second:
One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the Internet.
  • Click Apply then OK.


Third:
Now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.


Fourth:
Next let's look at Firewalls. These help to prevent unauthorized access both to and from the Internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls
Fifth:
Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
Lastly:
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!



#11 heir (Malware Response Team, 763 posts)

Posted 22 May 2011 - 10:25 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





