Infected with anti-malware lab


12 replies to this topic

#1 Johnny_V

  • Members
  • 7 posts

Posted 05 September 2011 - 08:08 PM

Hi,

I need help with my daughter's PC. It is running Windows XP Professional SP3 32-bit. It has a 3 GHz processor and 1 GB of RAM. My daughter says that she had some viruses and, instead of telling me, she took it upon herself to try and fix them. She ran Ad-Aware, Spybot S&D, Malwarebytes Anti-Malware, and ComboFix. Afterwards she did an sfc /scannow. In the short time that I've been looking at this system I've noticed that IE occasionally gets redirected to advertising sites. Other than that the system seems to be running pretty well. My daughter has complained that occasionally the system will start running very sluggishly and her sound and microphone stop working. I told her that she should not be using ComboFix, but she said that all she did was let it scan and nothing else. She did mention that ComboFix complained that Anti-Malware Lab was running before it did the scan and that she did not know how to disable it, so she let ComboFix do the scan anyway. Anyway, she said that all of the scans found and cleaned a lot of stuff. I am still concerned about the browser redirects, so I'm posting my DDS and GMER logs. Hopefully somebody here can help me out. Thanks.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Melissa at 16:46:21 on 2011-09-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.259 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Anti-Malware Lab *Enabled/Updated* {42F81387-D91F-4826-BC28-D124A3299C14}
FW: Anti-Malware Lab *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ooVoo\oovoo.exe
C:\Program Files\Logitech\Vid\Vid.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe
uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized
uRun: [Logitech Vid HD] "c:\program files\logitech\vid\vid.exe" -bootmode
uRun: [Logitech Vid] "c:\program files\logitech\vid\Vid.exe" -bootmode
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [Facebook Update] "c:\documents and settings\melissa\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\melissa\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\melissa\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245946203303
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 71.243.0.12
TCP: Interfaces\{AA24188D-D8B4-4C64-920F-0A278BC46C34} : DhcpNameServer = 192.168.1.1 71.243.0.12
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-4-1 428640]
S1 MpKslde639083;MpKslde639083;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7dcb0895-d948-4c23-a364-383b8eb10bb5}\mpkslde639083.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7dcb0895-d948-4c23-a364-383b8eb10bb5}\MpKslde639083.sys [?]
S1 MpKslecf2c290;MpKslecf2c290;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{471d5d40-625d-4f10-a083-2cc2ca1363c4}\mpkslecf2c290.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{471d5d40-625d-4f10-a083-2cc2ca1363c4}\MpKslecf2c290.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-25 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-25 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-9-4 41272]
.
=============== Created Last 30 ================
.
2011-09-05 01:10:23 -------- d-s---w- C:\ComboFix
2011-09-05 01:08:42 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{457529dc-be12-4408-afb8-ee251ccc4166}\mpengine.dll
2011-09-04 23:59:28 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-04 23:59:24 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-04 23:41:40 -------- d-sha-r- C:\cmdcons
2011-09-04 23:08:38 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-09-04 23:08:36 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-09-04 23:08:12 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-09-04 23:08:08 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-09-04 23:08:06 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2011-09-04 23:07:49 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2011-09-04 23:07:46 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2011-09-04 23:07:30 23615 -c--a-w- c:\windows\system32\dllcache\wch7xxnt.sys
2011-09-04 23:07:29 31744 -c--a-w- c:\windows\system32\dllcache\wceusbsh.sys
2011-09-04 23:07:24 33599 -c--a-w- c:\windows\system32\dllcache\watv04nt.sys
2011-09-04 23:07:23 19551 -c--a-w- c:\windows\system32\dllcache\watv02nt.sys
2011-09-04 23:07:22 29311 -c--a-w- c:\windows\system32\dllcache\watv01nt.sys
2011-09-04 23:07:20 11775 -c--a-w- c:\windows\system32\dllcache\wadv05nt.sys
2011-09-04 23:07:18 12127 -c--a-w- c:\windows\system32\dllcache\wadv02nt.sys
2011-09-04 23:07:17 12415 -c--a-w- c:\windows\system32\dllcache\wadv01nt.sys
2011-09-04 23:07:03 5376 -c--a-w- c:\windows\system32\dllcache\viaide.sys
2011-09-04 23:06:49 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2011-09-04 23:06:48 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-09-04 23:06:46 17152 -c--a-w- c:\windows\system32\dllcache\usbohci.sys
2011-09-04 23:06:44 32384 -c--a-w- c:\windows\system32\dllcache\usb101et.sys
2011-09-04 23:06:16 82944 -c--a-w- c:\windows\system32\dllcache\tp4mon.exe
2011-09-04 23:05:59 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2011-09-04 23:05:08 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2011-09-04 23:04:12 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2011-09-04 23:04:11 16000 -c--a-w- c:\windows\system32\dllcache\smbbatt.sys
2011-09-04 23:04:00 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
2011-09-04 23:03:54 32768 -c--a-w- c:\windows\system32\dllcache\sisnic.sys
2011-09-04 23:02:20 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2011-09-04 23:01:20 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2011-09-04 23:01:02 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2011-09-04 23:01:01 27648 -c--a-w- c:\windows\system32\dllcache\rw430ext.dll
2011-09-04 23:00:50 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2011-09-04 22:59:10 6016 -c--a-w- c:\windows\system32\dllcache\qic157.sys
2011-09-04 22:59:04 159232 -c--a-w- c:\windows\system32\dllcache\ptpusd.dll
2011-09-04 22:58:57 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2011-09-04 22:58:55 8832 -c--a-w- c:\windows\system32\dllcache\powerfil.sys
2011-09-04 22:58:41 259328 -c--a-w- c:\windows\system32\dllcache\perm3dd.dll
2011-09-04 22:58:40 28032 -c--a-w- c:\windows\system32\dllcache\perm3.sys
2011-09-04 22:58:39 211584 -c--a-w- c:\windows\system32\dllcache\perm2dll.dll
2011-09-04 22:58:38 27904 -c--a-w- c:\windows\system32\dllcache\perm2.sys
2011-09-04 22:58:33 169984 -c--a-w- c:\windows\system32\dllcache\pcx500.sys
2011-09-04 22:58:28 29502 -c--a-w- c:\windows\system32\dllcache\pca200e.sys
2011-09-04 22:58:01 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2011-09-04 22:56:45 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
2011-09-04 22:56:37 132695 -c--a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-09-04 22:56:00 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2011-09-04 22:55:51 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2011-09-04 22:55:13 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2011-09-04 22:54:36 20864 -c--a-w- c:\windows\system32\dllcache\lwadihid.sys
2011-09-04 22:54:33 7040 -c--a-w- c:\windows\system32\dllcache\ltotape.sys
2011-09-04 22:54:32 420992 -c--a-w- c:\windows\system32\dllcache\ltmdmntt.sys
2011-09-04 22:54:31 606684 -c--a-w- c:\windows\system32\dllcache\ltmdmnt.sys
2011-09-04 22:54:19 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2011-09-04 22:54:11 253952 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll
2011-09-04 22:54:10 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2011-09-04 22:53:50 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2011-09-04 22:53:41 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll
2011-09-04 22:53:39 88192 -c--a-w- c:\windows\system32\dllcache\irda.sys
2011-09-04 22:53:39 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe
2011-09-04 22:52:53 702845 -c--a-w- c:\windows\system32\dllcache\i81xdnt5.dll
2011-09-04 22:52:53 161020 -c--a-w- c:\windows\system32\dllcache\i81xnt5.sys
2011-09-04 22:52:51 18560 -c--a-w- c:\windows\system32\dllcache\i2omp.sys
2011-09-04 22:52:50 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2011-09-04 22:52:01 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-09-04 22:52:00 20352 -c--a-w- c:\windows\system32\dllcache\hidbatt.sys
2011-09-04 22:51:54 28288 -c--a-w- c:\windows\system32\dllcache\grserial.sys
2011-09-04 22:51:49 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2011-09-04 22:51:49 10624 -c--a-w- c:\windows\system32\dllcache\gameenum.sys
2011-09-04 22:51:27 34173 -c--a-w- c:\windows\system32\dllcache\forehe.sys
2011-09-04 22:50:58 137088 -c--a-w- c:\windows\system32\dllcache\essm2e.sys
2011-09-04 22:50:02 206976 -c--a-w- c:\windows\system32\dllcache\dot4.sys
2011-09-04 22:49:56 8320 -c--a-w- c:\windows\system32\dllcache\dlttape.sys
2011-09-04 22:49:05 48640 -c--a-w- c:\windows\system32\dllcache\cwrwdm.sys
2011-09-04 22:47:59 223232 -c--a-w- c:\windows\system32\dllcache\camdrv21.sys
2011-09-04 22:46:59 36096 -c--a-w- c:\windows\system32\dllcache\avcaudio.sys
2011-09-04 22:45:43 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2011-09-04 20:41:52 -------- d-----w- c:\program files\vGrabber
2011-09-04 02:26:14 -------- d-----w- c:\documents and settings\melissa\local settings\application data\Facebook
2011-09-02 16:59:32 -------- d-----w- c:\program files\Realtek Sound Manager
2011-09-02 16:59:30 -------- d-----w- c:\program files\AvRack
2011-09-02 16:59:26 391424 ------w- c:\windows\system32\drivers\alcxsens.sys
2011-09-02 16:59:16 208896 ------w- c:\windows\alcupd.exe
2011-09-02 16:59:16 139264 ------w- c:\windows\alcrmv.exe
2011-09-02 16:51:32 135168 ----a-w- c:\windows\system32\igfxres.dll
2011-09-01 23:41:23 -------- d-----w- c:\program files\2K Games
2011-09-01 20:00:22 -------- d-----w- c:\program files\Bazooka Scanner
2011-09-01 19:16:49 -------- d-----w- c:\documents and settings\melissa\application data\Malwarebytes
2011-09-01 19:16:40 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-01 19:16:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-01 19:06:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-28 03:17:16 -------- d-----w- c:\program files\softendo.com
2011-08-27 03:55:29 -------- d-----w- C:\msorb3
2011-08-26 04:41:54 -------- d-----w- c:\documents and settings\melissa\application data\Search Settings
2011-08-26 04:41:42 -------- d-----w- c:\program files\Application Updater
2011-08-26 04:41:41 -------- d-----w- c:\program files\YouTube Downloader Toolbar
2011-08-26 04:41:41 -------- d-----w- c:\program files\common files\Spigot
2011-08-14 03:53:57 -------- d-----w- c:\documents and settings\melissa\application data\YouTube Downloader
2011-08-12 08:01:51 -------- d-----w- c:\program files\Download Manager
2011-08-10 20:22:05 -------- d-----w- c:\documents and settings\melissa\application data\.minecraft
2011-08-09 03:35:14 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
.
==================== Find3M ====================
.
2011-09-01 20:27:52 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 16:47:01.28 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/25/2009 12:26:00 AM
System Uptime: 9/5/2011 3:46:46 PM (1 hours ago)
.
Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-7131
Processor: Intel® Pentium® 4 CPU 3.06GHz | Socket 478 | 3058/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 52.816 GiB free.
D: is CDROM (UDF)
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description:
Device ID: ROOT\IMAGE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\IMAGE\0000
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
ABC (remove only)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Ahriman's Prophecy
Amazon Kindle
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 3
Aveyond
Bazooka Scanner
Big Fish Games: Game Manager
BioShock
Bonjour
CameraHelperMsi
CCleaner
Clue
ClueFinders® Search & Solve Adventures™
Critical Update for Windows Media Player 11 (KB959772)
Delaware St. John - The Curse of Midnight Manor
DirectX Media Runtime 5.1
Download Manager 2.3.10
EAX Unified
erLT
EVEREST Home Edition v2.20
Facebook Video Calling 1.0.0.8177
Façade
FrostWire 4.20.9
GhostMaster
Google Chrome
Google Earth
Google Update Helper
Happyland Adventures - Xmas Edition v1.3.1
Harry Potter
Harry Potter and the Goblet of Fire™
Harry Potter and the Order of the Phoenix™
Harry Potter and the Prisoner of Azkaban™
Harry Potter II
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
House of Night Screensaver Screensaver
Icy Tower v1.5
Intel A/V Codecs V2.0
Intel® Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java™ 6 Update 20
Java™ 6 Update 26
LEGO® Harry Potter™: Years 1-4
LEGO® Harry Potter™: Years 1-4 DEMO
LimeWire 5.5.16
Logitech Vid
Logitech Webcam Software
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Malwarebytes' Anti-Malware version 1.51.1.1800
ManyCam 2.6.43 (remove only)
Mario Forever 5.05
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.3
Microsoft IntelliType Pro 6.3
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft WSE 3.0 Runtime
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Music Oasis
Nancy Drew: Danger by Design
Nancy Drew: Danger on Deception Island
Nancy Drew: Last Train to Blue Moon Canyon
Nancy Drew: Legend of the Crystal Skull
Nancy Drew: Ransom of the Seven Ships
Nancy Drew: Secret of Shadow Ranch
Nancy Drew: Secret of the Old Clock
Nancy Drew: The Creature of Kapu Cave
Nancy Drew: The Curse of Blackmoor Manor
Nancy Drew: The Haunting of Castle Malloy
Nancy Drew: The Phantom of Venice
Nancy Drew: Treasure in the Royal Tower
Nikon Message Center
ooVoo
OpenOffice.org 3.2
Operation
Origin
PictureProject
PictureProject In Touch Downloader 1.0
QuickTime
RealArcade
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek AC'97 Audio
RealUpgrade 1.1
Safari
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype Toolbars
Skype™ 5.1
Stupid Invaders
System Requirements Lab
The ClueFinders' 4th Grade Adventures
The ClueFinders 5th Grade Adventures
The ClueFinders 6th Grade Adventures
The Game Of Life
The Sims 2
The Sims 2 Pets
The Sims 2 University
The Sims™ 3
The Sims™ 3 Ambitions
The Sims™ 3 Late Night
The Sims™ 3 World Adventures
The Weather Channel Desktop 6
The White Wolf of Icicle Creek
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Camera Software
vGrabber
Virtual Villagers
WebFldrs XP
WildTangent Games
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell™ 1.0
Windows XP Service Pack 3
WinRAR archiver
Xvid Video Codec
Yahoo! Detect
YouTube Downloader 3.2
YouTube Downloader Toolbar v4.6
.
==== Event Viewer Messages From Past Week ========
.
9/4/2011 9:56:23 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/4/2011 8:49:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/4/2011 7:49:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
9/4/2011 7:48:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/2/2011 5:24:27 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the UMVPFSrv service.
9/1/2011 7:36:58 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
9/1/2011 7:36:56 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
9/1/2011 7:36:56 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
9/1/2011 4:37:01 PM, error: Service Control Manager [7000] - The Lbd service failed to start due to the following error: The system cannot find the file specified.
9/1/2011 2:22:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
9/1/2011 2:22:18 PM, error: Service Control Manager [7003] - The AVGIDSAgent service depends on the following nonexistent service: AVGIDSDriver
9/1/2011 2:08:15 PM, error: Service Control Manager [7034] - The Application Updater service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-05 20:40:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e SAMSUNG_SP1614C rev.SW100-34
Running: gmer.exe; Driver: C:\DOCUME~1\Melissa\LOCALS~1\Temp\kwrdypod.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Melissa\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Real\RealPlayer\update\realsched.exe[864] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Threads - GMER 1.0.15 ----

Thread System [4:396] 86197B8C

---- EOF - GMER 1.0.15 ----


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,600 posts
  • Gender:Male
  • Local time:06:18 PM

Posted 10 September 2011 - 08:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/417657 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Johnny_V

Johnny_V
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:18 PM

Posted 11 September 2011 - 01:58 PM

Hi,

This computer was infected with anti-malware lab. It was scanned with ad-aware, spybot s&d, malwarebytes anti-malware, combofix. My daughter did the scans so I'm not sure what was fixed. She claimed that the scans found and fixed "a lot of stuff." I ran aswMBR and it showed some yellow and red items, but did NOT explicitly say that there was a rootkit infection. I did not fix anything with aswMBR.

I do not have the original Windows XP Professional CD nor do I have any recovery disks for this PC.

The PC seems to be running fine, but there are website redirections in both Internet Explorer and Google Chrome. My daughter also says that the sound stops working sometimes and she has to reboot to get it back.

Here is the DDS log. The Attach and GMER (ark) logs are attached.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Melissa at 10:13:42 on 2011-09-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.615 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Anti-Malware Lab *Enabled/Updated* {42F81387-D91F-4826-BC28-D124A3299C14}
FW: Anti-Malware Lab *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ooVoo\oovoo.exe
C:\Program Files\Logitech\Vid\Vid.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe
uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized
uRun: [Logitech Vid HD] "c:\program files\logitech\vid\vid.exe" -bootmode
uRun: [Logitech Vid] "c:\program files\logitech\vid\Vid.exe" -bootmode
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [Facebook Update] "c:\documents and settings\melissa\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\melissa\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245946203303
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AA24188D-D8B4-4C64-920F-0A278BC46C34} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-4-1 428640]
S1 MpKslde639083;MpKslde639083;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7dcb0895-d948-4c23-a364-383b8eb10bb5}\mpkslde639083.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7dcb0895-d948-4c23-a364-383b8eb10bb5}\MpKslde639083.sys [?]
S1 MpKslecf2c290;MpKslecf2c290;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{471d5d40-625d-4f10-a083-2cc2ca1363c4}\mpkslecf2c290.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{471d5d40-625d-4f10-a083-2cc2ca1363c4}\MpKslecf2c290.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-25 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-25 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-9-4 41272]
.
=============== Created Last 30 ================
.
2011-09-10 17:58:44 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e3fa808a-b399-4cfd-a72d-d91183e7b5c2}\mpengine.dll
2011-09-08 17:37:48 -------- d-----w- c:\program files\trend micro
2011-09-05 01:10:23 -------- d-s---w- C:\ComboFix
2011-09-04 23:59:28 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-04 23:59:24 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-04 23:41:40 -------- d-sha-r- C:\cmdcons
2011-09-04 23:08:38 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-09-04 23:08:36 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-09-04 23:08:12 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-09-04 23:08:08 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-09-04 23:08:06 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2011-09-04 23:07:49 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2011-09-04 23:07:46 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2011-09-04 23:07:30 23615 -c--a-w- c:\windows\system32\dllcache\wch7xxnt.sys
2011-09-04 23:07:29 31744 -c--a-w- c:\windows\system32\dllcache\wceusbsh.sys
2011-09-04 23:07:24 33599 -c--a-w- c:\windows\system32\dllcache\watv04nt.sys
2011-09-04 23:07:23 19551 -c--a-w- c:\windows\system32\dllcache\watv02nt.sys
2011-09-04 23:07:22 29311 -c--a-w- c:\windows\system32\dllcache\watv01nt.sys
2011-09-04 23:07:20 11775 -c--a-w- c:\windows\system32\dllcache\wadv05nt.sys
2011-09-04 23:07:18 12127 -c--a-w- c:\windows\system32\dllcache\wadv02nt.sys
2011-09-04 23:07:17 12415 -c--a-w- c:\windows\system32\dllcache\wadv01nt.sys
2011-09-04 23:07:03 5376 -c--a-w- c:\windows\system32\dllcache\viaide.sys
2011-09-04 23:06:49 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2011-09-04 23:06:48 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-09-04 23:06:46 17152 -c--a-w- c:\windows\system32\dllcache\usbohci.sys
2011-09-04 23:06:44 32384 -c--a-w- c:\windows\system32\dllcache\usb101et.sys
2011-09-04 23:06:16 82944 -c--a-w- c:\windows\system32\dllcache\tp4mon.exe
2011-09-04 23:05:59 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2011-09-04 23:05:08 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2011-09-04 23:04:12 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2011-09-04 23:04:11 16000 -c--a-w- c:\windows\system32\dllcache\smbbatt.sys
2011-09-04 23:04:00 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
2011-09-04 23:03:54 32768 -c--a-w- c:\windows\system32\dllcache\sisnic.sys
2011-09-04 23:02:20 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2011-09-04 23:01:20 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2011-09-04 23:01:02 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2011-09-04 23:01:01 27648 -c--a-w- c:\windows\system32\dllcache\rw430ext.dll
2011-09-04 23:00:50 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2011-09-04 22:59:10 6016 -c--a-w- c:\windows\system32\dllcache\qic157.sys
2011-09-04 22:59:04 159232 -c--a-w- c:\windows\system32\dllcache\ptpusd.dll
2011-09-04 22:58:57 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2011-09-04 22:58:55 8832 -c--a-w- c:\windows\system32\dllcache\powerfil.sys
2011-09-04 22:58:41 259328 -c--a-w- c:\windows\system32\dllcache\perm3dd.dll
2011-09-04 22:58:40 28032 -c--a-w- c:\windows\system32\dllcache\perm3.sys
2011-09-04 22:58:39 211584 -c--a-w- c:\windows\system32\dllcache\perm2dll.dll
2011-09-04 22:58:38 27904 -c--a-w- c:\windows\system32\dllcache\perm2.sys
2011-09-04 22:58:33 169984 -c--a-w- c:\windows\system32\dllcache\pcx500.sys
2011-09-04 22:58:28 29502 -c--a-w- c:\windows\system32\dllcache\pca200e.sys
2011-09-04 22:58:01 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2011-09-04 22:56:45 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
2011-09-04 22:56:37 132695 -c--a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-09-04 22:56:00 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2011-09-04 22:55:51 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2011-09-04 22:55:13 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2011-09-04 22:54:36 20864 -c--a-w- c:\windows\system32\dllcache\lwadihid.sys
2011-09-04 22:54:33 7040 -c--a-w- c:\windows\system32\dllcache\ltotape.sys
2011-09-04 22:54:32 420992 -c--a-w- c:\windows\system32\dllcache\ltmdmntt.sys
2011-09-04 22:54:31 606684 -c--a-w- c:\windows\system32\dllcache\ltmdmnt.sys
2011-09-04 22:54:19 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2011-09-04 22:54:11 253952 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll
2011-09-04 22:54:10 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2011-09-04 22:53:50 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2011-09-04 22:53:41 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll
2011-09-04 22:53:39 88192 -c--a-w- c:\windows\system32\dllcache\irda.sys
2011-09-04 22:53:39 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe
2011-09-04 22:52:53 702845 -c--a-w- c:\windows\system32\dllcache\i81xdnt5.dll
2011-09-04 22:52:53 161020 -c--a-w- c:\windows\system32\dllcache\i81xnt5.sys
2011-09-04 22:52:51 18560 -c--a-w- c:\windows\system32\dllcache\i2omp.sys
2011-09-04 22:52:50 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2011-09-04 22:52:01 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-09-04 22:52:00 20352 -c--a-w- c:\windows\system32\dllcache\hidbatt.sys
2011-09-04 22:51:54 28288 -c--a-w- c:\windows\system32\dllcache\grserial.sys
2011-09-04 22:51:49 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2011-09-04 22:51:49 10624 -c--a-w- c:\windows\system32\dllcache\gameenum.sys
2011-09-04 22:51:27 34173 -c--a-w- c:\windows\system32\dllcache\forehe.sys
2011-09-04 22:50:58 137088 -c--a-w- c:\windows\system32\dllcache\essm2e.sys
2011-09-04 22:50:02 206976 -c--a-w- c:\windows\system32\dllcache\dot4.sys
2011-09-04 22:49:56 8320 -c--a-w- c:\windows\system32\dllcache\dlttape.sys
2011-09-04 22:49:05 48640 -c--a-w- c:\windows\system32\dllcache\cwrwdm.sys
2011-09-04 22:47:59 223232 -c--a-w- c:\windows\system32\dllcache\camdrv21.sys
2011-09-04 22:46:59 36096 -c--a-w- c:\windows\system32\dllcache\avcaudio.sys
2011-09-04 22:45:43 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2011-09-04 20:41:52 -------- d-----w- c:\program files\vGrabber
2011-09-04 02:26:14 -------- d-----w- c:\documents and settings\melissa\local settings\application data\Facebook
2011-09-02 16:59:32 -------- d-----w- c:\program files\Realtek Sound Manager
2011-09-02 16:59:30 -------- d-----w- c:\program files\AvRack
2011-09-02 16:59:26 391424 ------w- c:\windows\system32\drivers\alcxsens.sys
2011-09-02 16:59:16 208896 ------w- c:\windows\alcupd.exe
2011-09-02 16:59:16 139264 ------w- c:\windows\alcrmv.exe
2011-09-02 16:51:32 135168 ----a-w- c:\windows\system32\igfxres.dll
2011-09-01 23:41:23 -------- d-----w- c:\program files\2K Games
2011-09-01 20:00:22 -------- d-----w- c:\program files\Bazooka Scanner
2011-09-01 19:16:49 -------- d-----w- c:\documents and settings\melissa\application data\Malwarebytes
2011-09-01 19:16:40 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-01 19:16:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-01 19:06:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-28 03:17:16 -------- d-----w- c:\program files\softendo.com
2011-08-27 03:55:29 -------- d-----w- C:\msorb3
2011-08-26 04:41:54 -------- d-----w- c:\documents and settings\melissa\application data\Search Settings
2011-08-26 04:41:42 -------- d-----w- c:\program files\Application Updater
2011-08-26 04:41:41 -------- d-----w- c:\program files\YouTube Downloader Toolbar
2011-08-26 04:41:41 -------- d-----w- c:\program files\common files\Spigot
2011-08-14 03:53:57 -------- d-----w- c:\documents and settings\melissa\application data\YouTube Downloader
.
==================== Find3M ====================
.
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 20:27:52 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP1614C rev.SW100-34 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xF75C7000]<< >>UNKNOWN [0xF75B7000]<< >>UNKNOWN [0xF7458000]<< >>UNKNOWN [0x806D1000]<< >>UNKNOWN [0xF73EA000]<< >>UNKNOWN [0x864BB3F1]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86584AB8]
\Driver\Disk[0x86587A08] -> IRP_MJ_CREATE -> 0xF75CDBB0
3 [0xF75C7FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000061[0x865509E8]
\Driver\ACPI[0x865E3360] -> IRP_MJ_CREATE -> 0xF745ECB8
5 [0xF745E620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Ide\IdeDeviceP2T0L0-e[0x86587D98]
\Driver\atapi[0x8658D788] -> IRP_MJ_CREATE -> 0xF73F46F2
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0xF73F1864
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendHandler -> 0x862251a8
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 10:14:31.64 ===============
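As an added example that is not part of this thread or of the DDS tool, a Python triage script over lines taken from the DDS log above: it parses the Security Center AV/FW registrations, the Run keys and the ROOTKIT section and flags what a responder would look at first, namely a product outside the allowlist registered as both AV and firewall next to MSE, an autorun launched from the user profile, an orphaned toolbar CLSID, and the atapi DriverStartIo hook with its TDL3 warning. The allowlist of known products and the severity labels are assumptions.

```python
# Added example (not the DDS tool's code): triage a DDS log for the indicators
# seen in this thread. The allowlist and severity labels are assumptions.
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: lines taken from the DDS log posted above, reduced to the
# sections this triage reads. Backslashes are doubled for the string literal.
SAMPLE_DDS_LOG = """\
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Anti-Malware Lab *Enabled/Updated* {42F81387-D91F-4826-BC28-D124A3299C14}
FW: Anti-Malware Lab *Enabled*
============== Pseudo HJT Report ===============
uRun: [Xvid] c:\\program files\\xvid\\CheckUpdate.exe
uRun: [Facebook Update] "c:\\documents and settings\\melissa\\local settings\\application data\\facebook\\update\\FacebookUpdate.exe" /c /nocrashserver
mRun: [MSC] "c:\\program files\\microsoft security client\\msseces.exe" -hide -runkey
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
=================== ROOTKIT ====================
detected hooks:
\\Driver\\atapi DriverStartIo -> 0xF73F1864
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Assumption: products the operator recognises. Anything else registered in
# Security Center is reported, since rogue AVs register themselves there.
KNOWN_SECURITY_PRODUCTS = {"microsoft security essentials"}

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SEC_CENTER_RE = re.compile(r"^(AV|FW|AS): (.+?) \*(\w+)(?:/\w+)?\*")
RUN_RE = re.compile(r"^([um])Run: \[([^\]]*)\] (.*)$")
ORPHAN_TB_RE = re.compile(r"^TB: (\{[^}]+\}) - No File$")
HOOK_RE = re.compile(r"^(\\Driver\\\S+|NDIS:).*-> 0x[0-9A-Fa-f]+$")
USER_PROFILE_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(local settings\\)?application data\\", re.I)

Finding = namedtuple("Finding", "severity category detail")  # severity: high/medium/info

@dataclass
class TriageReport:
    security_products: list = field(default_factory=list)  # (kind, name, state)
    findings: list = field(default_factory=list)

def exe_path(command: str) -> str:
    """Return the executable from a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\s[-/]", command)  # unquoted path ends at the first switch
    return command[:m.start()] if m else command

def triage_dds(text: str) -> TriageReport:
    report, section, enabled_av = TriageReport(), "", []
    for raw in text.splitlines():
        line = raw.strip()
        hdr = SECTION_RE.match(line)
        if hdr:
            section = hdr.group(1).upper()
            continue
        m = SEC_CENTER_RE.match(line)
        if m:  # Security Center registration of AV / firewall products
            kind, name, state = m.groups()
            report.security_products.append((kind, name, state))
            if name.lower() not in KNOWN_SECURITY_PRODUCTS:
                report.findings.append(Finding("high", "security-center",
                    f"{kind} product '{name}' ({state}) is not on the allowlist"))
            if kind == "AV" and state == "Enabled":
                enabled_av.append(name)
            continue
        m = RUN_RE.match(line)
        if m:  # autoruns living under a user profile deserve a look
            hive, value, cmd = m.groups()
            path = exe_path(cmd)
            if USER_PROFILE_RE.search(path):
                report.findings.append(Finding("medium", "autorun",
                    f"{hive}Run [{value}] launches from a user profile: {path}"))
            continue
        m = ORPHAN_TB_RE.match(line)
        if m:  # leftover toolbar registration whose file is gone
            report.findings.append(Finding("info", "orphan",
                f"toolbar CLSID {m.group(1)} points to a missing file"))
            continue
        if section == "ROOTKIT":  # MBR/driver hook checks from the ROOTKIT section
            if line.startswith("Warning:"):
                report.findings.append(Finding("high", "rootkit", line))
            elif HOOK_RE.match(line):
                report.findings.append(Finding("high", "rootkit", "kernel hook: " + line))
    if len(enabled_av) > 1:
        report.findings.append(Finding("medium", "security-center",
            "more than one enabled AV: " + ", ".join(enabled_av)))
    return report
```

Call `triage_dds(SAMPLE_DDS_LOG)` and iterate over `.findings`; a full DDS log pasted into the same function is triaged the same way.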


#4 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost
  • Local time:06:18 PM

Posted 11 September 2011 - 04:27 PM

Hi,

Download and run tdsskiller:

Please download TDSS Killer.exe and save it to your desktop.

Double click to launch the utility. On Vista and Windows 7, right click and "run as admin..". After it initializes, click the start scan button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.


A report can also be found on your root drive, Local Disk (C:), as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt).

Please post the log report.

How Can I Reduce My Risk to Malware?


#5 Johnny_V

Johnny_V
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:18 PM

Posted 11 September 2011 - 04:53 PM

Hi,

TDSS Killer has been sitting at initialization: 80% for over 10 minutes. Is this normal?

#6 Johnny_V

Johnny_V
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:18 PM

Posted 11 September 2011 - 06:41 PM

TDSS Killer stayed at initializing 80% for over an hour so I booted into safe mode and got the same result. It appears that TDSS Killer will not run on this system.

#7 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost
  • Local time:06:18 PM

Posted 11 September 2011 - 07:31 PM

OK. We will get another download to use. It's called ComboFix. There is a guide to read first. Read through the guide, then apply the directions on your own machine. Post the ComboFix log. After you run ComboFix, try running TDSSKiller again. If TDSSKiller hangs again, boot into safe mode and try running it.

Guide to using Combofix

I won't be back online for 18 hrs or so.

Edited by shelf life, 11 September 2011 - 08:00 PM.

How Can I Reduce My Risk to Malware?


#8 Johnny_V

Johnny_V
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:18 PM

Posted 11 September 2011 - 08:45 PM

OK. I ran combofix and after that TDSS Killer ran and found something:

ComboFix 11-09-11.06 - Melissa 09/11/2011 21:16:09.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.426 [GMT -4:00]
Running from: c:\documents and settings\Melissa\Desktop\ComboFix.exe
AV: Anti-Malware Lab *Enabled/Updated* {42F81387-D91F-4826-BC28-D124A3299C14}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Anti-Malware Lab *Enabled* {101A17B0-3AD2-441D-A576-4B5B74B7D2E2}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-12 to 2011-09-12 )))))))))))))))))))))))))))))))
.
.
2011-09-11 18:05 . 2011-08-12 02:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91AEF56B-1F7D-4433-8326-6E00054D38E3}\mpengine.dll
2011-09-08 17:37 . 2011-09-08 18:22 -------- d-----w- c:\program files\trend micro
2011-09-08 17:37 . 2011-09-08 17:40 -------- d-----w- C:\rsit
2011-09-04 23:59 . 2011-07-08 11:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-04 23:59 . 2011-07-08 11:55 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-04 23:08 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-09-04 23:08 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-09-04 23:08 . 2004-08-04 02:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-09-04 23:08 . 2004-08-04 02:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-09-04 23:08 . 2008-04-14 00:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2011-09-04 23:07 . 2008-04-13 18:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2011-09-04 23:07 . 2004-08-04 02:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2011-09-04 23:07 . 2004-08-04 02:29 23615 -c--a-w- c:\windows\system32\dllcache\wch7xxnt.sys
2011-09-04 23:07 . 2008-04-13 18:45 31744 -c--a-w- c:\windows\system32\dllcache\wceusbsh.sys
2011-09-04 23:07 . 2004-08-04 02:29 33599 -c--a-w- c:\windows\system32\dllcache\watv04nt.sys
2011-09-04 23:07 . 2004-08-04 02:29 19551 -c--a-w- c:\windows\system32\dllcache\watv02nt.sys
2011-09-04 23:07 . 2004-08-04 02:29 29311 -c--a-w- c:\windows\system32\dllcache\watv01nt.sys
2011-09-04 23:07 . 2004-08-04 02:29 11775 -c--a-w- c:\windows\system32\dllcache\wadv05nt.sys
2011-09-04 23:07 . 2004-08-04 02:29 12127 -c--a-w- c:\windows\system32\dllcache\wadv02nt.sys
2011-09-04 23:07 . 2004-08-04 02:29 12415 -c--a-w- c:\windows\system32\dllcache\wadv01nt.sys
2011-09-04 23:07 . 2008-04-13 18:40 5376 -c--a-w- c:\windows\system32\dllcache\viaide.sys
2011-09-04 23:06 . 2008-04-13 18:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2011-09-04 23:06 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-09-04 23:06 . 2008-04-13 18:45 17152 -c--a-w- c:\windows\system32\dllcache\usbohci.sys
2011-09-04 23:06 . 2004-08-04 02:31 32384 -c--a-w- c:\windows\system32\dllcache\usb101et.sys
2011-09-04 23:06 . 2008-04-14 00:12 82944 -c--a-w- c:\windows\system32\dllcache\tp4mon.exe
2011-09-04 23:05 . 2008-04-13 18:40 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2011-09-04 23:05 . 2008-04-13 18:40 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2011-09-04 23:04 . 2008-04-13 18:36 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2011-09-04 23:04 . 2008-04-13 18:36 16000 -c--a-w- c:\windows\system32\dllcache\smbbatt.sys
2011-09-04 23:04 . 2004-08-04 02:31 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
2011-09-04 23:03 . 2004-08-04 02:31 32768 -c--a-w- c:\windows\system32\dllcache\sisnic.sys
2011-09-04 23:02 . 2008-04-13 18:45 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2011-09-04 23:01 . 2008-04-13 18:40 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2011-09-04 23:01 . 2008-04-14 00:12 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2011-09-04 23:01 . 2008-04-14 00:12 27648 -c--a-w- c:\windows\system32\dllcache\rw430ext.dll
2011-09-04 23:00 . 2008-04-13 18:40 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2011-09-04 22:59 . 2008-04-13 18:40 6016 -c--a-w- c:\windows\system32\dllcache\qic157.sys
2011-09-04 22:59 . 2008-04-14 00:12 159232 -c--a-w- c:\windows\system32\dllcache\ptpusd.dll
2011-09-04 22:58 . 2008-04-13 18:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2011-09-04 22:58 . 2008-04-13 18:40 8832 -c--a-w- c:\windows\system32\dllcache\powerfil.sys
2011-09-04 22:58 . 2008-04-14 00:10 259328 -c--a-w- c:\windows\system32\dllcache\perm3dd.dll
2011-09-04 22:58 . 2008-04-13 18:44 28032 -c--a-w- c:\windows\system32\dllcache\perm3.sys
2011-09-04 22:58 . 2008-04-14 00:10 211584 -c--a-w- c:\windows\system32\dllcache\perm2dll.dll
2011-09-04 22:58 . 2008-04-13 18:44 27904 -c--a-w- c:\windows\system32\dllcache\perm2.sys
2011-09-04 22:58 . 2004-08-04 02:06 169984 -c--a-w- c:\windows\system32\dllcache\pcx500.sys
2011-09-04 22:58 . 2004-08-04 02:31 29502 -c--a-w- c:\windows\system32\dllcache\pca200e.sys
2011-09-04 22:58 . 2008-04-13 18:46 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2011-09-04 22:56 . 2008-04-13 18:54 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
2011-09-04 22:56 . 2004-08-04 02:31 132695 -c--a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-09-04 22:56 . 2008-04-13 18:46 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2011-09-04 22:55 . 2008-04-13 18:54 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2011-09-04 22:55 . 2008-04-13 18:41 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2011-09-04 22:54 . 2004-08-04 02:39 20864 -c--a-w- c:\windows\system32\dllcache\lwadihid.sys
2011-09-04 22:54 . 2008-04-13 18:40 7040 -c--a-w- c:\windows\system32\dllcache\ltotape.sys
2011-09-04 22:54 . 2004-08-04 02:41 420992 -c--a-w- c:\windows\system32\dllcache\ltmdmntt.sys
2011-09-04 22:54 . 2004-08-04 02:41 606684 -c--a-w- c:\windows\system32\dllcache\ltmdmnt.sys
2011-09-04 22:54 . 2008-04-13 18:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2011-09-04 22:54 . 2008-04-14 00:11 253952 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll
2011-09-04 22:54 . 2008-04-14 00:11 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2011-09-04 22:53 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2011-09-04 22:53 . 2008-04-14 00:11 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll
2011-09-04 22:53 . 2008-04-14 00:12 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe
2011-09-04 22:53 . 2008-04-13 18:54 88192 -c--a-w- c:\windows\system32\dllcache\irda.sys
2011-09-04 22:52 . 2008-04-14 00:11 702845 -c--a-w- c:\windows\system32\dllcache\i81xdnt5.dll
2011-09-04 22:52 . 2004-08-04 02:29 161020 -c--a-w- c:\windows\system32\dllcache\i81xnt5.sys
2011-09-04 22:52 . 2008-04-13 18:41 18560 -c--a-w- c:\windows\system32\dllcache\i2omp.sys
2011-09-04 22:52 . 2008-04-13 18:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2011-09-04 22:52 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-09-04 22:52 . 2008-04-13 18:36 20352 -c--a-w- c:\windows\system32\dllcache\hidbatt.sys
2011-09-04 22:51 . 2008-04-13 18:40 28288 -c--a-w- c:\windows\system32\dllcache\grserial.sys
2011-09-04 22:51 . 2008-04-13 18:45 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2011-09-04 22:51 . 2008-04-13 18:45 10624 -c--a-w- c:\windows\system32\dllcache\gameenum.sys
2011-09-04 22:51 . 2004-08-04 02:31 34173 -c--a-w- c:\windows\system32\dllcache\forehe.sys
2011-09-04 22:50 . 2004-08-04 02:32 137088 -c--a-w- c:\windows\system32\dllcache\essm2e.sys
2011-09-04 22:50 . 2008-04-13 18:39 206976 -c--a-w- c:\windows\system32\dllcache\dot4.sys
2011-09-04 22:49 . 2008-04-13 18:40 8320 -c--a-w- c:\windows\system32\dllcache\dlttape.sys
2011-09-04 22:49 . 2004-08-04 02:32 48640 -c--a-w- c:\windows\system32\dllcache\cwrwdm.sys
2011-09-04 22:47 . 2001-08-17 18:04 223232 -c--a-w- c:\windows\system32\dllcache\camdrv21.sys
2011-09-04 22:46 . 2008-04-13 18:46 13696 -c--a-w- c:\windows\system32\dllcache\avcstrm.sys
2011-09-04 22:45 . 2001-08-17 18:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2011-09-04 20:41 . 2011-09-04 20:42 -------- d-----w- c:\program files\vGrabber
2011-09-04 02:26 . 2011-09-04 02:27 -------- d-----w- c:\documents and settings\Melissa\Local Settings\Application Data\Facebook
2011-09-02 16:59 . 2011-09-02 16:59 -------- d-----w- c:\program files\Realtek Sound Manager
2011-09-02 16:59 . 2011-09-02 16:59 -------- d-----w- c:\program files\AvRack
2011-09-02 16:59 . 2004-08-19 12:21 391424 ------w- c:\windows\system32\drivers\alcxsens.sys
2011-09-02 16:59 . 2004-08-19 12:21 208896 ------w- c:\windows\alcupd.exe
2011-09-02 16:59 . 2004-08-19 12:21 139264 ------w- c:\windows\alcrmv.exe
2011-09-02 16:51 . 2005-06-02 19:28 135168 ----a-w- c:\windows\system32\igfxres.dll
2011-09-02 00:16 . 2011-09-05 02:07 -------- d-----w- c:\documents and settings\Melissa\Application Data\Bioshock
2011-09-01 23:41 . 2011-09-01 23:41 -------- d-----w- c:\program files\2K Games
2011-09-01 20:00 . 2011-09-01 20:00 -------- d-----w- c:\program files\Bazooka Scanner
2011-09-01 19:16 . 2011-09-01 19:16 -------- d-----w- c:\documents and settings\Melissa\Application Data\Malwarebytes
2011-09-01 19:16 . 2011-09-01 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-01 19:16 . 2011-09-04 23:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-01 19:06 . 2011-09-01 19:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-01 18:32 . 2011-09-01 18:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2011-09-01 18:32 . 2011-09-01 18:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Search Settings
2011-08-28 03:17 . 2011-08-28 03:17 -------- d-----w- c:\program files\softendo.com
2011-08-27 03:55 . 2011-08-27 03:55 -------- d-----w- C:\msorb3
2011-08-26 04:41 . 2011-08-26 04:41 -------- d-----w- c:\documents and settings\Melissa\Application Data\Search Settings
2011-08-26 04:41 . 2011-09-01 18:08 -------- d-----w- c:\program files\Application Updater
2011-08-26 04:41 . 2011-08-26 04:41 -------- d-----w- c:\program files\YouTube Downloader Toolbar
2011-08-26 04:41 . 2011-08-26 04:41 -------- d-----w- c:\program files\Common Files\Spigot
2011-08-14 03:53 . 2011-08-14 03:54 -------- d-----w- c:\documents and settings\Melissa\Application Data\YouTube Downloader
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 10:17 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 20:27 . 2011-06-04 22:47 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-12 02:44 . 2011-06-06 18:04 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-19 18:22 . 2011-07-19 18:22 53248 ----a-r- c:\documents and settings\Melissa\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-13 03:39 . 2011-08-09 03:35 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-07-08 14:02 . 2006-02-28 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2009-06-25 04:19 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"ooVoo.exe"="c:\program files\ooVoo\oovoo.exe" [2011-05-18 22631608]
"Logitech Vid HD"="c:\program files\Logitech\Vid\vid.exe" [2010-05-11 6061400]
"Logitech Vid"="c:\program files\Logitech\Vid\Vid.exe" [2010-05-11 6061400]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2011-06-08 822456]
"Facebook Update"="c:\documents and settings\Melissa\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2011-09-04 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-03-29 273544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"SoundMan"="SOUNDMAN.EXE" [2004-08-19 65024]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-02 114688]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-02 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-02 77824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
.
c:\documents and settings\Melissa\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2009-11-8 118784]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Documents and Settings\\Melissa\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
"c:\\Program Files\\Logitech\\Vid\\Vid.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"37676:TCP"= 37676:TCP:*:Disabled:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:*:Disabled:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:*:Disabled:ooVoo UDP port 37677
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
.
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [4/1/2011 1:11 AM 428640]
S1 MpKslde639083;MpKslde639083;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7DCB0895-D948-4C23-A364-383B8EB10BB5}\MpKslde639083.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7DCB0895-D948-4C23-A364-383B8EB10BB5}\MpKslde639083.sys [?]
S1 MpKslecf2c290;MpKslecf2c290;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{471D5D40-625D-4F10-A083-2CC2CA1363C4}\MpKslecf2c290.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{471D5D40-625D-4F10-A083-2CC2CA1363C4}\MpKslecf2c290.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2010 10:02 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2010 10:02 PM 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/4/2011 7:59 PM 41272]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-09-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1343024091-57989841-839522115-1003Core.job
- c:\documents and settings\Melissa\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-09-04 02:25]
.
2011-09-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1343024091-57989841-839522115-1003UA.job
- c:\documents and settings\Melissa\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-09-04 02:25]
.
2011-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 02:02]
.
2011-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 02:02]
.
2011-09-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1343024091-57989841-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-09-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1343024091-57989841-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-11 21:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1343024091-57989841-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:60,8f,55,cc,47,f0,80,24,d6,77,e1,a7,82,c0,9c,59,e0,86,0b,a3,db,c1,ba,
f6,a3,48,68,3a,4a,2e,18,0c,4e,42,ae,e6,31,d6,6d,98,7d,0f,72,a5,26,45,db,21,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
[HKEY_USERS\S-1-5-21-1343024091-57989841-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:16,02,85,56,25,77,44,fd,f0,8d,01,b9,8f,13,70,d8,ab,2a,a0,e1,67,
62,3a,06,a4,c4,c9,51,69,1b,0c,39,79,22,9a,4f,1f,f9,15,6a,c0,80,0f,28,11,a0,\
"rkeysecu"=hex:f4,49,c7,c7,8b,67,0b,67,a9,59,96,e2,1f,7a,ea,06
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1408)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-11 21:26:05
ComboFix-quarantined-files.txt 2011-09-12 01:26
ComboFix2.txt 2011-09-05 01:05
.
Pre-Run: 56,248,291,328 bytes free
Post-Run: 56,308,379,648 bytes free
.
- - End Of File - - A463294C4E402183E5293879DCF0DCFB


2011/09/11 21:30:21.0328 3764 TDSS rootkit removing tool 2.5.21.0 Sep 10 2011 21:07:05
2011/09/11 21:30:21.0343 3764 ================================================================================
2011/09/11 21:30:21.0343 3764 SystemInfo:
2011/09/11 21:30:21.0343 3764
2011/09/11 21:30:21.0343 3764 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/11 21:30:21.0343 3764 Product type: Workstation
2011/09/11 21:30:21.0343 3764 ComputerName: MELISSA
2011/09/11 21:30:21.0343 3764 UserName: Melissa
2011/09/11 21:30:21.0343 3764 Windows directory: C:\WINDOWS
2011/09/11 21:30:21.0343 3764 System windows directory: C:\WINDOWS
2011/09/11 21:30:21.0343 3764 Processor architecture: Intel x86
2011/09/11 21:30:21.0343 3764 Number of processors: 1
2011/09/11 21:30:21.0343 3764 Page size: 0x1000
2011/09/11 21:30:21.0343 3764 Boot type: Normal boot
2011/09/11 21:30:21.0343 3764 ================================================================================
2011/09/11 21:30:22.0812 3764 Initialize success
2011/09/11 21:30:35.0734 1876 ================================================================================
2011/09/11 21:30:35.0734 1876 Scan started
2011/09/11 21:30:35.0734 1876 Mode: Manual;
2011/09/11 21:30:35.0734 1876 ================================================================================
2011/09/11 21:30:36.0375 1876 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/11 21:30:36.0375 1876 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
2011/09/11 21:30:36.0390 1876 ACPI - detected Virus.Win32.Rloader.a (0)
2011/09/11 21:30:36.0484 1876 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/11 21:30:36.0593 1876 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/11 21:30:36.0656 1876 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/11 21:30:36.0796 1876 ALCXWDM (391344370018a87a6c478ab76c7a47a8) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/09/11 21:30:37.0015 1876 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/11 21:30:37.0046 1876 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/11 21:30:37.0093 1876 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/11 21:30:37.0156 1876 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/11 21:30:37.0234 1876 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/11 21:30:37.0390 1876 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/11 21:30:37.0453 1876 CCDECODE (fdc06e2ada8c468ebb161624e03976cf) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/09/11 21:30:37.0500 1876 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/11 21:30:37.0531 1876 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/11 21:30:37.0562 1876 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/11 21:30:37.0750 1876 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/11 21:30:37.0812 1876 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/11 21:30:37.0875 1876 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/11 21:30:37.0906 1876 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/11 21:30:37.0937 1876 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/11 21:30:38.0000 1876 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/11 21:30:38.0078 1876 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/11 21:30:38.0109 1876 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/09/11 21:30:38.0156 1876 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/11 21:30:38.0187 1876 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/11 21:30:38.0203 1876 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/11 21:30:38.0234 1876 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/11 21:30:38.0265 1876 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/11 21:30:38.0296 1876 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/09/11 21:30:38.0328 1876 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/11 21:30:38.0375 1876 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/11 21:30:38.0484 1876 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/11 21:30:38.0562 1876 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/11 21:30:38.0656 1876 ialm (d95eb1c9b3a5c2f6fdeab05dd03736fe) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/09/11 21:30:38.0718 1876 ICAM5USB (252545d3a52f537f6de7db4f3f9f4595) C:\WINDOWS\system32\Drivers\ICAM5D2.sys
2011/09/11 21:30:38.0750 1876 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/11 21:30:38.0812 1876 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/09/11 21:30:38.0843 1876 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/11 21:30:38.0875 1876 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/11 21:30:38.0921 1876 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/11 21:30:38.0937 1876 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/11 21:30:38.0968 1876 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/11 21:30:39.0000 1876 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/11 21:30:39.0031 1876 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/11 21:30:39.0062 1876 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/11 21:30:39.0109 1876 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/11 21:30:39.0125 1876 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/11 21:30:39.0156 1876 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/11 21:30:39.0218 1876 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/11 21:30:39.0437 1876 LVRS (b6e1ccd6572984adcae68439afd07011) C:\WINDOWS\system32\DRIVERS\lvrs.sys
2011/09/11 21:30:39.0640 1876 LVUVC (6c42815dd57e397f0cd988304b5eb4b3) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2011/09/11 21:30:39.0718 1876 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/09/11 21:30:39.0750 1876 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/11 21:30:39.0781 1876 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/11 21:30:39.0843 1876 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/11 21:30:39.0906 1876 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/11 21:30:39.0937 1876 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/11 21:30:39.0968 1876 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/09/11 21:30:40.0187 1876 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/11 21:30:40.0265 1876 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/11 21:30:40.0296 1876 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/11 21:30:40.0328 1876 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/11 21:30:40.0359 1876 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/11 21:30:40.0390 1876 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/11 21:30:40.0421 1876 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/11 21:30:40.0468 1876 MSTEE (d5059366b361f0e1124753447af08aa2) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/09/11 21:30:40.0531 1876 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/11 21:30:40.0562 1876 NABTSFEC (ac31b352ce5e92704056d409834beb74) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/09/11 21:30:40.0609 1876 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/11 21:30:40.0640 1876 NdisIP (abd7629cf2796250f315c1dd0b6cf7a0) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/09/11 21:30:40.0656 1876 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/11 21:30:40.0687 1876 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/11 21:30:40.0718 1876 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/11 21:30:40.0750 1876 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/11 21:30:40.0796 1876 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/11 21:30:40.0843 1876 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/11 21:30:40.0906 1876 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/11 21:30:40.0953 1876 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/11 21:30:41.0031 1876 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/09/11 21:30:41.0093 1876 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/11 21:30:41.0156 1876 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/11 21:30:41.0187 1876 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/11 21:30:41.0218 1876 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/11 21:30:41.0250 1876 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/11 21:30:41.0265 1876 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/11 21:30:41.0296 1876 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/11 21:30:41.0359 1876 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/09/11 21:30:41.0390 1876 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/11 21:30:41.0593 1876 Point32 (cf7c1868b90c90a265fc3f60ce46265b) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/09/11 21:30:41.0625 1876 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/11 21:30:41.0671 1876 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/11 21:30:41.0718 1876 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/11 21:30:41.0859 1876 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/11 21:30:41.0890 1876 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/11 21:30:41.0921 1876 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/11 21:30:41.0953 1876 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/11 21:30:41.0984 1876 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/11 21:30:42.0000 1876 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/11 21:30:42.0046 1876 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/11 21:30:42.0125 1876 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/11 21:30:42.0156 1876 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/11 21:30:42.0250 1876 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2011/09/11 21:30:42.0312 1876 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/09/11 21:30:42.0359 1876 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/11 21:30:42.0421 1876 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/11 21:30:42.0437 1876 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/11 21:30:42.0484 1876 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/11 21:30:42.0578 1876 SLIP (1ffc44d6787ec1ea9a2b1440a90fa5c1) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/09/11 21:30:42.0656 1876 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/11 21:30:42.0687 1876 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/11 21:30:42.0781 1876 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/11 21:30:42.0828 1876 streamip (a9f9fd0212e572b84edb9eb661f6bc04) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/09/11 21:30:42.0875 1876 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/11 21:30:42.0937 1876 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/11 21:30:43.0062 1876 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/11 21:30:43.0171 1876 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/11 21:30:43.0218 1876 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/11 21:30:43.0234 1876 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/11 21:30:43.0281 1876 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/11 21:30:43.0359 1876 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/11 21:30:43.0453 1876 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/11 21:30:43.0609 1876 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/09/11 21:30:43.0687 1876 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/09/11 21:30:43.0750 1876 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/11 21:30:43.0781 1876 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/11 21:30:43.0812 1876 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/11 21:30:43.0828 1876 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/11 21:30:43.0859 1876 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/11 21:30:43.0906 1876 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/09/11 21:30:43.0953 1876 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/11 21:30:44.0000 1876 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/11 21:30:44.0046 1876 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/11 21:30:44.0140 1876 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/09/11 21:30:44.0234 1876 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/11 21:30:44.0359 1876 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/09/11 21:30:44.0406 1876 WSTCODEC (233cdd1c06942115802eb7ce6669e099) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/11 21:30:44.0468 1876 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/11 21:30:44.0515 1876 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/11 21:30:44.0562 1876 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/11 21:30:44.0671 1876 Boot (0x1200) (9db77eef418464e9e081296115829c68) \Device\Harddisk0\DR0\Partition0
2011/09/11 21:30:44.0687 1876 ================================================================================
2011/09/11 21:30:44.0687 1876 Scan finished
2011/09/11 21:30:44.0687 1876 ================================================================================
2011/09/11 21:30:44.0703 1256 Detected object count: 1
2011/09/11 21:30:44.0703 1256 Actual detected object count: 1
2011/09/11 21:32:04.0484 1256 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/11 21:32:04.0484 1256 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
2011/09/11 21:32:05.0328 1256 Backup copy found, using it..
2011/09/11 21:32:05.0343 1256 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured after reboot
2011/09/11 21:32:05.0343 1256 Virus.Win32.Rloader.a(ACPI) - User select action: Cure
2011/09/11 21:33:04.0468 1568 Deinitialize success
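The TDSSKiller log above reports a "Forged" ACPI.sys with two different MD5s for the same path. A defender reading such a log wants to pull the detections out mechanically and sanity-check them: does the hash on the driver-list line agree with the "Real md5" of the forged entry, was an action recorded, and does the declared object count match what the log actually contains. The Python below is an added example written for this thread; it is not part of the post and not Kaspersky's own tooling. It assumes the log format exactly as printed above (timestamp, thread id, then the message) and reads the "Real md5"/"Fake md5" pair as on-disk bytes versus what the normal file API returned, which is my interpretation of the log rather than something the log states. The sample input is constructed from lines in the post.

```python
"""Triage helper for a TDSSKiller log (added example, not the tool's own code):
extract forged-driver detections and cross-check them against the rest of the log."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the log format shown in the post above; hashes and paths
# are copied from that log, the excerpt itself is sample input for this example.
SAMPLE_LOG = r"""
2011/09/11 21:30:44.0562 1876 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/11 21:30:44.0687 1876 Scan finished
2011/09/11 21:30:44.0703 1256 Detected object count: 1
2011/09/11 21:30:44.0703 1256 Actual detected object count: 1
2011/09/11 21:32:04.0484 1256 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/11 21:32:04.0484 1256 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
2011/09/11 21:32:05.0328 1256 Backup copy found, using it..
2011/09/11 21:32:05.0343 1256 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured after reboot
2011/09/11 21:32:05.0343 1256 Virus.Win32.Rloader.a(ACPI) - User select action: Cure
"""

# Driver-list line: "<ts> <tid> <name> [(0xSIZE)] (<md5>) <path>"; the optional
# size group covers the MBR/Boot entries.
DRIVER_RE = re.compile(
    r"^\S+ \S+\s+\d+\s+(?P<name>\S+)(?: \(0x[0-9A-Fa-f]+\))? "
    r"\((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    r"Suspicious file \((?P<kind>\w+)\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})")
VERDICT_RE = re.compile(
    r"(?P<verdict>\S+?)\((?P<service>\w+)\) - User select action: (?P<action>\w+)")
DECLARED_RE = re.compile(r"\bDetected object count: (?P<n>\d+)")
ACTUAL_RE = re.compile(r"Actual detected object count: (?P<n>\d+)")


@dataclass
class Detection:
    path: str
    kind: str
    real_md5: str          # hash of the bytes TDSSKiller read from disk
    fake_md5: str          # hash of the content presented through the file API
    service: Optional[str] = None
    listed_md5: Optional[str] = None   # hash on the driver-list line for this path
    verdict: Optional[str] = None
    action: Optional[str] = None


@dataclass
class Report:
    drivers: Dict[str, Tuple[str, str]]   # lower-cased path -> (service name, md5)
    detections: List[Detection]
    declared: Optional[int]
    actual: Optional[int]


def parse_tdsskiller(text: str) -> Report:
    drivers: Dict[str, Tuple[str, str]] = {}
    detections: List[Detection] = []
    declared = actual = None
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            drivers[m["path"].lower()] = (m["name"], m["md5"])
            continue
        m = FORGED_RE.search(line)
        if m:
            det = Detection(m["path"], m["kind"], m["real"], m["fake"])
            listed = drivers.get(m["path"].lower())
            if listed:
                det.service, det.listed_md5 = listed
            detections.append(det)
            continue
        m = VERDICT_RE.search(line)
        if m:
            # Attach the verdict to the most recent open detection for that service.
            for det in reversed(detections):
                if det.service == m["service"] and det.verdict is None:
                    det.verdict, det.action = m["verdict"], m["action"]
                    break
            continue
        m = ACTUAL_RE.search(line)
        if m:
            actual = int(m["n"])
            continue
        m = DECLARED_RE.search(line)
        if m:
            declared = int(m["n"])
    return Report(drivers, detections, declared, actual)


def triage(report: Report) -> List[str]:
    """Turn the parsed report into plain findings a responder can act on."""
    findings: List[str] = []
    for d in report.detections:
        findings.append(
            f"{d.kind}: {d.path} (service {d.service or 'unknown'}) "
            f"on-disk md5 {d.real_md5}, md5 seen through the file API {d.fake_md5}")
        if d.listed_md5 is not None and d.listed_md5 != d.real_md5:
            findings.append(f"  inconsistency: driver list recorded {d.listed_md5} for {d.path}")
        if d.action != "Cure":
            findings.append(f"  unresolved: recorded action is {d.action!r}")
    if report.declared is not None and report.declared != len(report.detections):
        findings.append(f"count mismatch: log declares {report.declared} object(s), "
                        f"parsed {len(report.detections)}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_tdsskiller(SAMPLE_LOG)):
        print(finding)
```

The practical lesson the two hashes carry: any tool that hashes ACPI.sys through the normal file API from inside the running system sees the "Fake" value, so a clean-looking hash match from user mode does not clear a driver once a low-level read disagrees with it. Verifying from offline media, or with a tool that reads the disk directly as TDSSKiller does, is the check that matters.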

#9 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:06:18 PM

Posted 12 September 2011 - 06:52 PM

OK, good. Redirection should be gone now. Check Malwarebytes for any updates and do a full scan with it. I will get a better look at the ComboFix log.

How Can I Reduce My Risk to Malware?


#10 Johnny_V

Johnny_V
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 12 September 2011 - 09:09 PM

The redirections have stopped. The sound stopped working again, but came back after a reboot. This may be a driver issue, but I want to make sure that there is no malware on this system before I start messing around with drivers. Thanks for your help. Malwarebytes didn't find anything. I await your diagnosis of the combofix log. Here is the Malwarebytes log:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7706

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/12/2011 9:53:32 PM
mbam-log-2011-09-12 (21-53-32).txt

Scan type: Full scan (C:\|)
Objects scanned: 327681
Time elapsed: 45 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:06:18 PM

Posted 13 September 2011 - 06:20 PM

hi,

Don't see anything in the ComboFix log. I do see FrostWire and LimeWire, two P2P apps. Lots of malware is distributed via P2P networks; not saying this was the cause, as there are plenty of other ways. The Malwarebytes log can't look any better. You can remove the TDSSKiller icon from the desktop and you can uninstall ComboFix like this:

Start > Run and type in combofix /uninstall
Click OK or press Enter.
Note the space after the x and before the /.

Once it all looks good and the sound is working OK you can make a new restore point: the how and the why:

One of the features of Windows XP, Vista and Windows 7 is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.


To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old, possibly infected restore points)

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.


2. Reboot.


3. Turn ON System Restore. (creates a new restore point on a clean system)

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK, then reboot.


#12 Johnny_V

Johnny_V
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 13 September 2011 - 07:57 PM

There are no more redirects and the system is running better. Thanks for your help.

#13 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:06:18 PM

Posted 14 September 2011 - 05:54 PM

OK, good. You're welcome. Last: everybody gets this:
10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.


No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows), browser (IE, Firefox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for web-based applications, browser plugins and add-ons like Java, Adobe Flash/Reader, iTunes etc. More and more third-party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here.

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, pop-ups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you are prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware then it's time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. Do you trust the source? See also E-mail phishing Tricks.

5) Do not click on ads/pop-ups or offers from websites requesting that you install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) The why and how for securing your browser for safer surfing.

10) Warez, cracks, keygens and p2p are very popular for carrying malware payloads. A file can be named anything, be nothing but malware or have malware bundled in it. Do you really trust the source of the file?


More info/tips with pictures, links below

Happy Safe Surfing.
