
XP Pro infected


4 replies to this topic

#1 darnthemalware

Posted 21 October 2011 - 10:41 AM

Hello,

I've cleaned up this pc enough to be able to run various scans and generate the logs recommended in the prep guide. I'm going to go ahead and attach the logs that seem likely to be relevant. Your help is appreciated.

Jonathan

From DDS.TXT:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Run by john at 11:19:00 on 2011-10-21

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2685 [GMT -4:00]

.

FW: AVG Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\imapi.exe

C:\WINDOWS\system32\wscntfy.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://google.com/

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll

BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk"&"inst=NzctODM3ODYxNTc0LVFJWDErNC1YMjAxMCsyLUZMMTArMS1TVVArNC1TUDFTNCsxLUREVCszNzQ2MC1ERDEwRisxLVNUMTBGQVBQKzEtUzEwRkRERisxLUYxME0xMkFOKzMzLUVVTEErMS1TVDEyRkFQUCsx"&"prod=90"&"ver=2012.0.1831"&"mid=2cccbc10033347d6b752d156a72a97eb-bc3170be152376071b4f2d39ba4007a4a92f770b

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll

IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{02F113DC-BBF7-45C6-9FA8-17C0FA3652DF} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{AC998266-E9F8-4F82-84BC-EB4DDC83B339} : DhcpNameServer = 66.75.164.89 10.10.1.150

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\jeanie\application data\mozilla\firefox\profiles\3gdrjfx7.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

.

============= SERVICES / DRIVERS ===============

.

S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\aestaud.sys --> c:\windows\system32\drivers\AESTAud.sys [?]

.

=============== Created Last 30 ================

.

2011-10-21 14:44:38 98816 ----a-w- c:\windows\sed.exe

2011-10-21 14:44:38 518144 ----a-w- c:\windows\SWREG.exe

2011-10-21 14:44:38 256000 ----a-w- c:\windows\PEV.exe

2011-10-21 14:44:38 208896 ----a-w- c:\windows\MBR.exe

2011-10-21 14:16:21 4268137 ----a-r- C:\ComboFix.exe

2011-10-21 14:09:18 -------- d-----w- C:\spoolerlogs

2011-10-21 04:17:09 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2011-10-21 04:16:40 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-10-21 04:16:38 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-10-21 03:19:23 -------- d--h--w- c:\windows\$hf_mig$

2011-10-21 03:16:16 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2011-10-20 21:59:09 -------- d-sh--w- c:\documents and settings\jeanie\PrivacIE

2011-10-20 21:47:48 -------- d-----w- c:\windows\system32\XPSViewer

2011-10-20 21:46:39 -------- d-----w- C:\e2c02bf39cd1e6f20e6a75

2011-10-20 21:46:34 -------- d-----w- C:\e17fd55c877e83528dd8

2011-10-20 21:45:57 -------- d-sh--w- c:\documents and settings\jeanie\IETldCache

2011-10-20 20:48:02 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll

2011-10-20 20:47:43 -------- d-----w- c:\windows\ie8updates

2011-10-20 20:47:37 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-10-20 20:47:37 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2011-10-20 20:47:37 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-10-20 20:47:37 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-10-20 20:47:37 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll

2011-10-20 20:47:37 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-10-20 20:47:37 11081728 -c----w- c:\windows\system32\dllcache\ieframe.dll

2011-10-20 20:46:13 -------- dc-h--w- c:\windows\ie8

2011-10-20 18:34:27 -------- d-----w- c:\windows\system32\scripting

2011-10-20 18:34:27 -------- d-----w- c:\windows\l2schemas

2011-10-20 18:34:26 -------- d-----w- c:\windows\system32\en

2011-10-20 18:34:26 -------- d-----w- c:\windows\system32\bits

2011-10-20 18:26:35 -------- d-----w- c:\windows\network diagnostic

2011-10-20 18:02:09 -------- d-sha-r- C:\cmdcons

2011-10-20 16:40:28 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

2011-10-20 16:40:10 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2011-10-20 16:40:10 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2011-10-20 16:40:10 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2011-10-20 16:40:10 117760 ------w- c:\windows\system32\prntvpt.dll

2011-10-20 16:40:09 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2011-10-20 16:40:09 575488 ------w- c:\windows\system32\xpsshhdr.dll

2011-10-20 16:40:08 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2011-10-20 16:40:08 1676288 ------w- c:\windows\system32\xpssvcs.dll

2011-10-20 16:40:08 -------- d-----w- C:\36380b30a9a7677ab62dc73431f3dd

2011-10-20 16:33:59 -------- d-----w- C:\ef1000be271bb297feb325b3e04278bd

2011-10-20 16:30:45 -------- d--h--w- c:\windows\system32\GroupPolicy

2011-10-20 16:15:33 -------- d-----w- C:\af49b58cfcf127b141305287e8df3391

2011-10-20 16:15:24 -------- d-----w- c:\program files\MSXML 6.0

2011-10-20 16:11:33 -------- d-----w- C:\43d0bb7cb0f9cb5f4989df3f

2011-10-20 16:11:29 -------- d-----w- C:\2bedf086674c462b549b9d94

2011-10-20 14:47:43 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2011-10-20 14:47:42 272128 ------w- c:\windows\system32\drivers\bthport.sys

2011-10-20 14:47:23 138496 -c----w- c:\windows\system32\dllcache\afd.sys

2011-10-20 14:47:14 357248 -c----w- c:\windows\system32\dllcache\srv.sys

2011-10-20 14:46:48 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2011-10-20 14:46:33 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2011-10-20 14:46:01 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2011-10-20 14:41:02 -------- d-----w- c:\windows\ServicePackFiles

2011-10-20 14:35:16 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2011-10-20 14:33:08 -------- d-----w- c:\program files\MSXML 4.0

2011-10-20 06:10:56 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE

2011-10-20 05:51:49 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2011-10-20 05:47:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-10-20 05:47:14 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2011-10-20 05:39:55 -------- d-----w- c:\windows\system32\PreInstall

2011-10-20 05:39:54 26144 ----a-w- c:\windows\system32\spupdsvc.exe

2011-10-20 05:05:39 65536 -c----w- c:\windows\system32\dllcache\asycfilt.dll

2011-10-20 04:04:30 -------- d-----w- c:\windows\system32\SoftwareDistribution

2011-10-20 02:55:40 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-10-19 02:54:25 -------- d-----w- c:\documents and settings\jeanie\application data\Malwarebytes

2011-10-19 02:54:13 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-10-19 01:22:31 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-10-19 01:22:31 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-10-19 00:52:13 -------- d--h--w- c:\windows\PIF

.

==================== Find3M ====================

.

2011-09-19 00:54:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-06 01:04:30 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48:54 43520 ------w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56:39 385024 ------w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD2500BEVS-75UST0 rev.01.01A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B0874D0]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b08d7d0]; MOV EAX, [0x8b08d84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B095AB8]

3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AFA8820]

\Driver\atapi[0x8B07DB08] -> IRP_MJ_CREATE -> 0x8B0874D0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x8B08731B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 11:21:37.21 ===============

From ARK.TXT:

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-10-21 11:34:55

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 WDC_WD2500BEVS-75UST0 rev.01.01A01

Running: 6j1bj31l.exe; Driver: C:\WINDOWS\TEMP\uwtdypog.sys

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\TEMP\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B8000A

.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B9000A

.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C

.text C:\WINDOWS\Explorer.EXE[1936] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC000A

.text C:\WINDOWS\Explorer.EXE[1936] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A

.text C:\WINDOWS\Explorer.EXE[1936] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BB000C

.text C:\WINDOWS\system32\wuauclt.exe[2924] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C7000A

.text C:\WINDOWS\system32\wuauclt.exe[2924] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C8000A

.text C:\WINDOWS\system32\wuauclt.exe[2924] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C6000C

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8B08731B

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8B08731B

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8B08731B

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8B08731B

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xBD 0x28 0x84 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x5B 0x19 0x15 0xF0 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4E 0x02 0x7A 0x77 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xBD 0x28 0x84 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x5B 0x19 0x15 0xF0 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4E 0x02 0x7A 0x77 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xBD 0x28 0x84 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x5B 0x19 0x15 0xF0 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4E 0x02 0x7A 0x77 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xBD 0x28 0x84 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x5B 0x19 0x15 0xF0 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4E 0x02 0x7A 0x77 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xBD 0x28 0x84 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x5B 0x19 0x15 0xF0 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4E 0x02 0x7A 0x77 ...

Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xBD 0x28 0x84 ...

Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x5B 0x19 0x15 0xF0 ...

Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4E 0x02 0x7A 0x77 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xBD 0x28 0x84 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x5B 0x19 0x15 0xF0 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4E 0x02 0x7A 0x77 ...

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xBD 0x28 0x84 ...

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x5B 0x19 0x15 0xF0 ...

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4E 0x02 0x7A 0x77 ...

Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xBD 0x28 0x84 ...

Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x5B 0x19 0x15 0xF0 ...

Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4E 0x02 0x7A 0x77 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\VQ2IYILY.txt 0 bytes

---- EOF - GMER 1.0.15 ----

From LOG.TXT (combofix run as c:\svchost.exe):

ComboFix 11-10-20.08 - john 10/21/2011 10:46:44.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2679 [GMT -4:00]

Running from: C:\ComboFix.exe

FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}

.

.

((((((((((((((((((((((((( Files Created from 2011-09-21 to 2011-10-21 )))))))))))))))))))))))))))))))

.

.

2011-10-21 14:09 . 2011-10-21 14:09 -------- d-----w- C:\spoolerlogs

2011-10-21 04:17 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2011-10-21 04:16 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-10-21 04:16 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-10-21 03:19 . 2011-10-21 05:17 -------- d--h--w- c:\windows\$hf_mig$

2011-10-21 03:16 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2011-10-20 22:57 . 2011-10-20 22:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2011-10-20 22:07 . 2011-10-20 22:07 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-10-20 21:59 . 2011-10-20 21:59 -------- d-sh--w- c:\documents and settings\Jeanie\PrivacIE

2011-10-20 21:53 . 2011-10-20 21:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-10-20 21:47 . 2011-10-20 22:13 -------- d-----w- c:\windows\system32\XPSViewer

2011-10-20 21:47 . 2011-10-20 21:47 -------- d-----w- c:\program files\MSBuild

2011-10-20 21:47 . 2011-10-20 21:47 -------- d-----w- c:\program files\Reference Assemblies

2011-10-20 21:46 . 2011-10-20 21:46 -------- d-----w- C:\e2c02bf39cd1e6f20e6a75

2011-10-20 21:46 . 2011-10-20 22:05 -------- d-----w- C:\e17fd55c877e83528dd8

2011-10-20 21:45 . 2011-10-20 21:45 -------- d-sh--w- c:\documents and settings\Jeanie\IETldCache

2011-10-20 20:48 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll

2011-10-20 20:47 . 2011-08-23 21:48 11081728 -c----w- c:\windows\system32\dllcache\ieframe.dll

2011-10-20 20:47 . 2011-08-22 23:48 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2011-10-20 20:47 . 2011-08-22 23:48 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-10-20 20:47 . 2011-08-22 23:48 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-10-20 20:47 . 2011-08-22 23:48 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-10-20 20:47 . 2011-08-22 23:48 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-10-20 20:47 . 2011-08-22 23:48 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll

2011-10-20 20:46 . 2011-10-20 20:47 -------- dc-h--w- c:\windows\ie8

2011-10-20 18:34 . 2011-10-20 18:34 -------- d-----w- c:\windows\system32\scripting

2011-10-20 18:34 . 2011-10-20 18:34 -------- d-----w- c:\windows\l2schemas

2011-10-20 18:34 . 2011-10-20 18:34 -------- d-----w- c:\windows\system32\en

2011-10-20 18:34 . 2011-10-20 18:34 -------- d-----w- c:\windows\system32\bits

2011-10-20 16:40 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2011-10-20 16:40 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2011-10-20 16:40 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2011-10-20 16:40 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2011-10-20 16:40 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2011-10-20 16:40 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2011-10-20 16:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2011-10-20 16:40 . 2011-10-20 16:40 -------- d-----w- C:\36380b30a9a7677ab62dc73431f3dd

2011-10-20 16:40 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2011-10-20 16:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2011-10-20 16:33 . 2011-10-20 16:40 -------- d-----w- C:\ef1000be271bb297feb325b3e04278bd

2011-10-20 16:30 . 2011-10-20 16:30 -------- d--h--w- c:\windows\system32\GroupPolicy

2011-10-20 16:15 . 2011-10-20 16:15 -------- d-----w- C:\af49b58cfcf127b141305287e8df3391

2011-10-20 16:15 . 2011-10-20 16:15 -------- d-----w- c:\program files\MSXML 6.0

2011-10-20 16:11 . 2011-10-20 16:11 -------- d-----w- C:\43d0bb7cb0f9cb5f4989df3f

2011-10-20 16:11 . 2011-10-20 16:11 -------- d-----w- C:\2bedf086674c462b549b9d94

2011-10-20 14:47 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2011-10-20 14:47 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys

2011-10-20 14:47 . 2011-08-17 13:49 138496 -c----w- c:\windows\system32\dllcache\afd.sys

2011-10-20 14:47 . 2010-08-26 13:39 357248 -c----w- c:\windows\system32\dllcache\srv.sys

2011-10-20 14:46 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2011-10-20 14:46 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2011-10-20 14:46 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2011-10-20 14:41 . 2011-10-20 18:30 -------- d-----w- c:\windows\ServicePackFiles

2011-10-20 14:35 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2011-10-20 14:33 . 2011-10-20 14:33 -------- d-----w- c:\program files\MSXML 4.0

2011-10-20 06:10 . 2011-10-20 18:15 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE

2011-10-20 05:51 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2011-10-20 05:47 . 2010-08-26 12:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-10-20 05:47 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2011-10-20 05:39 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe

2011-10-20 05:05 . 2010-03-05 14:37 65536 -c----w- c:\windows\system32\dllcache\asycfilt.dll

2011-10-20 02:55 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-10-19 02:54 . 2011-10-19 02:54 -------- d-----w- c:\documents and settings\Jeanie\Application Data\Malwarebytes

2011-10-19 02:54 . 2011-10-19 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-10-19 01:31 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2011-10-19 01:22 . 2011-10-21 14:42 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-10-19 01:22 . 2011-10-21 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-10-19 00:52 . 2011-10-19 00:52 -------- d--h--w- c:\windows\PIF

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-19 00:54 . 2011-09-19 00:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-06 01:04 . 2011-09-06 01:04 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-08-22 23:48 . 2004-08-03 22:56 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48 . 2004-08-03 22:56 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 23:48 . 2004-08-03 22:56 43520 ------w- c:\windows\system32\licmgr10.dll

2011-08-22 11:56 . 2004-08-03 20:59 385024 ------w- c:\windows\system32\html.iec

2011-08-17 13:49 . 2004-08-03 21:14 138496 ----a-w- c:\windows\system32\drivers\afd.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctODM3ODYxNTc0LVFJWDErNC1YMjAxMCsyLUZMMTArMS1TVVArNC1TUDFTNCsxLUREVCszNzQ2MC1ERDEwRisxLVNUMTBGQVBQKzEtUzEwRkRERisxLUYxME0xMkFOKzMzLUVVTEErMS1TVDEyRkFQUCsx&prod=90&ver=2012.0.1831&mid=2cccbc10033347d6b752d156a72a97eb-bc3170be152376071b4f2d39ba4007a4a92f770b" [?]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2007-09-18 14:16 171464 ----a-w- c:\program files\DAEMON Tools\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2007-09-05 23:13 166424 ----a-w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2007-09-05 23:13 141848 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2007-09-05 23:13 137752 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-05-27 16:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/19/2009 2:14 PM 685816]

R2 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [11/2/2010 12:58 PM 87888]

R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [12/21/2010 12:30 PM 105984]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys --> c:\windows\system32\drivers\AESTAud.sys [?]

S3 NWVMModem;Virgin Mobile USB Modem Driver;c:\windows\system32\drivers\nwvmmdm.sys [5/15/2009 2:34 PM 174720]

S3 NWVMPort;Virgin Mobile USB Status Port Driver;c:\windows\system32\drivers\nwvmser.sys [5/15/2009 2:34 PM 174720]

S3 NWVMPort2;Virgin Mobile USB Status2 Port Driver;c:\windows\system32\drivers\nwvmser2.sys [5/15/2009 2:34 PM 174720]

S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [3/19/2009 1:58 PM 160256]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Jeanie\Application Data\Mozilla\Firefox\Profiles\3gdrjfx7.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-21 10:56

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD2500BEVS-75UST0 rev.01.01A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

.

device: opened successfully

user: MBR read successfully

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x8AFF631B

user & kernel MBR OK

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(948)

c:\windows\system32\WININET.dll

.

- - - - - - - > 'lsass.exe'(1012)

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(3876)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\xpsp3res.dll

.

Completion time: 2011-10-21 11:00:50

ComboFix-quarantined-files.txt 2011-10-21 15:00

.

Pre-Run: 231,620,308,992 bytes free

Post-Run: 231,578,984,448 bytes free

.

Current=7 Default=7 Failed=6 LastKnownGood=9 Sets=1,2,3,4,5,6,7,8,9

- - End Of File - - AAAC5DBE2B73F585AC98D0E6B6631C35


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 25 October 2011 - 01:07 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything else while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you to get notified faster when I have replied and will make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double-click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine; if it does, click OK.
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
  • A window will open instructing you to save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both logs & post them in your next reply.

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** You may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

information and logs:

In your next post I need the following:

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 darnthemalware

  • Topic Starter
  • Members
  • 2 posts

Posted 25 October 2011 - 01:32 PM

Hello Gringo,

Thanks very much for taking time to reply. The computer that I was working on was needed for service a few days ago so I pushed forward and was able to clean off the remaining problems from the computer by doing more research on this site and trying a few additional cleanup tools. The tool that took care of the last real problem was Avast's aswMBR.exe. I apologize for not updating this thread after the computer was clean as I had intended.

This site and the efforts of yourself and the other experts here are an invaluable resource for those of us that try to fix malfested computers from time to time.

Thanks for all that you do,

Jonathan Poole

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 25 October 2011 - 06:28 PM

Thank you for letting me know.

gringo

#5 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 28 October 2011 - 12:09 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.