Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

zlob.azvf


  • This topic is locked This topic is locked
24 replies to this topic

#1 badgerfan64

badgerfan64

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 25 October 2011 - 10:02 PM

I was bad and downloaded and tried combofix since all the folks you helped had the same problem. I still have the zlob.azvf. AVG finds it but cannot get rid of it. Help please

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,958 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:36 PM

Posted 26 October 2011 - 01:37 AM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. Since you have run ComboFix, please include the ComboFix log in the new topic.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, include the information that you were unable to produce the other logs, include the ComboFix log, and describe what happens when you try to create the other logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 badgerfan64

badgerfan64
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 27 October 2011 - 10:13 PM

DDS:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Ann at 22:35:42 on 2011-10-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.738 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Motive\McciServiceHost.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [Win7_Upgrade] c:\documents and settings\ann\local settings\application data\dellwin7upgrade\Win7_Upgrade_Start.exe
mRun: [Desktop Disc Tool] "c:\program files\roxio\roxio burn\RoxioBurnLauncher.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
StartupFolder: c:\docume~1\ann\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: $TALISMA_URL$
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A09C0C59-A88D-4E7E-9E85-0960D9C4CF10} : DhcpNameServer = 192.168.1.254
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\8.0.1\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ann\application data\mozilla\firefox\profiles\bmyhqyt7.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://us.mg204.mail.yahoo.com/dc/launch?.partner=sbc&.gx=1&.rand=40gvld0lapk3m|http://att.my.yahoo.com/|http://www.facebook.com/?filter=app_2915120374#!/?ref=home
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbf7a7e&v=6.103.018.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - plugin: c:\documents and settings\ann\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 229840]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-12 5265248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2009-6-9 155648]
R2 McciServiceHost;McciServiceHost;c:\program files\common files\motive\McciServiceHost.exe [2010-11-12 315392]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\8.0.1\ToolbarUpdater.exe [2011-10-8 246600]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 74;74;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-4-28 1025352]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
=============== Created Last 30 ================
.
2011-10-21 22:56:26 -------- d-sha-r- C:\cmdcons
2011-10-21 22:53:34 98816 ----a-w- c:\windows\sed.exe
2011-10-21 22:53:34 518144 ----a-w- c:\windows\SWREG.exe
2011-10-21 22:53:34 256000 ----a-w- c:\windows\PEV.exe
2011-10-21 22:53:34 208896 ----a-w- c:\windows\MBR.exe
2011-10-08 23:04:39 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-08 22:19:38 -------- d-----w- c:\program files\common files\AVG Secure Search
2011-10-08 22:19:37 -------- d-----w- c:\program files\AVG Secure Search
.
==================== Find3M ====================
.
2011-10-15 17:56:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-13 10:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320418AS rev.CC45 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3320418AS_____________________________CC45____#5&1d516d0a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A456AEA
user & kernel MBR OK
sectors 625142446 (+255): user != kernel
.
============= FINISH: 22:42:15.18 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/6/2010 2:38:41 PM
System Uptime: 10/26/2011 6:03:54 PM (28 hours ago)
.
Motherboard: Dell Inc. | | 0U880P
Processor: Pentium® Dual-Core CPU E5400 @ 2.70GHz | CPU 1 | 2693/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 288 GiB total, 248.783 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 10/21/2011 7:32:22 AM - System Checkpoint
RP2: 10/22/2011 9:02:52 AM - System Checkpoint
RP3: 10/23/2011 11:37:51 AM - System Checkpoint
RP4: 10/24/2011 12:11:10 PM - System Checkpoint
RP5: 10/25/2011 2:05:35 PM - System Checkpoint
RP6: 10/26/2011 7:38:44 PM - System Checkpoint
RP7: 10/27/2011 9:05:19 PM - System Checkpoint
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.1)
Apple Application Support
Apple Software Update
AT&T Troubleshoot & Resolve Tool
AVG 2012
Compatibility Pack for the 2007 Office system
Consumer In-Home Service Agreement
Dell DataSafe Online
Dell Dock
Dell Driver Download Manager
Dell Driver Reset Tool
Dell Resource CD
Dell System Restore
FOX News Live Stream
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB968764)
Hotfix for Windows XP (KB970653-v3)
hp deskjet 5100
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
Intel® Graphics Media Accelerator Driver
Java™ 6 Update 16
Junk Mail filter update
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Windows Theme Ontario
Microsoft Works
Mozilla Firefox 7.0.1 (x86 en-US)
MSN
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB927977)
Octoshape add-in for Adobe Flash Player
PowerDVD DX
QuickTime
Realtek High Definition Audio Driver
Roxio Burn
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Office 2007 (KB934528)
Update for Office System 2007 Setup (KB929722)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Presentation Foundation
Windows Search 4.0
Wizard101
XML Paper Specification Shared Components Pack 1.0
Yahoo! BrowserPlus 2.9.8
.
==== Event Viewer Messages From Past Week ========
.
10/26/2011 5:04:53 PM, error: Service Control Manager [7023] - The 74 service terminated with the following error: The specified procedure could not be found.
10/25/2011 9:38:01 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
10/21/2011 6:20:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 Fips intelppm TfFsMon TfSysMon
10/20/2011 6:53:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
10/20/2011 1:56:39 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: TfFsMon TfSysMon
10/20/2011 1:56:36 AM, error: Service Control Manager [7000] - The hpdj service failed to start due to the following error: The system cannot find the file specified.
10/20/2011 1:50:45 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip TfFsMon TfSysMon
10/20/2011 1:50:45 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
10/20/2011 1:50:45 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/20/2011 1:50:45 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/20/2011 1:50:45 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
10/20/2011 1:50:38 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/20/2011 1:49:54 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/20/2011 1:49:50 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/20/2011 1:49:26 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
10/20/2011 1:49:26 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
.
==== End Of File ===========================


Rootkit:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-27 23:06:57
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3320418AS rev.CC45
Running: gmer.exe; Driver: C:\DOCUME~1\Ann\LOCALS~1\Temp\pwtdypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9B216F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9B216FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9B217080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9B21711C]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\dmio.sys entry point in ".rsrc" section [0xB9F45B14]
? C:\WINDOWS\system32\drivers\dmio.sys suspicious PE modification
? C:\DOCUME~1\Ann\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1164] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D9000A
.text C:\WINDOWS\System32\svchost.exe[1340] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DA000A
.text C:\WINDOWS\System32\svchost.exe[1340] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D8000C
.text C:\WINDOWS\System32\svchost.exe[1340] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0221000A
.text C:\WINDOWS\System32\svchost.exe[1340] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 02BB000A
.text C:\WINDOWS\System32\svchost.exe[1340] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 02BC000A
.text C:\WINDOWS\System32\svchost.exe[1340] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 01FA000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2416] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 012D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2416] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 012E000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2416] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 012C000C
.text C:\WINDOWS\Explorer.EXE[3040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DD000A
.text C:\WINDOWS\Explorer.EXE[3040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00EC000A
.text C:\WINDOWS\Explorer.EXE[3040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DC000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[16596] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 018DFAE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[22088] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 1069E349 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[22088] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 1069E2DB C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[22088] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104589A7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[22088] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10458F65 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A456AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A456AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8A456AEA

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat 98A3FD20

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3320418AS_____________________________CC45____#5&1d516d0a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\dmio.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 28 October 2011 - 10:54 AM.
Merged topics. ~ OB


#4 badgerfan64

badgerfan64
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 29 October 2011 - 05:55 PM

Just saw Orangeblossoms note about the Combofix log.

ComboFix 11-10-21.06 - Ann 10/21/2011 18:58:02.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1393 [GMT -4:00]
Running from: c:\documents and settings\Ann\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Ann\Application Data\Adobe\plugs
c:\documents and settings\Ann\Application Data\Adobe\shed
C:\Microsoft
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-09-21 to 2011-10-21 )))))))))))))))))))))))))))))))
.
.
2011-10-08 23:04 . 2011-10-21 11:28 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-08 22:19 . 2011-10-08 22:19 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2011-10-08 22:19 . 2011-10-08 22:19 -------- d-----w- c:\program files\AVG Secure Search
2011-09-25 22:28 . 2011-09-25 22:28 -------- d-----w- c:\documents and settings\Emily\Application Data\AVG2012
2011-09-25 22:28 . 2011-09-25 22:28 -------- d-----w- c:\documents and settings\Ann\Application Data\AVG2012
2011-09-25 22:27 . 2011-10-08 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-15 17:56 . 2011-08-18 00:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-13 10:30 . 2010-09-07 07:48 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-08-31 21:00 . 2010-12-05 17:52 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-08 10:08 . 2010-09-07 07:48 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-10-21 21:54 . 2011-03-25 22:49 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-09-01 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-09-01 13:16 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-09-01 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-09-01 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-04 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-04 150040]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-11 212992]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-07-27 1573888]
"Win7_Upgrade"="c:\documents and settings\Ann\Local Settings\Application Data\DellWin7Upgrade\Win7_Upgrade_Start.exe" [2009-08-26 475136]
"Desktop Disc Tool"="c:\program files\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-12-16 498160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-09-23 2404704]
.
c:\documents and settings\Emily\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\DELL\DellDock\DellDock.exe [2009-9-21 1316192]
.
c:\documents and settings\Ann\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\DELL\DellDock\DellDock.exe [2009-9-21 1316192]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\DELL\DellDock\DellDock.exe [2009-9-21 1316192]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Motive\\McciServiceHost.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 229840]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 3:49 AM 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [9/12/2011 6:23 AM 5265248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 DockLoginService;Dock Login Service;c:\program files\DELL\DellDock\DockLogin.exe [6/9/2009 12:11 PM 155648]
R2 McciServiceHost;McciServiceHost;c:\program files\Common Files\Motive\McciServiceHost.exe [11/12/2010 7:38 PM 315392]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [10/8/2011 6:19 PM 246600]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 16720]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [4/28/2011 7:31 PM 1025352]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-10-08 c:\windows\Tasks\HP DArC Task 2003-04-11 09:53ewlett-PackardHewlett-Packard Companyeskjet51002003-04-11 20:25Y38I3P2PF7A.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-11 20:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: $TALISMA_URL$
TCP: DhcpNameServer = 192.168.1.254
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\bmyhqyt7.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://us.mg204.mail.yahoo.com/dc/launch?.partner=sbc&.gx=1&.rand=40gvld0lapk3m|http://att.my.yahoo.com/|http://www.facebook.com/?filter=app_2915120374#!/?ref=home
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbf7a7e&v=6.103.018.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320418AS rev.CC45 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3320418AS_____________________________CC45____#5&1d516d0a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A451AEA
user & kernel MBR OK
sectors 625142446 (+255): user != kernel
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-10-21 19:12:55
ComboFix-quarantined-files.txt 2011-10-21 23:12
.
Pre-Run: 265,753,317,376 bytes free
Post-Run: 267,597,287,424 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - BD8E18E8F57BAB45A49DCFCEA3408FFB

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:36 PM

Posted 30 October 2011 - 08:10 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#6 badgerfan64

badgerfan64
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 30 October 2011 - 08:33 PM

Hi Mole,
I appreciate the help.

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:36 PM

Posted 30 October 2011 - 08:36 PM

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Please also run System Look

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    dmio.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Posted Image
m0le is a proud member of UNITE

#8 badgerfan64

badgerfan64
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 30 October 2011 - 09:17 PM

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-30 22:04:12
-----------------------------
22:04:12.843 OS Version: Windows 5.1.2600 Service Pack 3
22:04:12.843 Number of processors: 2 586 0x170A
22:04:12.843 ComputerName: MAINPC UserName: Ann
22:04:16.109 Initialize success
22:05:12.890 AVAST engine defs: 11103001
22:05:28.031 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
22:05:28.031 Disk 0 Vendor: ST3320418AS CC45 Size: 305245MB BusType: 3
22:05:28.031 Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3320418AS_____________________________CC45____#5&1d516d0a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
22:05:28.031 Device \Driver\atapi -> DriverStartIo 8a455aea
22:05:30.046 Disk 0 MBR read successfully
22:05:30.046 Disk 0 MBR scan
22:05:30.078 Disk 0 unknown MBR code
22:05:30.078 Disk 0 scanning sectors +625137345
22:05:30.140 Disk 0 scanning C:\WINDOWS\system32\drivers
22:05:35.437 File: C:\WINDOWS\system32\drivers\dmio.sys **INFECTED** Win32:Alureon-FZ
22:05:39.218 Service scanning
22:05:40.250 Modules scanning
22:05:43.296 Disk 0 trace - called modules:
22:05:43.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a455ec5]<<
22:05:43.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a53cab8]
22:05:43.312 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000069[0x8a5119e8]
22:05:43.312 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8a451940]
22:05:43.328 [0x8a511b28] -> IRP_MJ_CREATE -> 0x8a455ec5
22:05:50.046 AVAST engine scan C:\WINDOWS
22:05:59.671 AVAST engine scan C:\WINDOWS\system32
22:06:53.000 AVAST engine scan C:\WINDOWS\system32\drivers
22:06:57.656 File: C:\WINDOWS\system32\drivers\dmio.sys **INFECTED** Win32:Alureon-FZ
22:07:07.562 AVAST engine scan C:\Documents and Settings\Ann
22:09:59.234 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ann\Desktop\MBR.dat"
22:09:59.250 The log file has been saved successfully to "C:\Documents and Settings\Ann\Desktop\aswMBR.txt"





I can't run the other programs. They will download but not run.

#9 badgerfan64

badgerfan64
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 30 October 2011 - 09:43 PM

It says "Script required"

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:36 PM

Posted 31 October 2011 - 06:00 PM

I've not heard this before but it sounds like malicious intervention.

Please download and run Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#11 badgerfan64

badgerfan64
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 01 November 2011 - 08:49 AM

i will be away from my computer for a few days so I will not be able to do this until Friday or the weekend. Thanks for you help. I will post the logs when I return.

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:36 PM

Posted 01 November 2011 - 08:28 PM

Make sure that you update Combofix when it asks. :)
Posted Image
m0le is a proud member of UNITE

#13 badgerfan64

badgerfan64
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 03 November 2011 - 06:08 PM

I was able to run SystemLook. That log is first.

SystemLook 30.07.11 by jpshortstuff
Log created at 18:39 on 03/11/2011 by Ann
Administrator - Elevation successful

========== filefind ==========

Searching for "dmio.sys"
C:\WINDOWS\system32\drivers\dmio.sys --a---- 153344 bytes [16:16 25/04/2008] [12:00 14/04/2008] 7C824CF7BBDE77D95C08005717A95F6F

-= EOF =-


Here is the Combofix log:

ComboFix 11-11-03.05 - Ann 11/03/2011 18:53:10.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1462 [GMT -4:00]
Running from: c:\documents and settings\Ann\Desktop\ComFix.exe.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-03 to 2011-11-03 )))))))))))))))))))))))))))))))
.
.
2011-10-08 23:04 . 2011-10-26 22:04 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-08 22:19 . 2011-10-08 22:19 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2011-10-08 22:19 . 2011-10-08 22:19 -------- d-----w- c:\program files\AVG Secure Search
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-15 17:56 . 2011-08-18 00:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-07 10:23 . 2010-09-07 07:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 10:21 . 2010-08-20 01:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-13 10:30 . 2010-09-07 07:48 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-08-31 21:00 . 2010-12-05 17:52 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-08 10:08 . 2010-09-07 07:48 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-10-21 21:54 . 2011-03-25 22:49 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-21_23.09.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-03 20:29 . 2011-11-03 20:29 16384 c:\windows\temp\Perflib_Perfdata_288.dat
+ 2011-10-26 21:05 . 2011-10-27 03:05 2292 c:\windows\SoftwareDistribution\EventCache\{93247BF3-30AA-42E7-AE13-D01E46FCC67E}.bin
+ 2011-10-22 17:24 . 2011-10-22 22:25 2292 c:\windows\SoftwareDistribution\EventCache\{886C747C-9175-4285-90D0-520FC4114FBF}.bin
+ 2011-11-03 20:19 . 2011-11-03 20:19 4671488 c:\windows\Installer\1dc2b325.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-09-01 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-09-01 13:16 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-09-01 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-09-01 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-04 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-04 150040]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-11 212992]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-07-27 1573888]
"Win7_Upgrade"="c:\documents and settings\Ann\Local Settings\Application Data\DellWin7Upgrade\Win7_Upgrade_Start.exe" [2009-08-26 475136]
"Desktop Disc Tool"="c:\program files\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-12-16 498160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
.
c:\documents and settings\Emily\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\DELL\DellDock\DellDock.exe [2009-9-21 1316192]
.
c:\documents and settings\Ann\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\DELL\DellDock\DellDock.exe [2009-9-21 1316192]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\DELL\DellDock\DellDock.exe [2009-9-21 1316192]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\74]
@="service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Motive\\McciServiceHost.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 3:49 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 DockLoginService;Dock Login Service;c:\program files\DELL\DellDock\DockLogin.exe [6/9/2009 12:11 PM 155648]
R2 McciServiceHost;McciServiceHost;c:\program files\Common Files\Motive\McciServiceHost.exe [11/12/2010 7:38 PM 315392]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [10/8/2011 6:19 PM 246600]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 16720]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 74;74;c:\windows\system32\svchost.exe -k netsvcs [4/25/2008 12:16 PM 14336]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [4/28/2011 7:31 PM 1025352]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
74
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-10-08 c:\windows\Tasks\HP DArC Task 2003-04-11 09:53ewlett-PackardHewlett-Packard Companyeskjet51002003-04-11 20:25Y38I3P2PF7A.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-11 20:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: $TALISMA_URL$
TCP: DhcpNameServer = 192.168.1.254
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\bmyhqyt7.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://us.mg204.mail.yahoo.com/dc/launch?.partner=sbc&.gx=1&.rand=40gvld0lapk3m|http://att.my.yahoo.com/|http://www.facebook.com/?filter=app_2915120374#!/?ref=home
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbf7a7e&v=6.103.018.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-03 18:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\docume~1\Ann\LOCALS~1\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320418AS rev.CC45 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4A5EC5]<<
c:\docume~1\Ann\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88a88872; SUB DWORD [EBP-0x4], 0x88a8812e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A53AAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000069[0x8A53D3B8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A4A1D98]
[0x8A49B0D8] -> IRP_MJ_CREATE -> 0x8A4A5EC5
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3320418AS_____________________________CC45____#5&1d516d0a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4A5AEA
user & kernel MBR OK
sectors 625142446 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\74]
"servicedll"="\\.\globalroot\Device\HarddiskVolume2\DOCUME~1\Ann\LOCALS~1\temp\74.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(1992)
c:\program files\Common Files\Motive\McciContextHook_DSR.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-11-03 19:03:05
ComboFix-quarantined-files.txt 2011-11-03 23:02
ComboFix2.txt 2011-10-22 07:10
ComboFix3.txt 2011-10-22 04:30
ComboFix4.txt 2011-10-21 23:12
.
Pre-Run: 266,984,022,016 bytes free
Post-Run: 267,062,648,832 bytes free
.
- - End Of File - - 9D4BC9C5A019A821C192FFEB0E0405B2

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:36 PM

Posted 03 November 2011 - 07:20 PM

You have an infected file which has no backup available which makes it a bit more difficult to remove.

Please run TDSSKiller first though

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

Posted Image
m0le is a proud member of UNITE

#15 badgerfan64

badgerfan64
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 03 November 2011 - 07:41 PM

TDSSKiller log:

20:36:33.0140 3380 TDSS rootkit removing tool 2.6.15.0 Nov 3 2011 17:15:49
20:36:33.0515 3380 ============================================================
20:36:33.0515 3380 Current date / time: 2011/11/03 20:36:33.0515
20:36:33.0515 3380 SystemInfo:
20:36:33.0515 3380
20:36:33.0515 3380 OS Version: 5.1.2600 ServicePack: 3.0
20:36:33.0515 3380 Product type: Workstation
20:36:33.0515 3380 ComputerName: MAINPC
20:36:33.0515 3380 UserName: Ann
20:36:33.0515 3380 Windows directory: C:\WINDOWS
20:36:33.0515 3380 System windows directory: C:\WINDOWS
20:36:33.0515 3380 Processor architecture: Intel x86
20:36:33.0515 3380 Number of processors: 2
20:36:33.0515 3380 Page size: 0x1000
20:36:33.0515 3380 Boot type: Normal boot
20:36:33.0515 3380 ============================================================
20:36:34.0859 3380 Initialize success
20:36:46.0343 3356 ============================================================
20:36:46.0343 3356 Scan started
20:36:46.0343 3356 Mode: Manual;
20:36:46.0343 3356 ============================================================
20:36:46.0703 3356 Abiosdsk - ok
20:36:46.0734 3356 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
20:36:46.0750 3356 abp480n5 - ok
20:36:46.0765 3356 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:36:46.0765 3356 ACPI - ok
20:36:46.0781 3356 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:36:46.0781 3356 ACPIEC - ok
20:36:46.0796 3356 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
20:36:46.0796 3356 adpu160m - ok
20:36:46.0828 3356 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:36:46.0828 3356 aec - ok
20:36:46.0843 3356 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
20:36:46.0859 3356 AFD - ok
20:36:46.0890 3356 AFS2K (b34b1ab0a7690a0e2301fec6d17b2fc1) C:\WINDOWS\system32\drivers\AFS2K.sys
20:36:47.0093 3356 AFS2K - ok
20:36:47.0187 3356 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
20:36:47.0187 3356 agp440 - ok
20:36:47.0203 3356 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
20:36:47.0203 3356 agpCPQ - ok
20:36:47.0218 3356 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
20:36:47.0218 3356 Aha154x - ok
20:36:47.0218 3356 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
20:36:47.0218 3356 aic78u2 - ok
20:36:47.0234 3356 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
20:36:47.0234 3356 aic78xx - ok
20:36:47.0250 3356 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
20:36:47.0250 3356 AliIde - ok
20:36:47.0250 3356 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
20:36:47.0265 3356 alim1541 - ok
20:36:47.0265 3356 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
20:36:47.0265 3356 amdagp - ok
20:36:47.0281 3356 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
20:36:47.0281 3356 amsint - ok
20:36:47.0281 3356 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
20:36:47.0281 3356 asc - ok
20:36:47.0296 3356 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
20:36:47.0296 3356 asc3350p - ok
20:36:47.0312 3356 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
20:36:47.0312 3356 asc3550 - ok
20:36:47.0359 3356 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:36:47.0359 3356 AsyncMac - ok
20:36:47.0406 3356 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:36:47.0406 3356 atapi - ok
20:36:47.0406 3356 Atdisk - ok
20:36:47.0406 3356 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:36:47.0421 3356 Atmarpc - ok
20:36:47.0437 3356 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:36:47.0437 3356 audstub - ok
20:36:47.0468 3356 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
20:36:47.0484 3356 AVGIDSDriver - ok
20:36:47.0484 3356 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
20:36:47.0484 3356 AVGIDSEH - ok
20:36:47.0500 3356 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
20:36:47.0500 3356 AVGIDSFilter - ok
20:36:47.0531 3356 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
20:36:47.0531 3356 AVGIDSShim - ok
20:36:47.0546 3356 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
20:36:47.0546 3356 Avgldx86 - ok
20:36:47.0546 3356 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
20:36:47.0546 3356 Avgmfx86 - ok
20:36:47.0562 3356 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
20:36:47.0562 3356 Avgrkx86 - ok
20:36:47.0578 3356 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
20:36:47.0578 3356 Avgtdix - ok
20:36:47.0593 3356 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:36:47.0593 3356 Beep - ok
20:36:47.0718 3356 catchme - ok
20:36:47.0765 3356 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
20:36:47.0765 3356 cbidf - ok
20:36:47.0781 3356 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:36:47.0781 3356 cbidf2k - ok
20:36:47.0781 3356 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
20:36:47.0796 3356 cd20xrnt - ok
20:36:47.0796 3356 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:36:47.0796 3356 Cdaudio - ok
20:36:47.0812 3356 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:36:47.0812 3356 Cdfs - ok
20:36:47.0828 3356 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:36:47.0828 3356 Cdrom - ok
20:36:47.0828 3356 Changer - ok
20:36:47.0875 3356 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
20:36:47.0875 3356 CmdIde - ok
20:36:47.0921 3356 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
20:36:47.0921 3356 Cpqarray - ok
20:36:47.0968 3356 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
20:36:47.0968 3356 dac2w2k - ok
20:36:48.0000 3356 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
20:36:48.0000 3356 dac960nt - ok
20:36:48.0015 3356 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:36:48.0015 3356 Disk - ok
20:36:48.0031 3356 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:36:48.0031 3356 dmboot - ok
20:36:48.0046 3356 dmio (7a7a55ed721f228b320ae5eecd6a638c) C:\WINDOWS\system32\drivers\dmio.sys
20:36:48.0046 3356 Suspicious file (Forged): C:\WINDOWS\system32\drivers\dmio.sys. Real md5: 7a7a55ed721f228b320ae5eecd6a638c, Fake md5: 7c824cf7bbde77d95c08005717a95f6f
20:36:48.0046 3356 dmio ( Rootkit.Win32.TDSS.tdl3 ) - infected
20:36:48.0046 3356 dmio - detected Rootkit.Win32.TDSS.tdl3 (0)
20:36:48.0046 3356 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:36:48.0046 3356 dmload - ok
20:36:48.0093 3356 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:36:48.0093 3356 DMusic - ok
20:36:48.0109 3356 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
20:36:48.0109 3356 dpti2o - ok
20:36:48.0125 3356 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:36:48.0125 3356 drmkaud - ok
20:36:48.0171 3356 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:36:48.0171 3356 Fastfat - ok
20:36:48.0187 3356 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:36:48.0187 3356 Fdc - ok
20:36:48.0203 3356 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:36:48.0203 3356 Fips - ok
20:36:48.0218 3356 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
20:36:48.0218 3356 Flpydisk - ok
20:36:48.0234 3356 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:36:48.0234 3356 FltMgr - ok
20:36:48.0265 3356 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:36:48.0265 3356 Fs_Rec - ok
20:36:48.0281 3356 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:36:48.0296 3356 Ftdisk - ok
20:36:48.0328 3356 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:36:48.0328 3356 Gpc - ok
20:36:48.0343 3356 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:36:48.0343 3356 HDAudBus - ok
20:36:48.0359 3356 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:36:48.0359 3356 hidusb - ok
20:36:48.0375 3356 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
20:36:48.0375 3356 hpn - ok
20:36:48.0406 3356 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
20:36:48.0421 3356 HTTP - ok
20:36:48.0421 3356 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
20:36:48.0421 3356 i2omgmt - ok
20:36:48.0437 3356 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
20:36:48.0437 3356 i2omp - ok
20:36:48.0562 3356 ialm (66a685b05066683621920bc14a45cfe8) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
20:36:48.0593 3356 ialm - ok
20:36:48.0609 3356 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:36:48.0609 3356 Imapi - ok
20:36:48.0625 3356 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
20:36:48.0625 3356 ini910u - ok
20:36:48.0734 3356 IntcAzAudAddService (2feb5bf0312e1cb76cd2caa875cbaa5d) C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:36:48.0765 3356 IntcAzAudAddService - ok
20:36:48.0765 3356 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
20:36:48.0781 3356 IntelIde - ok
20:36:48.0796 3356 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:36:48.0796 3356 intelppm - ok
20:36:48.0796 3356 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:36:48.0812 3356 Ip6Fw - ok
20:36:48.0812 3356 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:36:48.0812 3356 IpFilterDriver - ok
20:36:48.0812 3356 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:36:48.0828 3356 IpInIp - ok
20:36:48.0828 3356 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:36:48.0828 3356 IpNat - ok
20:36:48.0843 3356 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:36:48.0843 3356 IPSec - ok
20:36:48.0843 3356 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:36:48.0843 3356 IRENUM - ok
20:36:48.0875 3356 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:36:48.0875 3356 isapnp - ok
20:36:48.0890 3356 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:36:48.0890 3356 Kbdclass - ok
20:36:48.0890 3356 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:36:48.0890 3356 kbdhid - ok
20:36:48.0906 3356 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:36:48.0906 3356 kmixer - ok
20:36:48.0921 3356 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:36:48.0921 3356 KSecDD - ok
20:36:48.0937 3356 lbrtfdc - ok
20:36:48.0968 3356 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:36:48.0968 3356 mnmdd - ok
20:36:49.0000 3356 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:36:49.0000 3356 Modem - ok
20:36:49.0000 3356 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:36:49.0000 3356 Mouclass - ok
20:36:49.0015 3356 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:36:49.0015 3356 mouhid - ok
20:36:49.0031 3356 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:36:49.0031 3356 MountMgr - ok
20:36:49.0046 3356 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
20:36:49.0046 3356 mraid35x - ok
20:36:49.0140 3356 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
20:36:49.0343 3356 MREMP50 - ok
20:36:49.0390 3356 MREMPR5 - ok
20:36:49.0390 3356 MRENDIS5 - ok
20:36:49.0406 3356 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
20:36:49.0421 3356 MRESP50 - ok
20:36:49.0515 3356 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:36:49.0515 3356 MRxDAV - ok
20:36:49.0546 3356 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:36:49.0546 3356 MRxSmb - ok
20:36:49.0562 3356 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:36:49.0562 3356 Msfs - ok
20:36:49.0593 3356 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:36:49.0593 3356 MSKSSRV - ok
20:36:49.0593 3356 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:36:49.0593 3356 MSPCLOCK - ok
20:36:49.0609 3356 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:36:49.0609 3356 MSPQM - ok
20:36:49.0625 3356 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:36:49.0625 3356 mssmbios - ok
20:36:49.0625 3356 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
20:36:49.0640 3356 Mup - ok
20:36:49.0640 3356 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:36:49.0640 3356 NDIS - ok
20:36:49.0656 3356 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:36:49.0656 3356 NdisTapi - ok
20:36:49.0671 3356 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:36:49.0671 3356 Ndisuio - ok
20:36:49.0671 3356 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:36:49.0671 3356 NdisWan - ok
20:36:49.0687 3356 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
20:36:49.0687 3356 NDProxy - ok
20:36:49.0687 3356 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:36:49.0687 3356 NetBIOS - ok
20:36:49.0703 3356 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:36:49.0703 3356 NetBT - ok
20:36:49.0734 3356 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:36:49.0734 3356 Npfs - ok
20:36:49.0781 3356 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:36:49.0781 3356 Ntfs - ok
20:36:49.0796 3356 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:36:49.0796 3356 Null - ok
20:36:49.0812 3356 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:36:49.0812 3356 NwlnkFlt - ok
20:36:49.0812 3356 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:36:49.0812 3356 NwlnkFwd - ok
20:36:49.0843 3356 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
20:36:49.0843 3356 Parport - ok
20:36:49.0875 3356 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:36:49.0875 3356 PartMgr - ok
20:36:49.0890 3356 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:36:49.0890 3356 ParVdm - ok
20:36:49.0890 3356 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:36:49.0890 3356 PCI - ok
20:36:49.0906 3356 PCIDump - ok
20:36:49.0921 3356 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:36:49.0921 3356 PCIIde - ok
20:36:49.0937 3356 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:36:49.0937 3356 Pcmcia - ok
20:36:49.0937 3356 PDCOMP - ok
20:36:49.0953 3356 PDFRAME - ok
20:36:49.0953 3356 PDRELI - ok
20:36:49.0968 3356 PDRFRAME - ok
20:36:49.0968 3356 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
20:36:49.0968 3356 perc2 - ok
20:36:49.0984 3356 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
20:36:49.0984 3356 perc2hib - ok
20:36:50.0031 3356 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:36:50.0031 3356 PptpMiniport - ok
20:36:50.0031 3356 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:36:50.0031 3356 PSched - ok
20:36:50.0046 3356 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:36:50.0046 3356 Ptilink - ok
20:36:50.0062 3356 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:36:50.0062 3356 PxHelp20 - ok
20:36:50.0078 3356 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
20:36:50.0078 3356 ql1080 - ok
20:36:50.0093 3356 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
20:36:50.0093 3356 Ql10wnt - ok
20:36:50.0093 3356 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
20:36:50.0093 3356 ql12160 - ok
20:36:50.0109 3356 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
20:36:50.0109 3356 ql1240 - ok
20:36:50.0109 3356 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
20:36:50.0109 3356 ql1280 - ok
20:36:50.0125 3356 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:36:50.0125 3356 RasAcd - ok
20:36:50.0140 3356 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:36:50.0140 3356 Rasl2tp - ok
20:36:50.0140 3356 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:36:50.0140 3356 RasPppoe - ok
20:36:50.0156 3356 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:36:50.0156 3356 Raspti - ok
20:36:50.0171 3356 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:36:50.0171 3356 Rdbss - ok
20:36:50.0203 3356 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:36:50.0203 3356 RDPCDD - ok
20:36:50.0203 3356 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:36:50.0203 3356 rdpdr - ok
20:36:50.0234 3356 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
20:36:50.0234 3356 RDPWD - ok
20:36:50.0234 3356 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:36:50.0250 3356 redbook - ok
20:36:50.0296 3356 RTLE8023xp (839141088ad7ee90f5b441b2d1afd22c) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
20:36:50.0296 3356 RTLE8023xp - ok
20:36:50.0312 3356 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:36:50.0328 3356 Secdrv - ok
20:36:50.0343 3356 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
20:36:50.0343 3356 Serial - ok
20:36:50.0375 3356 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:36:50.0375 3356 Sfloppy - ok
20:36:50.0375 3356 Simbad - ok
20:36:50.0390 3356 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
20:36:50.0390 3356 sisagp - ok
20:36:50.0421 3356 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
20:36:50.0421 3356 Sparrow - ok
20:36:50.0468 3356 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:36:50.0468 3356 splitter - ok
20:36:50.0484 3356 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:36:50.0484 3356 sr - ok
20:36:50.0500 3356 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
20:36:50.0500 3356 Srv - ok
20:36:50.0515 3356 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:36:50.0515 3356 swenum - ok
20:36:50.0515 3356 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:36:50.0515 3356 swmidi - ok
20:36:50.0531 3356 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
20:36:50.0546 3356 symc810 - ok
20:36:50.0546 3356 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
20:36:50.0546 3356 symc8xx - ok
20:36:50.0562 3356 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
20:36:50.0562 3356 sym_hi - ok
20:36:50.0578 3356 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
20:36:50.0578 3356 sym_u3 - ok
20:36:50.0593 3356 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:36:50.0593 3356 sysaudio - ok
20:36:50.0609 3356 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:36:50.0625 3356 Tcpip - ok
20:36:50.0640 3356 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:36:50.0640 3356 TDPIPE - ok
20:36:50.0640 3356 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:36:50.0640 3356 TDTCP - ok
20:36:50.0671 3356 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:36:50.0671 3356 TermDD - ok
20:36:50.0687 3356 TfFsMon - ok
20:36:50.0687 3356 TfNetMon - ok
20:36:50.0703 3356 TfSysMon - ok
20:36:50.0765 3356 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
20:36:50.0765 3356 TosIde - ok
20:36:50.0781 3356 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:36:50.0781 3356 Udfs - ok
20:36:50.0812 3356 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
20:36:50.0812 3356 ultra - ok
20:36:50.0812 3356 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:36:50.0828 3356 Update - ok
20:36:50.0875 3356 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:36:50.0875 3356 usbccgp - ok
20:36:50.0906 3356 usbehci (4bac8df07f1d8434fc640e677a62204e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:36:50.0906 3356 usbehci - ok
20:36:50.0921 3356 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:36:50.0921 3356 usbhub - ok
20:36:50.0953 3356 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:36:50.0953 3356 usbprint - ok
20:36:50.0984 3356 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:36:50.0984 3356 usbscan - ok
20:36:51.0015 3356 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:36:51.0015 3356 USBSTOR - ok
20:36:51.0015 3356 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:36:51.0015 3356 usbuhci - ok
20:36:51.0046 3356 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:36:51.0046 3356 VgaSave - ok
20:36:51.0078 3356 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
20:36:51.0078 3356 viaagp - ok
20:36:51.0078 3356 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
20:36:51.0078 3356 ViaIde - ok
20:36:51.0109 3356 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:36:51.0109 3356 VolSnap - ok
20:36:51.0140 3356 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:36:51.0140 3356 Wanarp - ok
20:36:51.0140 3356 WDICA - ok
20:36:51.0187 3356 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:36:51.0187 3356 wdmaud - ok
20:36:51.0203 3356 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
20:36:51.0203 3356 WmiAcpi - ok
20:36:51.0218 3356 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
20:36:51.0218 3356 WS2IFSL - ok
20:36:51.0250 3356 MBR (0x1B8) (7b53936afa31aa818ddee1f13c3004e3) \Device\Harddisk0\DR0
20:36:51.0265 3356 \Device\Harddisk0\DR0 - ok
20:36:51.0281 3356 Boot (0x1200) (1ca5104c5c7f7f17be5f58b2232bccf7) \Device\Harddisk0\DR0\Partition0
20:36:51.0296 3356 \Device\Harddisk0\DR0\Partition0 - ok
20:36:51.0296 3356 ============================================================
20:36:51.0296 3356 Scan finished
20:36:51.0296 3356 ============================================================
20:36:51.0296 7432 Detected object count: 1
20:36:51.0296 7432 Actual detected object count: 1
20:37:19.0718 7432 Backup copy found, using it..
20:37:19.0734 7432 C:\WINDOWS\system32\drivers\dmio.sys - will be cured on reboot
20:37:19.0734 7432 dmio ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure
20:37:32.0750 5100 Deinitialize success




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users