Infected with Trojans, registry value changes & Rootkit

#1 stijpn2012


Posted 07 January 2012 - 06:21 AM

My laptop is an HP EliteBook 8440p and I'm using Windows 7.

Every time I start my PC I get a pop-up. I usually go to the Task Manager to end the task.

I ran Malwarebytes Anti-Malware and it found some Trojans, which I put into quarantine, but the pop-up keeps coming back on startup.

Here is the Malwarebytes log:

Malwarebytes Anti-Malware

Database version: v2012.01.07.01

Windows 7 Service Pack 1 x86
Internet Explorer 9.0.8112.16421
bbailey :: RN-LT1 [administrator]

1/7/2012 7:23:08 PM
mbam-log-2012-01-07 (19-23-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219062
Time elapsed: 6 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SystemBootNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS (Trojan.PMovie) -> Data: C:\Users\bbailey\UserProfile\SystemBoot.lnk -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|RegWriteNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS (Trojan.PMovie) -> Data: C:\Users\bbailey\SoftRecovery\RegWrite.lnk -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\bbailey\UserProfile\SystemBoot.lnk (Trojan.PMovie) -> Quarantined and deleted successfully.
C:\Users\bbailey\SoftRecovery\RegWrite.lnk (Trojan.PMovie) -> Quarantined and deleted successfully.


Here is the DDS.txt report:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by bbailey at 12:38:31 on 2012-01-07
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2991.1484 [GMT 9:00]
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
============== Running Processes ===============
C:\windows\system32\svchost.exe -k DcomLaunch
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe
C:\Program Files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe
c:\Program Files\Hewlett-Packard\HP FastLook\HPDayStarterService.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Synaptics\Scrybe\Service\ScrybeUpdater.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\windows\system32\svchost.exe -k bthsvcs
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Synaptics\Scrybe\scrybe.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe
C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ninemsn.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: HP ProtectTools Security Manager Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\hewlett-packard\hp protecttools security manager\bin\DpOtsPluginIe8.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SystemBootNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS] c:\users\bbailey\userprofile\SystemBoot.lnk
uRun: [RegWriteNQtdP6TDS6cn0vSDlYFgIHWxSydqQbiS] c:\users\bbailey\softrecovery\RegWrite.lnk
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HPPowerAssistant] c:\program files\hewlett-packard\hp power assistant\delayedappstarter.exe 120 c:\program files\hewlett-packard\hp power assistant\HPPA_Main.exe /hidden
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\scrybe.lnk - c:\windows\installer\{147dfad8-34c3-4de1-9fca-acefde9ef810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 3 (0x3)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
DPF: {4E1318B0-53F0-4274-99FB-F5621625340D} - hxxp://rdnariw2k302/installOperaPrintCtrl.exe
DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - hxxp://rdnariw2k302/installregterm.exe
TCP: DhcpNameServer =
TCP: Interfaces\{888A9A23-66C1-4CA7-A1F1-594ABA3CD94D}\241696C65697 : DhcpNameServer =
TCP: Interfaces\{F839DFF8-444A-4499-9279-19F3E7C857C4} : DhcpNameServer =
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = DPPassFilter scecli
============= SERVICES / DRIVERS ===============
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2009-11-12 51800]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2009-11-12 13256]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl4fd6ae79;MpKsl4fd6ae79;c:\programdata\microsoft\microsoft antimalware\definition updates\{8ee70109-a304-411b-9d31-b0513d466f96}\MpKsl4fd6ae79.sys [2012-1-7 29904]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2009-11-12 40088]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-23 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\hewlett-packard\hp power assistant\HPPA_Service.exe [2011-8-17 133176]
R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\2009 password filter for hp protecttools\PTChangeFilterService.exe [2010-10-19 32768]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2011-6-21 85560]
R2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\hewlett-packard\hp skyroom\Hp.Skyroom.Windows.Service.exe [2009-11-21 124984]
R2 HPDayStarterService;HP DayStarter Service;c:\program files\hewlett-packard\hp fastlook\HPDayStarterService.exe [2010-7-13 95800]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-7-5 227384]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2009-11-12 277096]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2011-3-15 26168]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2012-1-6 94880]
R2 rgsender;Remote Graphics Sender Service;c:\program files\hewlett-packard\hp skyroom\remote graphics sender\rgsendersvc.exe [2011-1-3 379904]
R2 ScrybeUpdater;Scrybe Updater;c:\program files\synaptics\scrybe\service\ScrybeUpdater.exe [2011-5-27 1300264]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-4-21 2477304]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-1-3 2320920]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-1-3 29472]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-9-15 228408]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2011-5-27 224424]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-8 106104]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-2-27 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-2-4 232960]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2011-12-29 7435264]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2010-9-15 49152]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-15 136176]
S2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-9-15 48640]
S2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-9-15 47616]
S2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-9-15 38912]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-10-22 1639728]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-15 136176]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2011-5-27 6758912]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-11-24 52224]
=============== Created Last 30 ================
2012-01-07 02:33:15 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8ee70109-a304-411b-9d31-b0513d466f96}\MpKsl4fd6ae79.sys
2012-01-07 02:33:07 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8ee70109-a304-411b-9d31-b0513d466f96}\offreg.dll
2012-01-07 02:33:00 6823496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8ee70109-a304-411b-9d31-b0513d466f96}\mpengine.dll
2012-01-07 00:25:58 -------- d-----w- c:\program files\ESET
2012-01-06 23:50:02 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-06 23:50:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-06 23:33:47 -------- d-sh--w- C:\$RECYCLE.BIN
2012-01-06 21:59:03 -------- d-----w- c:\users\bbailey\appdata\roaming\SUPERAntiSpyware.com
2012-01-06 21:58:18 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-06 21:58:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-06 21:21:55 703824 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1ce3a957-3bfd-460b-b4f1-11e9c2dbca6d}\gapaengine.dll
2012-01-06 21:20:55 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-06 14:24:08 -------- d-----w- c:\program files\iPod
2012-01-06 14:24:07 -------- d-----w- c:\program files\iTunes
2012-01-06 14:20:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-01-06 14:20:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-01-06 14:20:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-01-06 14:20:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-01-06 14:20:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-01-06 14:20:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-01-06 14:20:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2012-01-06 09:28:18 -------- d-----w- c:\programdata\AVAST Software
2012-01-06 09:28:18 -------- d-----w- c:\program files\AVAST Software
2012-01-05 23:47:14 -------- d-----w- c:\users\bbailey\appdata\roaming\GlarySoft
2012-01-05 23:32:20 -------- d-----w- c:\windows\pss
2012-01-05 23:06:52 -------- d-----w- c:\program files\WinASO
2012-01-05 21:56:10 -------- d-----w- c:\program files\common files\McAfee
2012-01-05 21:56:05 -------- d-----w- c:\program files\McAfee
2012-01-05 19:56:33 -------- d-----w- c:\users\bbailey\appdata\local\Apps
2012-01-05 13:15:46 -------- d-----w- C:\HP_RECOVERY_mountHPSF
2012-01-05 04:30:31 -------- d-----w- C:\a4a5b20479313b238579215fc2
2012-01-02 23:43:29 -------- d-----w- c:\program files\PC Tools Security
2012-01-02 23:41:32 -------- d-----w- c:\programdata\PC Tools
2012-01-02 03:59:38 -------- d-----w- c:\users\bbailey\appdata\roaming\IObit
2012-01-02 03:59:33 -------- d-----w- c:\program files\IObit
2012-01-02 03:35:01 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2012-01-02 03:34:52 -------- d-----w- c:\program files\SpywareBlaster
2012-01-02 01:55:44 -------- d-----w- c:\users\bbailey\appdata\roaming\Malwarebytes
2012-01-02 01:55:35 -------- d-----w- c:\programdata\Malwarebytes
2011-12-31 09:36:11 -------- d-----w- c:\users\bbailey\appdata\roaming\Synaptics
2011-12-30 23:39:52 -------- d-----w- c:\users\bbailey\appdata\local\PokerStars
2011-12-30 23:38:09 -------- d-----w- c:\program files\PokerStars
2011-12-30 23:02:37 -------- d-----w- c:\programdata\Synaptics
2011-12-30 23:02:28 218408 ----a-w- c:\windows\system32\SynCtrl.dll
2011-12-30 23:02:27 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
2011-12-30 23:02:27 1335472 ----a-w- c:\windows\system32\drivers\SynTP.sys
2011-12-30 23:02:27 120104 ----a-w- c:\windows\system32\SynTPCo9.dll
2011-12-29 03:50:18 -------- d-----w- c:\users\bbailey\appdata\local\Roxio
2011-12-28 20:05:26 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-28 20:05:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-28 19:41:26 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2011-12-28 19:37:44 -------- d-----w- c:\program files\Panicware
2011-12-28 19:19:05 5943120 ------w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-12-28 19:18:59 6823496 ------w- c:\programdata\microsoft\windows defender\definition updates\{4a3e672d-babd-445d-b812-5178a4ef8919}\mpengine.dll
2011-12-28 19:18:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-28 16:24:22 -------- d-----w- c:\users\bbailey\appdata\local\Downloaded Installations
2011-12-28 16:22:00 -------- d-----w- c:\program files\common files\Portrait Displays
2011-12-28 16:21:09 -------- d-----w- c:\users\bbailey\appdata\roaming\Hewlett-Packard Company
2011-12-28 16:18:37 7435264 ----a-w- c:\windows\system32\drivers\NETwNs32.sys
2011-12-28 16:18:36 684032 ----a-w- c:\windows\system32\NETwNc32.dll
2011-12-28 16:18:36 2760704 ----a-w- c:\windows\system32\NETwNr32.dll
2011-12-28 16:17:03 -------- d-----w- c:\programdata\Uninstall
2011-12-28 14:31:05 -------- d-----w- c:\users\bbailey\appdata\local\ElevatedDiagnostics
2011-12-27 23:23:04 -------- d-----w- c:\users\bbailey\appdata\roaming\SumatraPDF
2011-12-27 23:22:49 -------- d-----w- c:\users\bbailey\appdata\roaming\Babylon
2011-12-27 23:22:49 -------- d-----w- c:\users\bbailey\appdata\local\Babylon
2011-12-27 23:22:49 -------- d-----w- c:\programdata\Babylon
2011-12-27 23:04:58 -------- d--h--w- c:\users\bbailey\UserProfile
2011-12-27 23:04:58 -------- d--h--w- c:\users\bbailey\SoftRecovery
2011-12-15 06:11:44 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-15 06:10:06 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-15 06:08:28 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-15 06:08:28 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
==================== Find3M ====================
2011-12-05 03:07:56 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-24 09:28:44 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-11-16 13:32:33 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-26 04:28:12 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-24 05:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 05:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: WDC_WD25 rev.03.0 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: >>UNKNOWN [0x82C3D000]<< >>UNKNOWN [0x8BA66000]<< >>UNKNOWN [0x8C7BE000]<< >>UNKNOWN [0x8C783000]<< >>UNKNOWN [0x82C06000]<<
1 ntkrnlpa!IofCallDriver[0x82C7452A] -> \Device\Harddisk0\DR0[0x877EB030]
\Driver\Disk[0x877E9A30] -> IRP_MJ_CREATE -> 0x8BA6A39F
3 [0x8BA6A59E] -> ntkrnlpa!IofCallDriver[0x82C7452A] -> [0x877EAC48]
\Driver\hpdskflt[0x8779BAB8] -> IRP_MJ_CREATE -> 0x8C785056
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 12:39:47.60 ===============

Here is the Attach.txt file
Attached file: Attach.txt (20.47 KB)

And here is the ark.txt file
Attached file: ark.txt (14.13 KB)

I have tried to follow the guides and logs from this site, but I can't seem to get rid of the damn things.

Many Thanks
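The two Run values MBAM flagged above do not start a program directly: each points at a .lnk shortcut (SystemBoot.lnk, RegWrite.lnk) sitting in a hidden folder under the user profile (the UserProfile and SoftRecovery directories show the d--h--w- attribute in the "Created Last 30" section). A shortcut is only a launcher, so a responder wants to know what the .lnk actually ran before the shortcut and its Run value are quarantined. The following script is an added example, not code from the original post or from the forum's tools: it walks the per-user (DDS "uRun", HKCU) and per-machine (DDS "mRun", HKLM) Run/RunOnce keys, resolves any .lnk entries through the WScript.Shell COM object, and flags entries with the traits seen in this log. The function names Split-CommandLine and Resolve-AutorunEntry are assumptions for this example. Run it as the affected user, since HKCU entries are per user.

```powershell
# Added example (not from the thread): enumerate Run/RunOnce autostart values for
# the current user and the machine, resolve any .lnk launchers to what they
# actually start, and flag the traits seen in the log above: a .lnk as the
# autostart target and a hidden parent folder. Run as the affected user
# (HKCU entries are per user) from an elevated PowerShell 2.0 or later.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$wsh = New-Object -ComObject WScript.Shell

function Split-CommandLine {
    # Separate the executable/shortcut path from its arguments. Both quoted
    # ("c:\path with spaces\x.exe" -flag) and bare (c:\x.exe /Start) forms occur.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"\s*(.*)$') {
        return @($matches[1], $matches[2])
    }
    $parts = $CommandLine.Trim() -split '\s+', 2
    if ($parts.Count -gt 1) { return @($parts[0], $parts[1]) }
    return @($parts[0], '')
}

function Resolve-AutorunEntry {
    param([string]$Key, [string]$Name, [string]$Data)

    $exe, $argString = Split-CommandLine $Data
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    $entry = New-Object PSObject -Property @{
        Key = $Key; Name = $Name; Data = $Data
        Launcher = $exe; Target = $null; Arguments = $argString
        IsShortcut = ($exe -match '\.lnk$'); Exists = $false; HiddenDir = $false
    }

    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $entry.Exists = $true
        $dir = Split-Path -Parent $exe
        $attrs = (Get-Item -LiteralPath $dir -Force).Attributes
        $entry.HiddenDir = (($attrs -band [IO.FileAttributes]::Hidden) -ne 0)
        if ($entry.IsShortcut) {
            # WScript.Shell parses the Shell Link file and exposes the real target;
            # deleting the .lnk alone leaves that file in place.
            $lnk = $wsh.CreateShortcut($exe)
            $entry.Target = $lnk.TargetPath
            if ($lnk.Arguments) { $entry.Arguments = $lnk.Arguments }
        } else {
            $entry.Target = $exe
        }
    }
    return $entry
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, PSProvider ...
        Resolve-AutorunEntry -Key $key -Name $prop.Name -Data ([string]$prop.Value)
    }
}

$entries | Format-Table Name, Launcher, Target, Exists, IsShortcut, HiddenDir -AutoSize

# Anything launched through a shortcut, living in a hidden folder, or whose file
# is already missing deserves a look. Record the target before quarantining anything.
$entries | Where-Object { $_.IsShortcut -or $_.HiddenDir -or -not $_.Exists } | ForEach-Object {
    "REVIEW: {0}\{1} = {2}`n        runs: {3} {4}" -f $_.Key, $_.Name, $_.Data, $_.Target, $_.Arguments
}
```

Once a .lnk resolves to its target, hash that file and check whether it still exists and still has a launcher elsewhere (other users' hives, scheduled tasks, services); a Run value that has already been deleted by a scanner shows up here only if the scanner left the shortcut behind, which is why this check is best run before quarantining, or against the quarantine copy.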

#2 gringo_pr


  • Malware Response Team

Posted 12 January 2012 - 02:06 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!

Click on the Watch Topic button, select Immediate Notification and click Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Multiple Anti-Virus programs:

It looks like you are operating your computer with multiple anti-virus programs running in memory at once:

AV: Microsoft Security Essentials
AV: Symantec Endpoint Protection

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove all but one of them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
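The "AV:" lines at the top of the DDS report come from the products registered with Windows Security Center, and the DDS process list confirms that both engines (MsMpEng.exe for Microsoft Security Essentials and Rtvscan.exe for Symantec Endpoint Protection) are loaded at the same time. The script below is an added example, not code from Gringo's post or from DDS: it queries the same Security Center registration directly and warns when more than one product reports real-time protection as enabled. Microsoft does not document the productState field; the bit layout used here is the commonly used community interpretation and is an assumption to confirm against each product's own UI. The function name Get-RegisteredAV is also an assumption for this example.

```powershell
# Added example (not from the thread): list the anti-virus products registered
# with Windows Security Center, the same registration DDS summarises in its AV:
# lines, and warn when more than one reports real-time protection as enabled.
# Vista/7 and later expose this in root\SecurityCenter2; XP used root\SecurityCenter
# with a different schema, so this script does not cover XP.

function Get-RegisteredAV {
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction Stop
    foreach ($p in $products) {
        # productState is a 24-bit value that Microsoft does not document. The
        # decoding below is the commonly used community interpretation, so treat
        # it as an assumption and confirm against the product's own UI:
        #   0xXX0000 product category, 0x00XX00 real-time state (10/11 = on),
        #   0x0000XX signature state (00 = up to date, 10 = out of date).
        $hex = '{0:x6}' -f [int]$p.productState
        $realTime = $hex.Substring(2, 2)
        $sigs = $hex.Substring(4, 2)
        $defs = 'Out of date'
        if ($sigs -eq '00') { $defs = 'Up to date' }
        New-Object PSObject -Property @{
            Name        = $p.displayName
            Guid        = $p.instanceGuid
            Exe         = $p.pathToSignedProductExe
            RealTimeOn  = ($realTime -eq '10' -or $realTime -eq '11')
            Definitions = $defs
            RawState    = $hex
        }
    }
}

$av = @(Get-RegisteredAV)
$av | Format-Table Name, RealTimeOn, Definitions, RawState, Exe -AutoSize

# More than one engine with real-time protection on is the situation described
# above: two filter drivers scanning every file access and each one tripping over
# the other's quarantine and scan activity.
$active = @($av | Where-Object { $_.RealTimeOn })
if ($active.Count -gt 1) {
    $names = ($active | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("{0} products report real-time protection enabled: {1}" -f $active.Count, $names)
}
```

Registration is not the same as being loaded: a product that was uninstalled badly can stay registered, and a product can be loaded without registering. Cross-check the output against the running process list and the loaded filter drivers (the R1 entries such as MpFilter.sys in the DDS "SERVICES / DRIVERS" section) before deciding which one to remove.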

#3 gringo_pr


  • Malware Response Team
Posted 15 January 2012 - 02:55 AM


48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

#4 gringo_pr


  • Malware Response Team
Posted 18 January 2012 - 06:16 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
