temp:winupd on Windows XP


14 replies to this topic

#1 Dont Shoot Me

  • Members
  • 26 posts

Posted 19 January 2012 - 05:44 AM

Earlier today I acquired the temp:winupd virus from a sports streaming website. I first noticed something wrong when I checked my task manager and had a svchost.exe process using over 800,000k memory. I did some research on the web, found this thread on the forums here, and ended up finding the temp:winupd virus when looking under the startup tab when using the system configuration utility [screenshot].

I also ran tasklist /svc /fi "imagename eq svchost.exe" through cmd, which resulted in this:

Along with my svchost.exe process using an extreme amount of memory, I also am being re-directed when I try to open web pages, most notably when opening google links. I also have had some difficulty powering down and rebooting my computer (I have had to manually switch the power off twice because the computer would just sit at a blue screen for an indefinite period of time). I have run virus scans using Immunet Protect and McAfee, but neither of them have come up with anything.

I would appreciate any assistance in removing this virus from my computer.

Edited by Dont Shoot Me, 19 January 2012 - 05:52 AM.



#2 boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 January 2012 - 11:08 AM

Hello, looks like there is a rootkit in here.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1 <<<== Use this one first.
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware



We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, a logfile will open. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#3 Dont Shoot Me (Topic Starter)

  • Members
  • 26 posts

Posted 19 January 2012 - 03:03 PM

Malwarebytes Anti-Malware log:


Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Brett :: A [administrator]

Protection: Enabled

1/19/2012 1:20:54 PM
mbam-log-2012-01-19 (13-20-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199725
Time elapsed: 15 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 10
HKCR\CLSID\{2ED2390A-E6F6-F895-FE75-013E2D97184A} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\AdvBHO.AdvBHO.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\AdvBHO.AdvBHO (Trojan.BHO) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ED2390A-E6F6-F895-FE75-013E2D97184A} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2ED2390A-E6F6-F895-FE75-013E2D97184A} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2ED2390A-E6F6-F895-FE75-013E2D97184A} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls|AppSecDll (Trojan.Agent) -> Data: C:\Documents and Settings\Brett\Local Settings\Application Data\Windows Server\mckrgo.dll -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Documents and Settings\Brett\Local Settings\Temp\p9pl4179366973544436850.tmp (Exploit.Drop.3P) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.19183380078297207.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tue0.3857640120798713.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\brett\local settings\temp:winupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)



Malwarebytes has also continuously been blocking access to potentially malicious websites.

Malwarebytes Anti-Malware Protection Log:




RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2012/01/19 13:42
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: <empty>
Image Path: <empty>
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAC2E0000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA614000 Size: 8192 File Visible: No Signed: -
Status: -

Name: neggddu.sys
Image Path: neggddu.sys
Address: 0xBA0A8000 Size: 54016 File Visible: No Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xB8CCF000 Size: 122880 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\$NtUninstallKB22461$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB2259922$:SummaryInformation
Status: Invisible to the Windows API!

Path: c:\documents and settings\all users\application data\malwarebytes\malwarebytes' anti-malware\logs\protection-log-2012-01-19.txt
Status: Size mismatch (API: 27420, Raw: 27276)

Processes
-------------------
Path: C:\WINDOWS\system32\ping.exe
PID: 3788 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecb6fa

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9ea9f68

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xb9eaa230

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecc0b4

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecc43e

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xb9eca938

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ImmunetSelfProtect.sys" at address 0xba3c8cce

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecc982

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecbab8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9ea99d8

Stealth Objects
-------------------
Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_CREATE]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_CLOSE]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_READ]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_WRITE]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SET_EA]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_CLEANUP]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_POWER]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_PNP]
Process: System Address: 0x8a0c2880 Size: 1113

==EOF==



#4 boopme

boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 January 2012 - 04:06 PM

Please do 2 more rootkit scans, so I can determine if that is what is going on.
Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished, the utility outputs a list of detected objects with descriptions.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like: TDSSKiller.Version_Date_Time_log.txt.



If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

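Reading the two scanner reports posted in this thread (RootRepeal's sectioned report and TDSSKiller's one-line-per-driver log) is mostly a matter of skipping the noise. The script below is an added example, not part of this thread or of either tool: it condenses both formats to the flagged entries a helper looks at first. The sample logs embedded in it are constructed to mirror the format of the reports in this thread, with placeholder md5 values.

```python
# Added example (not from the thread, RootRepeal or TDSSKiller) condensing both scanner logs.
import re
from collections import defaultdict

# TDSSKiller: "<HH:MM:SS.mmmm> <pid> <message>"; only the message matters.
_TDSS_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(?P<msg>.*)$")
_FORGED = re.compile(r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: "
                     r"(?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})")
_DETECTED = re.compile(r"^(?P<service>\S+) - detected (?P<name>\S+)")
# RootRepeal: sections headed by a dashed rule, records separated by blank lines.
_RULE = re.compile(r"-{5,}")
_IDENT = re.compile(r"(?:Function Name|Name|Path|Object): (.*)")
_STATUS = re.compile(r"Status: (.*)")
_HOOKED_BY = re.compile(r'Hooked by "(?P<module>[^"]+)"')
_STEALTH = re.compile(r"Hidden Code \[Driver Object: (?P<drv>0x[0-9a-f]+), (?P<irp>IRP_MJ_\w+)\]")
_CODE_ADDR = re.compile(r"Address: (?P<addr>0x[0-9a-f]+) Size: (?P<size>\d+)")


def parse_tdsskiller(text):
    """TDSSKiller's own verdicts: forged files (path/real/fake) and detections."""
    out = []
    for line in text.splitlines():
        m = _TDSS_LINE.match(line.strip())
        hit = m and (_FORGED.search(m["msg"]) or _DETECTED.match(m["msg"]))
        if hit:
            out.append(hit.groupdict())
    return out


def _records(text):
    """Yield (section, [lines]) for every record of a RootRepeal report."""
    lines = [ln.strip() for ln in text.splitlines()] + [""]
    section, rec = None, []
    for line, nxt in zip(lines, lines[1:]):
        if line == "==EOF==":
            break
        if line and _RULE.fullmatch(nxt):             # section header line
            section, rec = line, []
        elif section and line and not _RULE.fullmatch(line):
            rec.append(line)
        elif rec:                                     # blank line closes a record
            yield section, rec
            rec = []
    if rec:
        yield section, rec


def parse_rootrepeal(text):
    """Flagged objects, SSDT hooks by hooking module, hidden-code patches by driver object."""
    result = {"flagged": [], "ssdt_hooks": defaultdict(list), "stealth": defaultdict(set)}
    for section, rec in _records(text):
        joined = " ".join(rec)
        ident = _IDENT.search(rec[0])
        ident = ident.group(1).strip() if ident else rec[0]
        status = _STATUS.search(joined)
        status = status.group(1).strip() if status else ""
        if section == "SSDT":
            hook = _HOOKED_BY.search(status)
            if hook:
                result["ssdt_hooks"][hook["module"]].append(ident)
        elif section == "Stealth Objects":
            st, code = _STEALTH.search(rec[0]), _CODE_ADDR.search(joined)
            if st and code:
                key = (st["drv"], code["addr"], int(code["size"]))
                result["stealth"][key].add(st["irp"])
        elif status not in ("", "-"):                 # "-" is RootRepeal's "nothing odd"
            result["flagged"].append({"section": section, "object": ident, "status": status})
    result["stealth"] = {k: sorted(v) for k, v in result["stealth"].items()}
    return result


# Constructed samples modelled on the logs in this thread; md5 values are placeholders.
SAMPLE_ROOTREPEAL = r"""ROOTREPEAL (c) AD, 2007-2009
Drivers
-------------------
Name: serial.sys
Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecb6fa

Stealth Objects
-------------------
Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_CREATE]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_READ]
Process: System Address: 0x8a0c2880 Size: 1113
==EOF==
"""
SAMPLE_TDSSKILLER = r"""15:45:00.0812 2344 serenum - ok
15:45:00.0859 2344 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: 11111111111111111111111111111111, Fake md5: 22222222222222222222222222222222
15:45:00.0859 2344 Serial - detected Virus.Win32.ZAccess.k (0)
"""

if __name__ == "__main__":
    print(parse_rootrepeal(SAMPLE_ROOTREPEAL), parse_tdsskiller(SAMPLE_TDSSKILLER), sep="\n")
```

Feed it the full text of a pasted report; anything in `flagged`, any hooking module you do not recognise as an installed security product, and any forged-file line is what to look at first.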
#5 Dont Shoot Me

Dont Shoot Me
  • Topic Starter
  • Members
  • 26 posts

Posted 19 January 2012 - 10:46 PM

RootRepeal scan 1:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2012/01/19 15:42
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: <empty>
Image Path: <empty>
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAC2E0000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA614000 Size: 8192 File Visible: No Signed: -
Status: -

Name: neggddu.sys
Image Path: neggddu.sys
Address: 0xBA0A8000 Size: 54016 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8A0A000 Size: 49152 File Visible: No Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xB8CCF000 Size: 122880 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\$NtUninstallKB22461$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB2259922$:SummaryInformation
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Brett\My Documents\tdsskiller.zip
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\LastSession.plist
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Application Data\Apple Computer\Safari\History\segments
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Application Data\Apple Computer\Safari\History\_ed.cfs
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Brett\Local Settings\Application Data\Apple Computer\Safari\History\_eg.cfs
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\brett\local settings\application data\apple computer\safari\webpage previews\dfac2ac2f8102bbfbd4ef18a247d74cb.jpeg
Status: Size mismatch (API: 181738, Raw: 169496)

Path: c:\documents and settings\brett\local settings\application data\apple computer\safari\webpage previews\dfac2ac2f8102bbfbd4ef18a247d74cb.png
Status: Size mismatch (API: 1317182, Raw: 1108743)

Path: C:\Documents and Settings\Brett\Local Settings\Application Data\Apple Computer\Safari\Webpage Previews\AE2FBEF1624DF2562A5BEB1F711ADD5C.jpeg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Brett\Local Settings\Application Data\Apple Computer\Safari\Webpage Previews\AE2FBEF1624DF2562A5BEB1F711ADD5C.png
Status: Visible to the Windows API, but not on disk.

Processes
-------------------
Path: C:\WINDOWS\system32\ping.exe
PID: 1996 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecb6fa

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9ea9f68

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xb9eaa230

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecc0b4

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecc43e

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xb9eca938

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ImmunetSelfProtect.sys" at address 0xba3c8cce

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecc982

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecbab8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9ea99d8

Stealth Objects
-------------------
Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_CREATE]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_CLOSE]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_READ]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_WRITE]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SET_EA]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_CLEANUP]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_POWER]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a0c2880 Size: 1113

Object: Hidden Code [Driver Object: 0x8aa759a0, IRP_MJ_PNP]
Process: System Address: 0x8a0c2880 Size: 1113

==EOF==


TDSSKiller log:

15:44:30.0968 3896 TDSS rootkit removing tool 2.7.6.0 Jan 19 2012 13:09:04
15:44:31.0359 3896 ============================================================
15:44:31.0359 3896 Current date / time: 2012/01/19 15:44:31.0359
15:44:31.0359 3896 SystemInfo:
15:44:31.0359 3896
15:44:31.0359 3896 OS Version: 5.1.2600 ServicePack: 3.0
15:44:31.0359 3896 Product type: Workstation
15:44:31.0359 3896 ComputerName: A
15:44:31.0359 3896 UserName: Brett
15:44:31.0359 3896 Windows directory: C:\WINDOWS
15:44:31.0359 3896 System windows directory: C:\WINDOWS
15:44:31.0359 3896 Processor architecture: Intel x86
15:44:31.0359 3896 Number of processors: 2
15:44:31.0359 3896 Page size: 0x1000
15:44:31.0359 3896 Boot type: Normal boot
15:44:31.0359 3896 ============================================================
15:44:33.0828 3896 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
15:44:33.0875 3896 Initialize success
15:44:54.0890 2344 ============================================================
15:44:54.0890 2344 Scan started
15:44:54.0890 2344 Mode: Manual;
15:44:54.0890 2344 ============================================================
15:44:55.0484 2344 Abiosdsk - ok
15:44:55.0531 2344 abp480n5 - ok
15:44:55.0578 2344 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:44:55.0593 2344 ACPI - ok
15:44:55.0656 2344 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
15:44:55.0671 2344 ACPIEC - ok
15:44:55.0671 2344 adpu160m - ok
15:44:55.0703 2344 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
15:44:55.0718 2344 aec - ok
15:44:55.0765 2344 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
15:44:55.0765 2344 AFD - ok
15:44:55.0781 2344 Aha154x - ok
15:44:55.0828 2344 aic78u2 - ok
15:44:55.0828 2344 aic78xx - ok
15:44:55.0843 2344 AliIde - ok
15:44:55.0843 2344 amsint - ok
15:44:55.0953 2344 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
15:44:55.0968 2344 Arp1394 - ok
15:44:55.0984 2344 asc - ok
15:44:56.0015 2344 asc3350p - ok
15:44:56.0046 2344 asc3550 - ok
15:44:56.0093 2344 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:44:56.0109 2344 AsyncMac - ok
15:44:56.0156 2344 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
15:44:56.0156 2344 atapi - ok
15:44:56.0203 2344 Atdisk - ok
15:44:56.0312 2344 ati2mtag (15b2fe76e2eceb98c49ed52311a6f26f) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
15:44:56.0328 2344 ati2mtag - ok
15:44:56.0375 2344 AtiHdmiService (d9bc8892b9440a2551b8148c57aa039e) C:\WINDOWS\system32\drivers\AtiHdmi.sys
15:44:56.0375 2344 AtiHdmiService - ok
15:44:56.0421 2344 atksgt (3c4b9850a2631c2263507400d029057b) C:\WINDOWS\system32\DRIVERS\atksgt.sys
15:44:56.0421 2344 atksgt - ok
15:44:56.0468 2344 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:44:56.0468 2344 Atmarpc - ok
15:44:56.0484 2344 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
15:44:56.0484 2344 audstub - ok
15:44:56.0515 2344 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
15:44:56.0515 2344 Beep - ok
15:44:56.0562 2344 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
15:44:56.0562 2344 cbidf2k - ok
15:44:56.0562 2344 cd20xrnt - ok
15:44:56.0593 2344 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
15:44:56.0593 2344 Cdaudio - ok
15:44:56.0640 2344 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
15:44:56.0640 2344 Cdfs - ok
15:44:56.0671 2344 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
15:44:56.0671 2344 Cdrom - ok
15:44:56.0687 2344 Changer - ok
15:44:56.0703 2344 CmdIde - ok
15:44:56.0718 2344 Cpqarray - ok
15:44:56.0734 2344 dac2w2k - ok
15:44:56.0765 2344 dac960nt - ok
15:44:56.0812 2344 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
15:44:56.0812 2344 Disk - ok
15:44:56.0890 2344 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
15:44:56.0906 2344 dmboot - ok
15:44:56.0906 2344 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
15:44:56.0921 2344 dmio - ok
15:44:56.0937 2344 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
15:44:56.0937 2344 dmload - ok
15:44:56.0968 2344 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
15:44:56.0968 2344 DMusic - ok
15:44:57.0031 2344 DNINDIS5 (d2ee54cdbced01d48f2b18642be79a98) C:\WINDOWS\system32\DNINDIS5.SYS
15:44:57.0031 2344 DNINDIS5 - ok
15:44:57.0031 2344 dpti2o - ok
15:44:57.0093 2344 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
15:44:57.0093 2344 drmkaud - ok
15:44:57.0156 2344 e1yexpress (aee21a637ede5bd4f89cd90883149104) C:\WINDOWS\system32\DRIVERS\e1y5132.sys
15:44:57.0156 2344 e1yexpress - ok
15:44:57.0203 2344 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
15:44:57.0203 2344 Fastfat - ok
15:44:57.0234 2344 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
15:44:57.0234 2344 Fdc - ok
15:44:57.0281 2344 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
15:44:57.0281 2344 Fips - ok
15:44:57.0281 2344 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
15:44:57.0281 2344 Flpydisk - ok
15:44:57.0343 2344 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
15:44:57.0343 2344 FltMgr - ok
15:44:57.0375 2344 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
15:44:57.0375 2344 Fs_Rec - ok
15:44:57.0375 2344 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:44:57.0375 2344 Ftdisk - ok
15:44:57.0421 2344 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
15:44:57.0421 2344 GEARAspiWDM - ok
15:44:57.0437 2344 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
15:44:57.0437 2344 Gpc - ok
15:44:57.0515 2344 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
15:44:57.0515 2344 HDAudBus - ok
15:44:57.0546 2344 HECI (e4a123ad734a3731d29ebd3a01b3e535) C:\WINDOWS\system32\DRIVERS\HECI.sys
15:44:57.0562 2344 HECI - ok
15:44:57.0593 2344 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
15:44:57.0593 2344 HidUsb - ok
15:44:57.0609 2344 hpn - ok
15:44:57.0671 2344 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
15:44:57.0671 2344 HTTP - ok
15:44:57.0718 2344 i2omgmt - ok
15:44:57.0750 2344 i2omp - ok
15:44:57.0781 2344 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sy@
15:44:57.0796 2344 i8042prt - ok
15:44:57.0843 2344 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
15:44:57.0843 2344 Imapi - ok
15:44:57.0906 2344 ImmunetProtectDriver (0452cbd785659bb9e86b6c849bc292f9) C:\WINDOWS\system32\DRIVERS\ImmunetProtect.sys
15:44:57.0906 2344 ImmunetProtectDriver - ok
15:44:57.0953 2344 ImmunetSelfProtectDriver (426737322b000e3d9d7fb5b13f443b27) C:\WINDOWS\system32\DRIVERS\ImmunetSelfProtect.sys
15:44:57.0953 2344 ImmunetSelfProtectDriver - ok
15:44:57.0953 2344 ini910u - ok
15:44:58.0093 2344 IntcAzAudAddService (19afbb8427ce65042599555e578170df) C:\WINDOWS\system32\drivers\RtkHDAud.sys
15:44:58.0125 2344 IntcAzAudAddService - ok
15:44:58.0125 2344 IntelIde - ok
15:44:58.0156 2344 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:44:58.0156 2344 intelppm - ok
15:44:58.0171 2344 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
15:44:58.0171 2344 Ip6Fw - ok
15:44:58.0203 2344 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:44:58.0203 2344 IpFilterDriver - ok
15:44:58.0234 2344 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
15:44:58.0234 2344 IpInIp - ok
15:44:58.0234 2344 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
15:44:58.0250 2344 IpNat - ok
15:44:58.0265 2344 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
15:44:58.0281 2344 IPSec - ok
15:44:58.0312 2344 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
15:44:58.0312 2344 IRENUM - ok
15:44:58.0359 2344 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
15:44:58.0359 2344 isapnp - ok
15:44:58.0406 2344 JSWSCIMD (ad67795900aa8c05cc4570f5349e0639) C:\WINDOWS\system32\DRIVERS\jswscimd.sys
15:44:58.0406 2344 JSWSCIMD - ok
15:44:58.0468 2344 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:44:58.0468 2344 Kbdclass - ok
15:44:58.0500 2344 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
15:44:58.0500 2344 kbdhid - ok
15:44:58.0546 2344 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
15:44:58.0546 2344 kmixer - ok
15:44:58.0593 2344 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
15:44:58.0593 2344 KSecDD - ok
15:44:58.0609 2344 lbrtfdc - ok
15:44:58.0625 2344 lirsgt (4127e8b6ddb4090e815c1f8852c277d3) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
15:44:58.0625 2344 lirsgt - ok
15:44:58.0671 2344 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
15:44:58.0671 2344 MBAMProtector - ok
15:44:58.0734 2344 mfeapfk (11115e2281dd9b885b038abb11dd8a75) C:\WINDOWS\system32\drivers\mfeapfk.sys
15:44:58.0734 2344 mfeapfk - ok
15:44:58.0750 2344 mfeavfk (a14941aea876c395214f918b011a1371) C:\WINDOWS\system32\drivers\mfeavfk.sys
15:44:58.0750 2344 mfeavfk - ok
15:44:58.0765 2344 mfebopk (59b8443b78c46d2ac4767938e778f043) C:\WINDOWS\system32\drivers\mfebopk.sys
15:44:58.0765 2344 mfebopk - ok
15:44:58.0781 2344 mfehidk (116689b95a37efca0acc2ac421795e60) C:\WINDOWS\system32\drivers\mfehidk.sys
15:44:58.0781 2344 mfehidk - ok
15:44:58.0828 2344 mferkdk (6e1e4bb2866260f2949a3b7a0759e3c6) C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
15:44:58.0828 2344 mferkdk - ok
15:44:58.0843 2344 mfetdik (8468969c92d1dd1fa872cc6c936e4d60) C:\WINDOWS\system32\drivers\mfetdik.sys
15:44:58.0843 2344 mfetdik - ok
15:44:58.0890 2344 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
15:44:58.0890 2344 Modem - ok
15:44:58.0921 2344 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
15:44:58.0937 2344 Mouclass - ok
15:44:58.0968 2344 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
15:44:58.0984 2344 mouhid - ok
15:44:58.0984 2344 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
15:44:58.0984 2344 MountMgr - ok
15:44:59.0000 2344 mraid35x - ok
15:44:59.0031 2344 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:44:59.0046 2344 MRxDAV - ok
15:44:59.0062 2344 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:44:59.0078 2344 MRxSmb - ok
15:44:59.0156 2344 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
15:44:59.0156 2344 Msfs - ok
15:44:59.0187 2344 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
15:44:59.0187 2344 MSKSSRV - ok
15:44:59.0218 2344 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:44:59.0218 2344 MSPCLOCK - ok
15:44:59.0250 2344 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
15:44:59.0250 2344 MSPQM - ok
15:44:59.0281 2344 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:44:59.0281 2344 mssmbios - ok
15:44:59.0328 2344 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
15:44:59.0328 2344 Mup - ok
15:44:59.0375 2344 NAL (a467e1deb3bb2b57426c8a5993ba933e) C:\WINDOWS\system32\Drivers\iqvw32.sys
15:44:59.0375 2344 NAL - ok
15:44:59.0421 2344 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
15:44:59.0437 2344 NDIS - ok
15:44:59.0468 2344 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:44:59.0468 2344 NdisTapi - ok
15:44:59.0484 2344 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:44:59.0484 2344 Ndisuio - ok
15:44:59.0515 2344 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:44:59.0531 2344 NdisWan - ok
15:44:59.0593 2344 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
15:44:59.0593 2344 NDProxy - ok
15:44:59.0609 2344 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
15:44:59.0609 2344 NetBIOS - ok
15:44:59.0640 2344 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
15:44:59.0656 2344 NetBT - ok
15:44:59.0687 2344 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
15:44:59.0687 2344 NIC1394 - ok
15:44:59.0687 2344 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
15:44:59.0687 2344 Npfs - ok
15:44:59.0718 2344 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
15:44:59.0734 2344 Ntfs - ok
15:44:59.0796 2344 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
15:44:59.0796 2344 Null - ok
15:44:59.0828 2344 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:44:59.0828 2344 NwlnkFlt - ok
15:44:59.0828 2344 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:44:59.0828 2344 NwlnkFwd - ok
15:44:59.0859 2344 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
15:44:59.0859 2344 ohci1394 - ok
15:44:59.0906 2344 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
15:44:59.0906 2344 Parport - ok
15:44:59.0921 2344 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
15:44:59.0921 2344 PartMgr - ok
15:44:59.0968 2344 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
15:44:59.0968 2344 ParVdm - ok
15:44:59.0984 2344 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
15:44:59.0984 2344 PCI - ok
15:44:59.0984 2344 PCIDump - ok
15:45:00.0046 2344 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
15:45:00.0046 2344 PCIIde - ok
15:45:00.0078 2344 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
15:45:00.0078 2344 Pcmcia - ok
15:45:00.0093 2344 PCTCore (6ef125721a9f1f7dbf3229786f7decd0) C:\WINDOWS\system32\drivers\PCTCore.sys
15:45:00.0093 2344 PCTCore - ok
15:45:00.0109 2344 pctDS (f820b4c61d1e591325b679d479d4eea4) C:\WINDOWS\system32\drivers\pctDS.sys
15:45:00.0109 2344 pctDS - ok
15:45:00.0140 2344 pctEFA (acc8c15f3d59f17c5d903ff1de3b43d3) C:\WINDOWS\system32\drivers\pctEFA.sys
15:45:00.0187 2344 pctEFA - ok
15:45:00.0187 2344 PDCOMP - ok
15:45:00.0218 2344 PDFRAME - ok
15:45:00.0250 2344 PDRELI - ok
15:45:00.0250 2344 PDRFRAME - ok
15:45:00.0265 2344 perc2 - ok
15:45:00.0265 2344 perc2hib - ok
15:45:00.0328 2344 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:45:00.0328 2344 PptpMiniport - ok
15:45:00.0359 2344 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
15:45:00.0359 2344 PSched - ok
15:45:00.0375 2344 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
15:45:00.0375 2344 Ptilink - ok
15:45:00.0375 2344 ql1080 - ok
15:45:00.0390 2344 Ql10wnt - ok
15:45:00.0421 2344 ql12160 - ok
15:45:00.0421 2344 ql1240 - ok
15:45:00.0437 2344 ql1280 - ok
15:45:00.0453 2344 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
15:45:00.0453 2344 RasAcd - ok
15:45:00.0468 2344 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
15:45:00.0468 2344 Rasl2tp - ok
15:45:00.0484 2344 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
15:45:00.0484 2344 RasPppoe - ok
15:45:00.0515 2344 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
15:45:00.0515 2344 Raspti - ok
15:45:00.0546 2344 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
15:45:00.0546 2344 Rdbss - ok
15:45:00.0546 2344 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:45:00.0546 2344 RDPCDD - ok
15:45:00.0578 2344 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
15:45:00.0593 2344 rdpdr - ok
15:45:00.0656 2344 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
15:45:00.0671 2344 RDPWD - ok
15:45:00.0718 2344 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
15:45:00.0718 2344 redbook - ok
15:45:00.0718 2344 rootrepeal - ok
15:45:00.0781 2344 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
15:45:00.0781 2344 Secdrv - ok
15:45:00.0812 2344 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
15:45:00.0812 2344 serenum - ok
15:45:00.0859 2344 Serial (28b24b51dc058d85558bcbd58464a32d) C:\WINDOWS\system32\DRIVERS\serial.sys
15:45:00.0859 2344 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: 28b24b51dc058d85558bcbd58464a32d, Fake md5: cca207a8896d4c6a0c9ce29a4ae411a7
15:45:00.0859 2344 Serial ( Virus.Win32.ZAccess.k ) - infected
15:45:00.0859 2344 Serial - detected Virus.Win32.ZAccess.k (0)
15:45:00.0906 2344 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
15:45:00.0906 2344 Sfloppy - ok
15:45:00.0921 2344 Simbad - ok
15:45:00.0937 2344 Sparrow - ok
15:45:00.0984 2344 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
15:45:00.0984 2344 splitter - ok
15:45:01.0000 2344 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
15:45:01.0000 2344 sr - ok
15:45:01.0062 2344 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
15:45:01.0062 2344 Srv - ok
15:45:01.0078 2344 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
15:45:01.0093 2344 swenum - ok
15:45:01.0125 2344 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
15:45:01.0125 2344 swmidi - ok
15:45:01.0156 2344 symc810 - ok
15:45:01.0156 2344 symc8xx - ok
15:45:01.0171 2344 sym_hi - ok
15:45:01.0171 2344 sym_u3 - ok
15:45:01.0203 2344 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
15:45:01.0203 2344 sysaudio - ok
15:45:01.0250 2344 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:45:01.0265 2344 Tcpip - ok
15:45:01.0296 2344 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
15:45:01.0296 2344 TDPIPE - ok
15:45:01.0312 2344 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
15:45:01.0312 2344 TDTCP - ok
15:45:01.0359 2344 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
15:45:01.0359 2344 TermDD - ok
15:45:01.0406 2344 tifsfilter (cf115b0e370d3f8fb270681274fdbb6a) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
15:45:01.0406 2344 tifsfilter - ok
15:45:01.0421 2344 timounter (8047d569c1fc863bf70dd495c3390f79) C:\WINDOWS\system32\DRIVERS\timntr.sys
15:45:01.0437 2344 timounter - ok
15:45:01.0437 2344 TosIde - ok
15:45:01.0484 2344 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
15:45:01.0484 2344 Udfs - ok
15:45:01.0500 2344 ultra - ok
15:45:01.0578 2344 UnlockerDriver5 (b2af2ba8a3205a8458b61f638fb431dd) C:\Program Files\Unlocker\UnlockerDriver5.sys
15:45:01.0578 2344 UnlockerDriver5 - ok
15:45:01.0656 2344 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
15:45:01.0671 2344 Update - ok
15:45:01.0718 2344 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
15:45:01.0718 2344 USBAAPL - ok
15:45:01.0765 2344 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:45:01.0765 2344 usbccgp - ok
15:45:01.0812 2344 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:45:01.0812 2344 usbehci - ok
15:45:01.0828 2344 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:45:01.0828 2344 usbhub - ok
15:45:01.0859 2344 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:45:01.0875 2344 usbprint - ok
15:45:01.0906 2344 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:45:01.0906 2344 usbscan - ok
15:45:01.0953 2344 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:45:01.0984 2344 USBSTOR - ok
15:45:02.0031 2344 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
15:45:02.0031 2344 usbuhci - ok
15:45:02.0078 2344 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
15:45:02.0078 2344 VgaSave - ok
15:45:02.0078 2344 ViaIde - ok
15:45:02.0125 2344 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
15:45:02.0125 2344 VolSnap - ok
15:45:02.0171 2344 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:45:02.0171 2344 Wanarp - ok
15:45:02.0250 2344 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
15:45:02.0250 2344 Wdf01000 - ok
15:45:02.0250 2344 WDICA - ok
15:45:02.0312 2344 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
15:45:02.0312 2344 wdmaud - ok
15:45:02.0359 2344 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
15:45:02.0359 2344 WinUSB - ok
15:45:02.0453 2344 WN111v2 (966860e5ea3591aa471ec9ced49dc8d2) C:\WINDOWS\system32\DRIVERS\WN111v2.sys
15:45:02.0468 2344 WN111v2 - ok
15:45:02.0515 2344 WSIMD (43f767d59bfc25d8f4fc2eb42043ec1e) C:\WINDOWS\system32\DRIVERS\wsimd.sys
15:45:02.0531 2344 WSIMD - ok
15:45:02.0562 2344 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:45:02.0562 2344 WudfPf - ok
15:45:02.0609 2344 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
15:45:02.0609 2344 WudfRd - ok
15:45:02.0640 2344 zumbus (337b9607f041b77824411750069aff2d) C:\WINDOWS\system32\DRIVERS\zumbus.sys
15:45:02.0656 2344 zumbus - ok
15:45:02.0687 2344 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
15:45:02.0718 2344 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
15:45:02.0718 2344 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
15:45:02.0750 2344 Boot (0x1200) (0b9bb5f63de410d211f59e0053c51180) \Device\Harddisk0\DR0\Partition0
15:45:02.0750 2344 \Device\Harddisk0\DR0\Partition0 - ok
15:45:02.0750 2344 ============================================================
15:45:02.0750 2344 Scan finished
15:45:02.0750 2344 ============================================================
15:45:02.0750 2812 Detected object count: 2
15:45:02.0750 2812 Actual detected object count: 2
16:00:36.0593 2812 Backup copy found, using it..
16:00:36.0656 2812 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured on reboot
16:00:38.0578 2812 Serial ( Virus.Win32.ZAccess.k ) - User select action: Cure
16:00:38.0609 2812 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
16:00:38.0609 2812 \Device\Harddisk0\DR0 - ok
16:00:38.0609 2812 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
16:00:42.0296 3008 Deinitialize success


GMER log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-19 21:23:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7 ST3500410AS rev.CC34
Running: y8uh29ds.exe; Driver: C:\DOCUME~1\Brett\LOCALS~1\Temp\pxtdrpob.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9ECB6FA]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9EA9F68]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9EAA230]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9ECC0B4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9ECC43E]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9ECA938]
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwOpenProcess [0xBA460CCE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9ECC982]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9ECBAB8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9EA99D8]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CA0 8050453C 8 Bytes JMP EAA230B9
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB96A7000, 0x1B601E, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xAA5F7300, 0x3AE88, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA3A0300, 0x1B7E, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\docx_auto_file@
Reg HKLM\SOFTWARE\Classes\docx_auto_file\shell
Reg HKLM\SOFTWARE\Classes\docx_auto_file\shell\edit
Reg HKLM\SOFTWARE\Classes\docx_auto_file\shell\edit@ &Edit
Reg HKLM\SOFTWARE\Classes\docx_auto_file\shell\edit\command
Reg HKLM\SOFTWARE\Classes\docx_auto_file\shell\edit\command@ "C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" /n /dde
Reg HKLM\SOFTWARE\Classes\docx_auto_file\shell\edit\ddeexec
Reg HKLM\SOFTWARE\Classes\docx_auto_file\shell\edit\ddeexec@ [REM _DDE_Direct][FileOpen("%1")]
Reg HKLM\SOFTWARE\Classes\docx_auto_file\shell\edit\ddeexec\Application
Reg HKLM\SOFTWARE\Classes\docx_auto_file\shell\edit\ddeexec\Application@ WinWord
Reg HKLM\SOFTWARE\Classes\docx_auto_file\shell\edit\ddeexec\Topic
Reg HKLM\SOFTWARE\Classes\docx_auto_file\shell\edit\ddeexec\Topic@ System
Reg HKLM\SOFTWARE\Classes\wps_auto_file@
Reg HKLM\SOFTWARE\Classes\wps_auto_file\shell
Reg HKLM\SOFTWARE\Classes\wps_auto_file\shell\edit
Reg HKLM\SOFTWARE\Classes\wps_auto_file\shell\edit@ &Edit
Reg HKLM\SOFTWARE\Classes\wps_auto_file\shell\edit\command
Reg HKLM\SOFTWARE\Classes\wps_auto_file\shell\edit\command@ "C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" /n /dde
Reg HKLM\SOFTWARE\Classes\wps_auto_file\shell\edit\ddeexec
Reg HKLM\SOFTWARE\Classes\wps_auto_file\shell\edit\ddeexec@ [REM _DDE_Direct][FileOpen("%1")]
Reg HKLM\SOFTWARE\Classes\wps_auto_file\shell\edit\ddeexec\Application
Reg HKLM\SOFTWARE\Classes\wps_auto_file\shell\edit\ddeexec\Application@ WinWord
Reg HKLM\SOFTWARE\Classes\wps_auto_file\shell\edit\ddeexec\Topic
Reg HKLM\SOFTWARE\Classes\wps_auto_file\shell\edit\ddeexec\Topic@ System

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB22461$\1524917145 0 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411 0 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\bckfg.tmp 846 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\cfg.ini 198 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\keywords 206 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\L 0 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\L\lnhngobq 64512 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\U 0 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB22461$\2223428411\U\80000032.@ 77312 bytes

---- EOF - GMER 1.0.15 ----


RootRepeal log 2 (I ran this one after TDSSKiller and GMER):


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2012/01/19 21:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xACC27000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5EE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: pxtdrpob.sys
Image Path: C:\DOCUME~1\Brett\LOCALS~1\Temp\pxtdrpob.sys
Address: 0xA9B15000 Size: 100864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA218000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\$NtUninstallKB22461$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB2259922$:SummaryInformation
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Brett\Desktop\TDSSKiller.2.7.6.0_19.01.2012_15.44.30_log.txt
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\mbamswissarmy.sys
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Brett\Local Settings\Temporary Internet Files\Content.IE5\01SEI3GV\drh_dllCARSH1TV
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Temporary Internet Files\Content.IE5\01SEI3GV\drh_dllCA6QF48C
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Temporary Internet Files\Content.IE5\01SEI3GV\drh_dllCAH79VXA
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Temporary Internet Files\Content.IE5\281V0B1V\drh_dllCA9ZA5C5
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Temporary Internet Files\Content.IE5\281V0B1V\drh_dllCAJZ47TK
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Temporary Internet Files\Content.IE5\281V0B1V\drh_dllCAQU55MI
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Temporary Internet Files\Content.IE5\2JU9WCMK\drh_dllCA5I4FOU
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Temporary Internet Files\Content.IE5\2JU9WCMK\drh_dllCAEV5PXP
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Temporary Internet Files\Content.IE5\2JU9WCMK\drh_dllCAM38JX5
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Temporary Internet Files\Content.IE5\V5YWO8B0\drh_dllCA01JAKH
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Temporary Internet Files\Content.IE5\V5YWO8B0\drh_dllCAKB4KHE
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Temporary Internet Files\Content.IE5\V5YWO8B0\drh_dllCAW3LFME
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Application Data\Apple Computer\Safari\History\segments
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Application Data\Apple Computer\Safari\History\_ep.cfs
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Application Data\Apple Computer\Safari\Webpage Previews\955EF7232093579C1AA2B2DA880A6FD0.jpeg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Local Settings\Application Data\Apple Computer\Safari\Webpage Previews\955EF7232093579C1AA2B2DA880A6FD0.png
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\3587ec62f721648b70b3b69525d992ae778ae8b9\3a50491c98cf076886191413cc15d858b07a7a83.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\3587ec62f721648b70b3b69525d992ae778ae8b9\8d9d9fa62badaa76bba72a51aa55058aa427f456.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\3587ec62f721648b70b3b69525d992ae778ae8b9\e7ac58be953e7f4f0bd51bd534774e7aaf07cdf2.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\3587ec62f721648b70b3b69525d992ae778ae8b9\ccef109b80c4505b192bde19bc8fe19de1e26b10.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\3587ec62f721648b70b3b69525d992ae778ae8b9\d1d3d76bf6fe6e2eb2bdaca89bb07a761ba71640.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\3587ec62f721648b70b3b69525d992ae778ae8b9\ecc428c99462b7570639c2e834a300f9bba6f973.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\3587ec62f721648b70b3b69525d992ae778ae8b9\14ac285b792abe7d035d2cb0cdb3dfe1dbe27c85.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\3587ec62f721648b70b3b69525d992ae778ae8b9\14bd71937547856287355dea9b0c365791029c29.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\98faf8d5aa51181d8bc7cd3a329798a89e67d2b2\aaa31ec8f5d4874159e250f570771b6861e7dd6a.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\98faf8d5aa51181d8bc7cd3a329798a89e67d2b2\bde51bb17ae732adcc98dd2c494850f2e053462e.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\98faf8d5aa51181d8bc7cd3a329798a89e67d2b2\db434ad797f9280bf336b49c136439333b6b4b67.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\98faf8d5aa51181d8bc7cd3a329798a89e67d2b2\8494ec6ca5a2a701b56f0878847e1ab1c582cdaa.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\98faf8d5aa51181d8bc7cd3a329798a89e67d2b2\e88a4d1866a347d21853260736efdca3c9b38489.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\98faf8d5aa51181d8bc7cd3a329798a89e67d2b2\98845dc296d09614a840d4688eef556f9a683641.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\98faf8d5aa51181d8bc7cd3a329798a89e67d2b2\3083b4f9056101ddf5223be12f8ca8d32e3d7589.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\98faf8d5aa51181d8bc7cd3a329798a89e67d2b2\4a50c2a467a9fd1aee99ae615de105db6ddeea8a.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\bf584bd04e3c4550fb10cc71321e645e38cb3123\87d38a8d899dffe41b7a39ffcdb2c684c39c5170.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\bf584bd04e3c4550fb10cc71321e645e38cb3123\89fc63257b4e2c11a76a184bdc88d76a6c36044c.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\bf584bd04e3c4550fb10cc71321e645e38cb3123\ce628e2d4d7a6fc2ed9c576ab8736750242d8b99.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\bf584bd04e3c4550fb10cc71321e645e38cb3123\7454d989a85018bc93254ff65a23b47c6736ba21.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\bf584bd04e3c4550fb10cc71321e645e38cb3123\158a60234b2543a6247409cc6c0cf50f4d7a350e.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\bf584bd04e3c4550fb10cc71321e645e38cb3123\3b9c84cdbbfb53dcfc1dcb60564e33fd8bc3f036.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\bf584bd04e3c4550fb10cc71321e645e38cb3123\10a5b88eda8e1557825d53fbfa1a0f908e4eb710.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\bf584bd04e3c4550fb10cc71321e645e38cb3123\ddbdb452b601f4c1ed312cd8b7d5889ba5c9a778.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\bf584bd04e3c4550fb10cc71321e645e38cb3123\8ee8403461abea1951ffed6bd9a26417c7376430.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\bf584bd04e3c4550fb10cc71321e645e38cb3123\8fd8c624f1a45a1ec9ce6a5fb0f8f142aa965724.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\bf584bd04e3c4550fb10cc71321e645e38cb3123\fb56ee6503b2dcbb204ff5ef0b1e177b5148f246.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\bf584bd04e3c4550fb10cc71321e645e38cb3123\83b6a4c99a8a788dffb20569aca84fd24b580ac0.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Brett\Application Data\Apple Computer\Safari\PubSub\Feeds\bf584bd04e3c4550fb10cc71321e645e38cb3123\cabb5e52dc48eae4002d9a7fbf57f20ff6f2e016.xml
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecb6fa

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9ea9f68

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xb9eaa230

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecc0b4

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecc43e

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xb9eca938

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ImmunetSelfProtect.sys" at address 0xba460cce

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecc982

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecbab8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9ea99d8

==EOF==

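The three logs above carry the findings that matter in different formats: TDSSKiller reports the driver whose bytes on disk do not match what the file API returns (the "Suspicious file (Forged)" line, whose "Real md5" is the same hash TDSSKiller prints on the driver's own line) and an infected MBR; GMER lists which kernel module owns each SSDT hook. The script below is an added example, not code from this thread or from Kaspersky, GMER or RootRepeal: it parses both formats and reduces them to a findings list, treating a hash mismatch, an "infected" verdict, or an SSDT hook from a module outside an analyst-supplied trusted set as actionable. The sample input is an abridged copy of the posted lines plus one constructed GMER line for a hypothetical driver (qzxlrtkp.sys); the TRUSTED set is an assumption built from the vendor strings GMER printed for PC Tools and Immunet.

```python
"""Parse TDSSKiller and GMER output like the logs posted above and pull out
the findings an analyst acts on. Added example; not code from the thread or
from either tool."""
import re

# Constructed sample: an abridged copy of lines from the posted TDSSKiller log.
TDSS_SAMPLE = r"""
15:45:00.0859 2344 Serial (28b24b51dc058d85558bcbd58464a32d) C:\WINDOWS\system32\DRIVERS\serial.sys
15:45:00.0859 2344 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: 28b24b51dc058d85558bcbd58464a32d, Fake md5: cca207a8896d4c6a0c9ce29a4ae411a7
15:45:00.0859 2344 Serial ( Virus.Win32.ZAccess.k ) - infected
15:45:00.0906 2344 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
15:45:00.0906 2344 Sfloppy - ok
15:45:02.0687 2344 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
15:45:02.0718 2344 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
"""

# Constructed sample: three SSDT lines copied from the posted GMER log plus one
# invented hook by a hypothetical driver (qzxlrtkp.sys) with no vendor info.
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9ECB6FA]
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows Codename Longhorn DDK provider) ZwOpenProcess [0xBA460CCE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9EA99D8]
SSDT \SystemRoot\system32\drivers\qzxlrtkp.sys ZwQueryDirectoryFile [0xB9AA1000]
"""

# Assumption: drivers of security products the analyst has confirmed are
# installed (PC Tools and Immunet, per the vendor strings GMER printed).
TRUSTED = {"pctcore.sys", "immunetselfprotect.sys"}

FORGED_RE = re.compile(r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})")
INFECTED_RE = re.compile(r"^\S+ \d+ (?P<obj>.+?) \( (?P<verdict>[^)]+) \) - infected$")
MBR_RE = re.compile(r"MBR \((?P<size>0x[0-9A-Fa-f]+)\) \((?P<md5>[0-9a-f]{32})\) (?P<dev>\\Device\\\S+)")
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
                     r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")


def parse_tdsskiller(text):
    """Return forged-file events, infected verdicts and the MBR record."""
    report = {"forged": [], "infected": [], "mbr": None}
    for line in text.splitlines():
        line = line.strip()
        if m := FORGED_RE.search(line):
            d = m.groupdict()
            # The tool hashes the file as seen through the normal file API and
            # as read from the raw disk; a rootkit that filters reads to hide
            # its patch makes the two differ, a clean file gives one hash.
            d["mismatch"] = d["real"] != d["fake"]
            report["forged"].append(d)
        elif m := INFECTED_RE.match(line):
            report["infected"].append((m["obj"], m["verdict"]))
        elif m := MBR_RE.search(line):
            report["mbr"] = m.groupdict()
    return report


def parse_gmer_ssdt(text):
    """Return one dict per SSDT hook line: module, desc (may be None), func, addr."""
    return [m.groupdict() for line in text.splitlines() if (m := SSDT_RE.match(line.strip()))]


def flag_unknown_hooks(hooks, trusted_modules):
    """Hooks whose owning driver (by basename, case-insensitive) is not trusted."""
    flagged = []
    for h in hooks:
        base = h["module"].rsplit("\\", 1)[-1].lower()
        if base not in trusted_modules:
            flagged.append(h)
    return flagged


def triage(tdss_text, gmer_text, trusted):
    """Collapse both logs into the list of things that need action."""
    t = parse_tdsskiller(tdss_text)
    findings = [f"patched driver hidden by rootkit: {f['path']}"
                for f in t["forged"] if f["mismatch"]]
    findings += [f"{obj}: {verdict}" for obj, verdict in t["infected"]]
    findings += [f"SSDT hook by untrusted module {h['module']} on {h['func']}"
                 for h in flag_unknown_hooks(parse_gmer_ssdt(gmer_text), trusted)]
    return findings


if __name__ == "__main__":
    for finding in triage(TDSS_SAMPLE, GMER_SAMPLE, TRUSTED):
        print(finding)
```

Two caveats a reader should carry into the RootRepeal output: the randomly named driver in the user's Temp directory (pxtdrpob.sys) is GMER's own driver, as GMER's header line states, so its absence from the file listing is expected and not a second rootkit; and the TDSSKiller "Backup copy found, using it" line means the cure replaces serial.sys from the backup at the next reboot, which is why the reboot is asked about below before any further scanning.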


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:03:59 PM

Posted 19 January 2012 - 11:33 PM

15:45:02.0750 2812 Detected object count: 2
15:45:02.0750 2812 Actual detected object count: 2
16:00:36.0593 2812 Backup copy found, using it..
16:00:36.0656 2812 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured on reboot
16:00:38.0578 2812 Serial ( Virus.Win32.ZAccess.k ) - User select action: Cure
16:00:38.0609 2812 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
16:00:38.0609 2812 \Device\Harddisk0\DR0 - ok
16:00:38.0609 2812 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
16:00:42.0296 3008 Deinitialize success


The above was a significant clean. Did you do the reboot?

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1 <<<== Use this one first.

Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#7 Dont Shoot Me

Dont Shoot Me
  • Topic Starter

  • Members
  • 26 posts
  • Local time:01:59 PM

Posted 20 January 2012 - 01:50 AM

Yes I rebooted. Malwarebytes Anti-Malware has not reported blocking any malicious attempts to access the web since the reboot, so I think I might be clean.

Edited by Dont Shoot Me, 20 January 2012 - 04:56 AM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:03:59 PM

Posted 20 January 2012 - 09:18 PM

I like to run this last and get any remnants.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.

#9 Dont Shoot Me

Dont Shoot Me
  • Topic Starter

  • Members
  • 26 posts
  • Local time:01:59 PM

Posted 21 January 2012 - 10:29 AM

ESET Scan log:

C:\Documents and Settings\Brett\Local Settings\Temp\51F.tmp Win32/Olmarik.AXW trojan cleaned by deleting - quarantined
C:\Documents and Settings\Brett\My Documents\Black Ops Clips\YouTubeDownloaderSetup27.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined
C:\Documents and Settings\Brett\My Documents\Black Ops Clips\YouTubeDownloaderSetup272.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\26\502f7dda-19e68a5c a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\30\81bedde-5d09eea1 a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Program Files\Application Updater\ApplicationUpdater.exe probably a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\Program Files\YouTube Downloader Toolbar\IE\4.3\youtubedownloaderToolbarIE.dll a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-1993962763-1336601894-1801674531-1004\Dc293.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined
C:\WINDOWS\Temp\jar_cache1496298066364541367.tmp Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\WINDOWS\Temp\jar_cache2894450058565346288.tmp Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\WINDOWS\Temp\jar_cache4391072957503753436.tmp Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined



#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:03:59 PM

Posted 21 January 2012 - 08:52 PM

Ok, please do these and see if the original temp:winupd is gone.

Due to what was found there you need to change the passwords stored on here.

Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.



Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
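The MiniToolBox checklist above (flush DNS, report and reset the IE and Firefox proxy settings, list the hosts file and Winsock entries) covers the places where a redirect like the one reported on Google links is usually wired in once the kernel component is gone. As an added example that is not part of this thread or of MiniToolBox, the Python below performs the two checks an analyst makes by eye on Result.txt: it parses a hosts file and flags names sinkholed to loopback or pinned to a remote address, and it audits the Internet Explorer proxy values. The inputs are constructed; on a real machine the hosts file is C:\WINDOWS\system32\drivers\etc\hosts and the proxy values are ProxyEnable, ProxyServer and AutoConfigURL under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. The domain names and the SECURITY_HOSTS list are assumptions, not taken from the logs.

```python
r"""Post-cleanup redirect checks: hosts file and IE proxy settings.
Added example, not MiniToolBox code. Real inputs would be read from
C:\WINDOWS\system32\drivers\etc\hosts and the ProxyEnable / ProxyServer /
AutoConfigURL values under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings."""
import ipaddress

# Constructed sample hosts file: one legitimate line, two vendor hosts
# sinkholed, one search host pinned to a remote address (TEST-NET range).
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.test      # constructed: vendor update host
0.0.0.0         download.example-av.test    # constructed
198.51.100.7    www.google.com              # constructed: search redirect
"""

# Assumption: an analyst-maintained list of update/AV hosts that malware
# likes to block; any hosts entry for one of these is itself suspicious.
SECURITY_HOSTS = {"update.example-av.test", "download.example-av.test"}

# Constructed sample of the three IE proxy values (a local proxy on 127.0.0.1
# is the classic way traffic is routed through an injected component).
PROXY_SAMPLE = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8080", "AutoConfigURL": ""}


def parse_hosts(text):
    """Return (hostname, ip) pairs, ignoring comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address: skip rather than guess
        for name in parts[1:]:
            entries.append((name.lower(), ip))
    return entries


def find_hosts_hijacks(entries, security_hosts=SECURITY_HOSTS):
    """Flag vendor hosts sent to loopback/0.0.0.0 and any name mapped off-box."""
    findings = []
    for name, ip in entries:
        local = ip.is_loopback or ip.is_unspecified
        if name in security_hosts and local:
            findings.append((name, str(ip), "security vendor host sinkholed"))
        elif not local:
            findings.append((name, str(ip), "name pinned to a remote address"))
    return findings


def audit_ie_proxy(settings, expected_proxies=()):
    """settings mirrors the registry values; expected_proxies lists any proxy
    the site legitimately uses (empty on a home machine)."""
    findings = []
    if settings.get("AutoConfigURL"):
        findings.append(f"PAC script configured: {settings['AutoConfigURL']}")
    if settings.get("ProxyEnable") == 1:
        server = settings.get("ProxyServer", "")
        if server not in expected_proxies:
            findings.append(f"proxy enabled and not on the expected list: {server}")
    return findings


if __name__ == "__main__":
    for finding in find_hosts_hijacks(parse_hosts(HOSTS_SAMPLE)):
        print("hosts:", finding)
    for finding in audit_ie_proxy(PROXY_SAMPLE):
        print("proxy:", finding)
```

The hosts check deliberately treats any non-local mapping as a finding rather than only known search engines, because the few legitimate reasons to pin a name in hosts on a home machine are easy to confirm by hand, while a silent redirect is not. Flushing the DNS cache, as the checklist does, matters for the same reason: a poisoned cache entry survives a hosts cleanup until the resolver is restarted or flushed.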

#11 Dont Shoot Me

Dont Shoot Me
  • Topic Starter

  • Members
  • 26 posts
  • Local time:01:59 PM

Posted 22 January 2012 - 08:04 PM

Every time I start TFC the program gets to the "Stopping all running processes..." stage then just stops. I know it starts to close out of some of my programs because I receive error messages, but after that nothing happens. It just sits at the "Stopping all running processes..." stage indefinitely. I let it run for 3 hours and nothing changed. During this time I cannot open any new programs or close out of TFC, so I have had to reboot my system in order to regain functionality. Suggestions?

#12 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 January 2012 - 09:32 PM

Try this then

Please download ATF Cleaner by Atribune & save it to your desktop (alternate download link).
  • Close all open browsers before using, especially Firefox. <-Important!!!
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Notes: On Vista, "Windows Temp" is disabled. To empty Temp, ATF-Cleaner must be Run As Administrator.
The Prefetch cleaning feature has been disabled for Vista Users. Tabs for applications that are not installed are grayed out.


#13 Dont Shoot Me
  • Topic Starter
  • Members
  • 26 posts

Posted 23 January 2012 - 05:31 PM

OK, ATF Cleaner ran and cleared 180 KB of space. It didn't mention anything about resetting passwords.

Don't know if you wanted me to run MiniToolBox afterwards or not but I did.

MiniToolBox log:


MiniToolBox by Farbar Version: 18-01-2012
Ran by Brett (administrator) on 23-01-2012 at 16:24:01
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 4

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

Hosts file not detected in the default directory
========================= IP Configuration: ================================

1394 Net Adapter = 1394 Connection (Disconnected)
Intel® 82567V-2 Gigabit Network Connection = Local Area Connection (Disconnected)
RangeMax Wireless-N USB Adapter WN111v2 = Wireless Network Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : A
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : RangeMax Wireless-N USB Adapter WN111v2
Physical Address. . . . . . . . . : E0-91-F5-11-BB-87
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.0.0.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.1
DHCP Server . . . . . . . . . . . : 10.0.0.1
DNS Servers . . . . . . . . . . . : 10.0.0.1
Lease Obtained. . . . . . . . . . : Monday, January 23, 2012 4:21:32 PM
Lease Expires . . . . . . . . . . : Tuesday, January 24, 2012 4:21:32 PM

Server: UnKnown
Address: 10.0.0.1

Name: google.com
Addresses: 74.125.225.83, 74.125.225.84, 74.125.225.80, 74.125.225.81
74.125.225.82

Pinging google.com [74.125.225.82] with 32 bytes of data:

Reply from 74.125.225.82: bytes=32 time=28ms TTL=54
Reply from 74.125.225.82: bytes=32 time=31ms TTL=54

Ping statistics for 74.125.225.82:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 28ms, Maximum = 31ms, Average = 29ms

Server: UnKnown
Address: 10.0.0.1

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.2.43, 98.137.149.56, 98.139.180.149

Pinging yahoo.com [98.139.180.149] with 32 bytes of data:

Reply from 98.139.180.149: bytes=32 time=69ms TTL=49
Reply from 98.139.180.149: bytes=32 time=76ms TTL=49

Ping statistics for 98.139.180.149:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 69ms, Maximum = 76ms, Average = 72ms

Server: UnKnown
Address: 10.0.0.1

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...e0 91 f5 11 bb 87 ...... RangeMax Wireless-N USB Adapter WN111v2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.4 20
10.0.0.0 255.255.255.0 10.0.0.4 10.0.0.4 20
10.0.0.4 255.255.255.255 127.0.0.1 127.0.0.1 20
10.255.255.255 255.255.255.255 10.0.0.4 10.0.0.4 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.0.0.4 10.0.0.4 20
255.255.255.255 255.255.255.255 10.0.0.4 10.0.0.4 1
Default Gateway: 10.0.0.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/23/2012 05:21:32 AM) (Source: Application Hang) (User: )
Description: Hanging application ATF-Cleaner.exe, version 3.0.0.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/20/2012 09:50:36 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x0153af66.
Processing media-specific event for [iexplore.exe!ws!]

Error: (01/18/2012 10:48:43 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Error in creating result PEAP-TLV in response to received PEAP-TLV (svchost.exe!ld!)

Error: (01/18/2012 10:41:47 PM) (Source: Application Error) (User: )
Description: Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [!ws!]

Error: (01/18/2012 09:17:49 PM) (Source: Bonjour Service) (User: )
Description: 388: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (01/18/2012 03:20:35 PM) (Source: Bonjour Service) (User: )
Description: 404: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (01/18/2012 03:34:11 AM) (Source: Bonjour Service) (User: )
Description: 404: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (01/16/2012 00:44:42 AM) (Source: Bonjour Service) (User: )
Description: 232: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (01/15/2012 08:15:26 PM) (Source: Bonjour Service) (User: )
Description: 232: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (01/14/2012 08:35:52 PM) (Source: Bonjour Service) (User: )
Description: 456: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)


System errors:
=============
Error: (01/23/2012 04:00:00 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (01/23/2012 11:00:00 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (01/23/2012 06:00:00 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (01/23/2012 01:00:00 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (01/22/2012 08:00:00 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (01/22/2012 03:00:00 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (01/22/2012 10:00:00 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (01/22/2012 05:00:00 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (01/22/2012 00:00:00 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (01/21/2012 07:00:00 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}


Microsoft Office Sessions:
=========================
Error: (11/30/2009 02:48:31 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4846 seconds with 960 seconds of active time. This session ended with a crash.

Error: (09/23/2009 00:00:52 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 6684 seconds with 60 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

Adobe Acrobat 5.0 (Version: 5.0)
Adobe Flash Player 10 Plugin (Version: 10.0.32.18)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
AIM 7
Apple Application Support (Version: 1.4.1)
Apple Mobile Device Support (Version: 3.3.1.3)
Apple Software Update (Version: 2.1.1.116)
Ask Toolbar (Version: 1.6.8.0)
ATI - Software Uninstall Utility (Version: 6.14.10.1022)
ATI AVIVO Codecs (Version: 10.0.0.31121)
ATI Catalyst Control Center (Version: 2.008.1201.1503)
ATI Display Driver (Version: 8.561-081201a1-072274C-ATI)
ATI HYDRAVISION (Version: 3.25.0006)
ATI Parental Control & Encoder (Version: 3.0)
ATI Problem Report Wizard (Version: 8.10)
BearShare
Bonjour (Version: 2.0.3.0)
Call of Duty® 4 - Modern Warfare™ (Version: 1.00.0000)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Core Implementation (Version: 2008.1201.1504.27008)
Catalyst Control Center Graphics Full Existing (Version: 2008.1201.1504.27008)
Catalyst Control Center Graphics Full New (Version: 2008.1201.1504.27008)
Catalyst Control Center Graphics Light (Version: 2008.1201.1504.27008)
Catalyst Control Center Graphics Previews Common (Version: 2008.1201.1504.27008)
Catalyst Control Center HydraVision Full (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Chinese Standard (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Chinese Traditional (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Czech (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Danish (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Dutch (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Finnish (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization French (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization German (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Greek (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Hungarian (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Italian (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Japanese (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Korean (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Norwegian (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Polish (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Portuguese (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Russian (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Spanish (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Swedish (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Thai (Version: 2008.1201.1504.27008)
Catalyst Control Center Localization Turkish (Version: 2008.1201.1504.27008)
ccc-core-preinstall (Version: 2008.1201.1504.27008)
ccc-core-static (Version: 2008.1201.1504.27008)
ccc-utility (Version: 2008.1201.1504.27008)
CCC Help Chinese Standard (Version: 2008.1201.1503.27008)
CCC Help Chinese Traditional (Version: 2008.1201.1503.27008)
CCC Help Czech (Version: 2008.1201.1503.27008)
CCC Help Danish (Version: 2008.1201.1503.27008)
CCC Help Dutch (Version: 2008.1201.1503.27008)
CCC Help English (Version: 2008.1201.1503.27008)
CCC Help Finnish (Version: 2008.1201.1503.27008)
CCC Help French (Version: 2008.1201.1503.27008)
CCC Help German (Version: 2008.1201.1503.27008)
CCC Help Greek (Version: 2008.1201.1503.27008)
CCC Help Hungarian (Version: 2008.1201.1503.27008)
CCC Help Italian (Version: 2008.1201.1503.27008)
CCC Help Japanese (Version: 2008.1201.1503.27008)
CCC Help Korean (Version: 2008.1201.1503.27008)
CCC Help Norwegian (Version: 2008.1201.1503.27008)
CCC Help Polish (Version: 2008.1201.1503.27008)
CCC Help Portuguese (Version: 2008.1201.1503.27008)
CCC Help Russian (Version: 2008.1201.1503.27008)
CCC Help Spanish (Version: 2008.1201.1503.27008)
CCC Help Swedish (Version: 2008.1201.1503.27008)
CCC Help Thai (Version: 2008.1201.1503.27008)
CCC Help Turkish (Version: 2008.1201.1503.27008)
CCleaner (remove only)
Download Updater (AOL LLC)
EA Download Manager (Version: 5.0.0.255)
Empire: Total War
ESET Online Scanner v3
Gadget Installer (Version: 1.0.2)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.2.2427.2330)
Google Update Helper (Version: 1.3.21.79)
Google Updater (Version: 2.4.2432.1652)
Half-Life 2: Lost Coast
HP Deskjet 3840 (Version: 1.00.0000)
HP Deskjet 3840 Series
HP Software Update (Version: 3.0.1.25)
IconPackager
Immunet Protect (Version: 2.0.17.48)
Impulse (Version: 1.0)
Intel® Management Engine Interface
Intel® Network Connections 13.0.44.0 (Version: 13.0.44.0)
Intel® Platform Administration Technology (Version: 4.0)
iPhone Configuration Utility (Version: 2.1.0.163)
iTunes (Version: 10.1.2.17)
Java™ 6 Update 15 (Version: 6.0.150)
Java™ 6 Update 6 (Version: 1.6.0.60)
LClock
LimeWire 5.5.9 (Version: 5.5.9)
Malwarebytes Anti-Malware version 1.60.0.1800 (Version: 1.60.0.1800)
McAfee VirusScan Enterprise (Version: 8.6.0)
MediaBar
Medieval II Total War (Version: 1.00.0000)
Medieval II Total War : Kingdoms : Americas (Version: 1.03.000)
Medieval II Total War : Kingdoms : Britannia (Version: 1.03.000)
Medieval II Total War : Kingdoms : Crusades (Version: 1.03.000)
Medieval II Total War : Kingdoms : Teutonic (Version: 1.03.000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office 2007 Recent Documents Gadget (Version: 12.0.4518.1027)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Standard 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft VC9 runtime libraries (Version: 1.0.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30304 (Version: 9.0.30304)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual J# .NET Redistributable Package 1.1 (Version: 1.1.4322)
Microsoft WinUsb 1.0
Microsoft WSE 3.0 Runtime (Version: 3.0.5305.0)
Mozilla Firefox (3.0) (Version: 3.0 (en-US))
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
Napoleon: Total War
PingPlotter Standard 3.30.4s (Version: 3.30.4s)
QuickTime (Version: 7.69.80.9)
R for Windows 2.10.0 (Version: 2.10.0)
RangeMax Wireless-N USB Adapter WN111v2 (Version: 2.00.0000)
Realtek High Definition Audio Driver (Version: 5.10.0.5628)
Resource Hacker 3.4.0
Right Click Image Converter
runtime (Version: 1.0.0)
Safari (Version: 5.33.19.4)
Sins of a Solar Empire
Sins of a Solar Empire (Version: 1.16.051)
Skins (Version: 2008.1201.1504.27008)
Skype 3.0 (Version: 3.0)
Skype add-on for IE
Skype Plugin Manager (Version: 1.0.130)
Spyware Doctor with AntiVirus 8.0 (Version: 8.0)
StarCraft II (Version: 1.4.2.20141)
Steam (Version: 1.0.0.0)
Styler (Version: 1.4.0.1)
TeamSpeak 3 Client
The Sims™ 3 (Version: 1.19.44)
The Sims™ 3 Ambitions (Version: 4.0.87)
The Sims™ 3 Fast Lane Stuff (Version: 5.5.4)
The Sims™ 3 High-End Loft Stuff (Version: 3.10.4)
The Sims™ 3 Late Night (Version: 6.0.81)
The Sims™ 3 World Adventures (Version: 2.14.4)
The Witcher (Version: 1.00.0000)
Total War: SHOGUN 2
Unlocker 1.8.5 (Version: 1.8.5)
Warcraft III: All Products
WebFldrs XP (Version: 9.50.7523)
WildGames (Version: 1.0.0.50)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Mobile Device Updater Component (Version: 04.07.1404.01)
Windows Sidebar (Version: 6.0.6001.18000)
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
YouTube Downloader 2.7.2
YouTube Downloader Toolbar v4.3 (Version: 4.3)
Zune (Version: 04.07.1404.01)
Zune Language Pack (DEU) (Version: 04.07.1404.01)
Zune Language Pack (ESP) (Version: 04.07.1404.01)
Zune Language Pack (FRA) (Version: 04.07.1404.01)
Zune Language Pack (ITA) (Version: 04.07.1404.01)
Zune Language Pack (NLD) (Version: 04.07.1404.01)
Zune Language Pack (PTB) (Version: 04.07.1404.01)
Zune Language Pack (PTG) (Version: 04.07.1404.01)

========================= Devices: ================================

Name: Intel® 82567V-2 Gigabit Network Connection
Description: Intel® 82567V-2 Gigabit Network Connection
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel
Service: e1yexpress
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: 1394 Net Adapter
Description: 1394 Net Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: NIC1394
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Class Guid: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


========================= Memory info: ===================================

Percentage of memory in use: 20%
Total physical RAM: 3068.25 MB
Available physical RAM: 2451.67 MB
Total Pagefile: 4952.66 MB
Available Pagefile: 4444.52 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.96 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:465.75 GB) (Free:327.23 GB) NTFS

========================= Users: ========================================

User accounts for \\A

Administrator ASPNET Brett
Guest HelpAssistant SUPPORT_388945a0

========================= Minidump Files ==================================

No minidump file found

**** End of log ****
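A log like the one above is read by hand in the thread; as an added example (not from the thread and not part of MiniToolBox), here is a small Python triage script that parses the same Result.txt sections and lists the items a helper would want to verify: Winsock provider entries that cannot be resolved or are not Microsoft's, a Firefox proxy mode that is not direct or system, hosts that answered "Destination host unreachable", and Application Error events for svchost.exe. The sample log inside it is constructed from the line formats in the thread; the section names, regexes and findings format are this example's own.

```python
"""Triage helper for a MiniToolBox Result.txt (added example: not from the thread
and not part of MiniToolBox). It splits the log into its '===== Name =====' sections
and flags what a helper would verify by hand: Winsock entries whose DLL could not be
resolved or whose provider is not Microsoft, a Firefox network.proxy.type other than
direct (0) or system (5), unreachable hosts, and svchost.exe Application Errors."""
import re
from typing import Dict, List

SAMPLE_LOG = """\
========================= FF Proxy Settings: ==============================
"network.proxy.type", 4
========================= IP Configuration: ================================
Pinging google.com [74.125.225.82] with 32 bytes of data:
Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.
========================= Winsock entries =====================================
Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\\Windows\\System32\\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 04 C:\\Program Files\\Bonjour\\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
========================= Event log errors: ===============================
Error: (01/18/2012 10:48:43 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Error: (01/18/2012 10:41:47 PM) (Source: Application Error) (User: )
Description: Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
"""

SECTION_RE = re.compile(r"^=+\s*([^=\s][^=]*?):?\s*=+$")      # '===== Name: ====='
WINSOCK_RE = re.compile(r"^(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[(.+?)\]\s+\((.*)\)$")
FF_PROXY_RE = re.compile(r'"network\.proxy\.type",\s*(\d+)')
PING_RE = re.compile(r"^Pinging (\S+) \[")
ERROR_RE = re.compile(r"^Error: \((.+?)\) \(Source: (.+?)\)")
FAULT_RE = re.compile(r"Faulting application (.*?), version")
FF_PROXY_MODES = {0: "direct", 1: "manual", 2: "PAC script", 4: "auto-detect (WPAD)", 5: "system"}

def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the log's lines under the '===== Name =====' header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        current = m.group(1).strip() if m else current
        if not m:
            sections.setdefault(current, []).append(line.rstrip())
    return sections

def check_winsock(lines: List[str]) -> List[str]:
    """An LSP/namespace provider sits in every socket call, so each entry must resolve."""
    out = []
    for m in filter(None, (WINSOCK_RE.match(ln.strip()) for ln in lines)):
        catalog, idx, path, size, vendor = m.groups()
        if size == "File Not found":
            out.append(f"{catalog} {idx} {path}: provider DLL could not be resolved")
        elif vendor != "Microsoft Corporation":
            out.append(f"{catalog} {idx} {path}: third-party provider ({vendor})")
    return out

def check_ff_proxy(lines: List[str]) -> List[str]:
    """Anything but direct (0) or system (5) means the browser follows its own proxy config."""
    modes = [int(m.group(1)) for m in map(FF_PROXY_RE.search, lines) if m]
    return [f"network.proxy.type={v}: {FF_PROXY_MODES.get(v, 'unknown')} proxy mode"
            for v in modes if v not in (0, 5)]

def check_reachability(lines: List[str]) -> List[str]:
    """Hosts whose ping replies were 'Destination host unreachable' (one finding per host)."""
    out, host = [], None
    for line in lines:
        m = PING_RE.match(line)
        if m:
            host = m.group(1)
        elif host and "Destination host unreachable" in line and host not in out:
            out.append(host)
    return out

def check_app_errors(lines: List[str]) -> List[str]:
    """Application Error events whose faulting image is svchost.exe or is blank."""
    out, stamp = [], None
    for line in lines:
        m = ERROR_RE.match(line)
        if m:  # keep the timestamp only while inside an Application Error event
            stamp = m.group(1) if m.group(2) == "Application Error" else None
        elif stamp and (f := FAULT_RE.search(line)) and f.group(1).strip() in ("", "svchost.exe"):
            out.append(f"{stamp}: Application Error in {f.group(1).strip() or '<empty image name>'}")
    return out

def triage(text: str) -> Dict[str, List[str]]:
    """Run every check against its section of the log and return findings by category."""
    s = split_sections(text)
    return {"winsock": check_winsock(s.get("Winsock entries", [])),
            "ff_proxy": check_ff_proxy(s.get("FF Proxy Settings", [])),
            "unreachable": check_reachability(s.get("IP Configuration", [])),
            "app_errors": check_app_errors(s.get("Event log errors", []))}
```

Run `triage(open("Result.txt").read())` on a real log; every finding is a prompt to verify the file, setting or event by hand, not a verdict on its own.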



#14 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 January 2012 - 09:38 PM

Thanks for running it again.
The rootkit still has a good grip on your system.

We need a deeper look. Please go here: Preparation Guide.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run skip it and move on.

Let me know if that went well.

#15 hamluis
    Moderator
  • Moderator
  • 55,752 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 24 January 2012 - 07:22 AM

Reference: http://www.bleepingcomputer.com/forums/topic439651.html/page__gopid__2569080#entry2569080

Now that you have posted a malware log topic and are being assisted in that topic, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic.

Louis



