root kit virus...please help...posted log


  • This topic is locked
42 replies to this topic

#1 dougers1

  • Members
  • 26 posts

Posted 06 March 2012 - 06:57 AM

Hi, I have a rootkit virus, please please please help. Here is my log.

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03
Run by John at 11:49:56 on 2012-03-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.156 [GMT 0:00]
.
AV: Antivirus *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Norton 360 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Enabled*
FW: Norton 360 *Disabled*
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZU&fl=0&ptb=drp4MRNIO2q.XEijFjr5sQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uWindow Title = Internet Explorer, optimized for Bing and MSN
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [mifauwhf] c:\documents and settings\john\local settings\application data\pqkhryibv\lqwnqygtssd.exe
uRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\2.bin\mwsoemon.exe
uRunOnce: [scan_after_setup] "c:\program files\avira\antivir desktop\avcenter.exe" /SCANAFTERSETUP="scan wait newprocess"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\2.bin\mwsoemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\2.bin\m3SrchMn.exe" /m=2 /w /h
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Monitor] c:\windows\pixart\pac7311\Monitor.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HostManager] c:\program files\common files\aol\1210353441\ee\AOLSoftware.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\john\startm~1\programs\startup\zooskm~1.lnk - c:\program files\zooskmessenger\ZooskMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol90t~1.lnk - c:\program files\aol 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aolcom~1.lnk - c:\program files\aol companion\companion.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?s=100000338&p=ZJfox000&a=dwi5JnNMZt7G92OFiovEDg&n=2010071611
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2E97A730-C343-4EC2-9ECB-27862674ADAE} : DhcpNameServer = 192.168.1.1
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\a22jl6rc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZJfox000&ptb=dwi5JnNMZt7G92OFiovEDg
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZJfox000&ptb=dwi5JnNMZt7G92OFiovEDg&ind=2010071611&ptnrS=ZJfox000&si=&n=77cf423b&psa=&st=kwd&searchfor=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn_2010_9_0_6\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\a22jl6rc.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\a22jl6rc.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCoreGecko5.dll
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\a22jl6rc.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCoreGecko6.dll
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\a22jl6rc.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCoreGecko7.dll
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\a22jl6rc.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCoreGecko8.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50524.0\npctrlui.dll
FF - plugin: c:\program files\mywebsearch\bar\2.bin\NPMYWEBS.DLL
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2012-3-2 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2012-3-2 196440]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2012-3-2 112984]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [2012-3-6 106904]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2012-3-6 82952]
S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2012-3-2 24408]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-3-2 610648]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-3-2 337112]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2012-3-6 11608]
S1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\mpfirewall.sys --> c:\windows\system32\drivers\MpFirewall.sys [?]
S2 AntiVirFirewallService;Avira FireWall;c:\program files\avira\antivir desktop\avfwsvc.exe [2012-3-6 567464]
S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2012-3-6 340136]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-6 136360]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2012-3-6 269480]
S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2012-3-6 428200]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-3-2 20696]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-3-2 44768]
S2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2012-3-2 131288]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-6 66616]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-21 54752]
S2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [2006-1-12 13696]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\2.bin\mwssvc.exe [2011-3-21 28762]
S2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [2006-1-12 13568]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-5-16 191752]
S3 EraserUtilDrvI11;EraserUtilDrvI11;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi11.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI11.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\3.tmp [2012-3-6 6144]
.
=============== Created Last 30 ================
.
2012-03-06 10:26:21 -------- d-----w- c:\documents and settings\john\application data\Avira
2012-03-06 10:23:14 -------- d-----w- c:\windows\LastGood.Tmp
2012-03-06 10:22:46 82952 ----a-w- c:\windows\system32\drivers\avfwim.sys
2012-03-06 10:22:46 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-03-06 10:22:46 106904 ----a-w- c:\windows\system32\drivers\avfwot.sys
2012-03-06 10:22:45 -------- d-----w- c:\program files\Avira
2012-03-06 10:22:45 -------- d-----w- c:\documents and settings\all users\application data\Avira
2012-03-06 09:29:18 6144 ------w- c:\windows\system32\3.tmp
2012-03-06 09:28:53 6144 ------w- c:\windows\system32\2.tmp
2012-03-06 09:28:38 6144 ------w- c:\windows\system32\1.tmp
2012-03-06 09:27:42 -------- d-----w- c:\program files\Sophos
2012-03-02 18:20:35 112984 ----a-w- c:\windows\system32\drivers\aswFW.sys
2012-03-02 18:19:54 196440 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2012-03-02 18:17:32 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2012-03-02 17:53:56 610648 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-02 17:53:56 24408 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2012-03-02 17:51:45 41184 ----a-w- c:\windows\avastSS.scr
2012-03-02 17:50:13 -------- d-----w- c:\program files\AVAST Software
2012-03-02 17:50:13 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDS721616PLA380 rev.P22OA92A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x850B4EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x840f4872; SUB DWORD [EBP-0x4], 0x840f412e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8522D4B0]
3 CLASSPNP[0xF74C7FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000076[0x851B61C8]
5 ACPI[0xF743E620] -> nt!IofCallDriver[0x804E37D5] -> [0x851B5030]
[0x851A0B78] -> IRP_MJ_CREATE -> 0x850B4EC5
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDS721616PLA380_________________P22OA92A#5&1c6638a1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x850B4AEA
user & kernel MBR OK
sectors 312499998 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:51:50.62 ===============

Edited by dougers1, 06 March 2012 - 07:34 AM.



#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 March 2012 - 07:51 AM

Hello

You don't need to make a new topic to reply to me; just hit the reply button and then post the new reports.

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 dougers1

  • Topic Starter
  • Members
  • 26 posts

Posted 06 March 2012 - 08:51 AM

I have followed your instructions, and once ComboFix ended it restarted the computer (it didn't let me save the log). When it restarts it's still the same: Windows won't load personal settings unless in safe mode.
Please help.

ComboFix 12-03-04.02 - John 03/06/2012 13:23:52.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.218 [GMT 0:00]
Running from: c:\documents and settings\John\My Documents\Downloads\ComboFix.exe
AV: Antivirus *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton 360 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: avast! Internet Security *Enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\John\Application Data\Sewa
c:\documents and settings\John\Application Data\Sewa\wovy.len
c:\documents and settings\John\Application Data\Sewa\wovy.tmp
c:\documents and settings\John\Recent\Thumbs.db
c:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\0003F379.urr
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\CHROME.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\2.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HTmlmu.dll
c:\program files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\2.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\2.bin\F3SCrctr.dll
c:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\2.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\2.bin\INSTALL.RDF
c:\program files\MyWebSearch\bar\2.bin\M3AUXSTB.DLL
c:\program files\MyWebSearch\bar\2.bin\M3DLGHK.DLL
c:\program files\MyWebSearch\bar\2.bin\M3FFTBPR.DLL
c:\program files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\2.bin\M3HTml.dll
c:\program files\MyWebSearch\bar\2.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MSg.dll
c:\program files\MyWebSearch\bar\2.bin\M3OUtlcn.dll
c:\program files\MyWebSearch\bar\2.bin\M3PATCH.DLL
c:\program files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\2.bin\M3TPINST.DLL
c:\program files\MyWebSearch\bar\2.bin\M3UNPAT.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSMLBTN.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSUABTN.DLL
c:\program files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\0003661E
c:\program files\MyWebSearch\bar\Cache\0004006A.exe
c:\program files\MyWebSearch\bar\Cache\00049779.bin
c:\program files\MyWebSearch\bar\Cache\0004A043.bin
c:\program files\MyWebSearch\bar\Cache\0004A4C8.bin
c:\program files\MyWebSearch\bar\Cache\0004A8A0.bin
c:\program files\MyWebSearch\bar\Cache\0004AA75.bin
c:\program files\MyWebSearch\bar\Cache\0005F17C
c:\program files\MyWebSearch\bar\Cache\00065B90
c:\program files\MyWebSearch\bar\Cache\00073E8D
c:\program files\MyWebSearch\bar\Cache\000AF74F.bin
c:\program files\MyWebSearch\bar\Cache\000AF8A7.bin
c:\program files\MyWebSearch\bar\Cache\000AF934.bin
c:\program files\MyWebSearch\bar\Cache\000AFCBE.bin
c:\program files\MyWebSearch\bar\Cache\000C7AE2.bin
c:\program files\MyWebSearch\bar\Cache\000CEF57
c:\program files\MyWebSearch\bar\Cache\000E626F.bmp
c:\program files\MyWebSearch\bar\Cache\0016A32A
c:\program files\MyWebSearch\bar\Cache\001F53A7
c:\program files\MyWebSearch\bar\Cache\0028B7A5.bmp
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Message\COMMON\8_step1.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.htm
c:\program files\MyWebSearch\bar\Message\COMMON\bkez.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkgr.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkgs.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bklf.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkrg.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkwebfet.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzc.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzl.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzn.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzq.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzr.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzu.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzv.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzw.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzwinky.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn2d.png
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn2r.png
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn3d.png
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn3r.png
c:\program files\MyWebSearch\bar\Message\COMMON\center.htm
c:\program files\MyWebSearch\bar\Message\COMMON\index.htm
c:\program files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
c:\program files\MyWebSearch\bar\Message\COMMON\protect.htm
c:\program files\MyWebSearch\bar\Message\COMMON\rebut4.htm
c:\program files\MyWebSearch\bar\Message\COMMON\rebut4b.htm
c:\program files\MyWebSearch\bar\Message\COMMON\rebut4c.htm
c:\program files\MyWebSearch\bar\Message\COMMON\shield.png
c:\program files\MyWebSearch\bar\Message\COMMON\shocked.gif
c:\program files\MyWebSearch\bar\Message\COMMON\stop.gif
c:\program files\MyWebSearch\bar\Message\COMMON\systray.htm
c:\program files\MyWebSearch\bar\Message\COMMON\systrayp.htm
c:\program files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
c:\program files\MyWebSearch\bar\Message\COMMON\warn.gif
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Overlay\COMMON.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_FeatCk.dat
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\setups\My Web Search Installer(0013837b).exe
c:\program files\system32
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\kb913800.exe
c:\windows\PRAGMAquqduwievb
c:\windows\PRAGMAquqduwievb\PRAGMAcfg.ini
c:\windows\PRAGMAquqduwievb\PRAGMAsrcr.dat
c:\windows\system32\1.tmp
c:\windows\system32\2.tmp
c:\windows\system32\3.tmp
c:\windows\system32\linkinfo(2).dll
c:\windows\system32\SET14.tmp
c:\windows\system32\SET15.tmp
c:\windows\system32\SET4A.tmp
c:\windows\system32\SET4F.tmp
c:\windows\system32\SET56.tmp
c:\windows\system32\SET5F.tmp
c:\windows\system32\SET61.tmp
c:\windows\system32\SET64.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_PRAGMAquqduwievb
-------\Service_MyWebSearchService
-------\Service_PRAGMAquqduwievb
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2
.
.
((((((((((((((((((((((((( Files Created from 2012-02-06 to 2012-03-06 )))))))))))))))))))))))))))))))
.
.
2012-03-06 13:10 . 2012-03-06 13:10 -------- d-----w- c:\windows\LastGood
2012-03-06 10:26 . 2012-03-06 10:26 -------- d-----w- c:\documents and settings\John\Application Data\Avira
2012-03-06 10:22 . 2011-07-21 11:23 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-03-06 10:22 . 2011-07-21 11:23 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-03-06 10:22 . 2011-07-21 11:23 82952 ----a-w- c:\windows\system32\drivers\avfwim.sys
2012-03-06 10:22 . 2011-07-21 11:23 106904 ----a-w- c:\windows\system32\drivers\avfwot.sys
2012-03-06 10:22 . 2010-06-17 15:23 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2012-03-06 10:22 . 2010-06-17 15:23 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2012-03-06 10:22 . 2012-03-06 10:22 -------- d-----w- c:\program files\Avira
2012-03-06 10:22 . 2012-03-06 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-03-06 09:27 . 2012-03-06 09:27 -------- d-----w- c:\program files\Sophos
2012-03-05 18:32 . 2012-03-05 18:32 -------- d-----w- c:\documents and settings\jc
2012-03-02 18:20 . 2012-02-23 16:13 112984 ----a-w- c:\windows\system32\drivers\aswFW.sys
2012-03-02 18:19 . 2012-02-23 16:12 196440 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2012-03-02 18:17 . 2012-02-23 15:54 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2012-03-02 17:54 . 2012-02-23 16:10 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-02 17:54 . 2012-02-23 16:12 337112 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-02 17:53 . 2012-02-23 16:10 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-02 17:53 . 2012-02-23 16:10 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-02 17:53 . 2012-02-23 16:12 610648 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-02 17:53 . 2012-02-23 16:11 24408 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2012-03-02 17:53 . 2012-02-23 16:10 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-02 17:53 . 2012-02-23 16:10 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-02 17:53 . 2012-02-23 16:07 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-02 17:51 . 2012-02-23 16:23 41184 ----a-w- c:\windows\avastSS.scr
2012-03-02 17:51 . 2012-02-23 16:23 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-02 17:50 . 2012-03-02 17:50 -------- d-----w- c:\program files\AVAST Software
2012-03-02 17:50 . 2012-03-02 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-19 16:55 . 2011-12-08 14:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 15:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-28 98304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2010-10-13 221184]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2010-10-13 192512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2010-10-13 26112]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2010-10-13 40960]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"Monitor"="c:\windows\PixArt\PAC7311\Monitor.exe" [2006-11-03 319488]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"HostManager"="c:\program files\Common Files\AOL\1210353441\ee\AOLSoftware.exe" [2006-09-26 50736]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-12-28 236544]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2010-10-13 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\John\Start Menu\Programs\Startup\
ZooskMessenger.lnk - c:\program files\ZooskMessenger\ZooskMessenger.exe [2012-1-12 142336]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2006-12-28 156784]
AOL Companion.lnk - c:\program files\AOL Companion\companion.exe [2006-12-28 250992]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-12-28 7168]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\1210353441\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [3/2/2012 6:17 PM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [3/2/2012 6:19 PM 196440]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [3/2/2012 6:20 PM 112984]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [3/6/2012 10:22 AM 106904]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [3/6/2012 10:22 AM 82952]
S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [3/2/2012 5:53 PM 24408]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/2/2012 5:53 PM 610648]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/2/2012 5:54 PM 337112]
S2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [3/6/2012 10:22 AM 567464]
S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [3/6/2012 10:22 AM 340136]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/6/2012 10:22 AM 136360]
S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [3/6/2012 10:22 AM 428200]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/2/2012 5:54 PM 20696]
S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [3/2/2012 6:17 PM 131288]
S2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [1/12/2006 10:27 PM 13696]
S2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [1/12/2006 10:29 PM 13568]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [5/16/2011 10:32 AM 191752]
S3 EraserUtilDrvI11;EraserUtilDrvI11;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI11.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI11.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZU&fl=0&ptb=drp4MRNIO2q.XEijFjr5sQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\a22jl6rc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZJfox000&ptb=dwi5JnNMZt7G92OFiovEDg
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZJfox000&ptb=dwi5JnNMZt7G92OFiovEDg&ind=2010071611&ptnrS=ZJfox000&si=&n=77cf423b&psa=&st=kwd&searchfor=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-mifauwhf - c:\documents and settings\John\Local Settings\Application Data\pqkhryibv\lqwnqygtssd.exe
HKLM-Run-Corel Photo Downloader - c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-06 13:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDS721616PLA380 rev.P22OA92A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8514FEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x840f4872; SUB DWORD [EBP-0x4], 0x840f412e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8511E030]
3 CLASSPNP[0xF74C7FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000079[0x85203F18]
5 ACPI[0xF743E620] -> nt!IofCallDriver[0x804E37D5] -> [0x85268A38]
[0x85137E20] -> IRP_MJ_CREATE -> 0x8514FEC5
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDS721616PLA380_________________P22OA92A#5&1c6638a1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8514FAEA
user & kernel MBR OK
sectors 312499998 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1248)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(1308)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(660)
c:\windows\system32\WININET.dll
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
Completion time: 2012-03-06 14:03:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-06 14:03
.
Pre-Run: 89,435,533,312 bytes free
Post-Run: 89,954,570,240 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 20D8CE3E26EF5B7ED90BBEE17EADE3E0

Edited by gringo_pr, 06 March 2012 - 09:40 AM.
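Added example (an editor's addition, not part of dougers1's log and not code from ComboFix or Gmer): the whole finding in the log above sits in three lines of the MBR-detector section, a DriverStartIo hook on \Driver\atapi, disk I/O dispatched to an address no loaded module owns (>>UNKNOWN [0x8514FEC5]<<), and a run of sectors that reads differently from user mode and from the kernel. The catchme result of zero hidden files does not contradict that: a TDL3-class infection hides sectors at the tail of the disk, not files in the file system. The script below pulls those indicators out of the detector output and states what they add up to. The sample input is an excerpt of the log posted above; the regexes are written against the line shapes seen there, which is an assumption about Gmer's format rather than something this page documents.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: Gmer rootkit-detector lines excerpted from the ComboFix log
# posted above (only the lines that carry indicators are kept).
SAMPLE_LOG = r"""
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
scan completed successfully
hidden files: 0
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8514FEC5]<<
[0x85137E20] -> IRP_MJ_CREATE -> 0x8514FEC5
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x8514FAEA
user & kernel MBR OK
sectors 312499998 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
"""

# Line shapes as they appear in the log above (assumed, not a documented format).
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)$")
SECTOR_MISMATCH = re.compile(r"^sectors (\d+) \(\+(\d+)\): user != kernel$")
HIDDEN_FILES = re.compile(r"^hidden files: (\d+)$")


def triage(text: str) -> Dict[str, object]:
    """Collect the disk-level indicators from a catchme + MBR-detector dump."""
    hooks: List[Dict[str, str]] = []
    unknown: Optional[str] = None
    mismatch: Optional[Tuple[int, int]] = None
    hidden: Optional[int] = None
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if (m := UNKNOWN_MODULE.search(line)):
            # the disk I/O path passes through code that no loaded driver owns
            unknown = m.group(1)
        elif (m := HIDDEN_FILES.match(line)):
            hidden = int(m.group(1))
        elif line == "detected hooks:":
            in_hooks = True
        elif in_hooks and (m := HOOK.match(line)):
            hooks.append({"driver": m.group(1), "routine": m.group(2), "target": m.group(3)})
        elif (m := SECTOR_MISMATCH.match(line)):
            # the same sectors return different bytes via user-mode and kernel reads
            in_hooks = False
            mismatch = (int(m.group(1)), int(m.group(2)))
        else:
            in_hooks = False
    result: Dict[str, object] = {"unknown_module": unknown, "hooks": hooks,
                                 "sector_mismatch": mismatch, "hidden_files": hidden}
    result["verdict"] = verdict(result)
    return result


def verdict(r: Dict[str, object]) -> str:
    """Turn the collected indicators into a one-line call."""
    hooks = r["hooks"]  # type: ignore[assignment]
    startio = [h["driver"] for h in hooks if h["routine"] == "DriverStartIo"]
    if startio and r["sector_mismatch"] and r["unknown_module"]:
        start, count = r["sector_mismatch"]  # type: ignore[misc]
        return (f"disk-level rootkit (TDL3-class): StartIo hook on {', '.join(startio)}, "
                f"unknown code at {r['unknown_module']} in the disk path, and {count} "
                f"sectors from {start} differ between user and kernel reads; a clean "
                f"file-level scan (hidden files: {r['hidden_files']}) does not clear this")
    if hooks or r["unknown_module"] or r["sector_mismatch"]:
        return "suspicious: kernel hooks, unknown code or sector mismatch in the disk path"
    return "no disk-level indicators"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG)["verdict"])
```

The sector number is worth a second look on its own: the drive is reported further down the thread as 0x2540BE4000 bytes, which at 512-byte sectors is 312,500,000 sectors, so the mismatching run at 312499998 is the very tail of the disk, which is where TDL3 keeps its hidden storage. That, plus the StartIo hook on the storage driver, is why the catchme scan above can be clean and the machine still infected.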


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:46 AM

Posted 06 March 2012 - 09:44 AM

:multiple Anti Virus programs:

It looks like you are operating your computer with multiple anti-virus programs running in memory at once:

AV: Antivirus *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton 360 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove all but one of them.



I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
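Added example, an editor's addition rather than gringo_pr's or Kaspersky's code: two checks a helper does by eye on the logs this post asks for. The first reads the DDS product header (the three AV lines quoted above) and lists the AV products marked Enabled, which is the "more than one AV in memory" problem the post opens with. The second reads TDSSKiller's driver-scan lines and pulls out every "Suspicious file (Forged)" entry, where the MD5 the tool obtains through the normal file read and the MD5 it obtains through its second read path disagree; that disagreement is how a disk-filtering rootkit like TDL3 shows up even though no file is hidden. Which of the two hashes is the clean driver does not matter for triage, the disagreement itself is the indicator. The DDS lines are constructed in the format quoted above; the TDSSKiller lines are constructed in the tool's layout using the values from the report posted further down the thread.

```python
import re
from typing import Dict, List

# Constructed sample: the product lines DDS prints at the top of its log,
# in the same shape as the three AV lines quoted in the post above.
DDS_HEADER = """\
AV: Antivirus *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton 360 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: avast! Internet Security *Enabled*
FW: Norton 360 *Disabled*
"""

# Constructed sample of TDSSKiller driver-scan lines (time, thread id,
# service, md5, path), values taken from the report posted later in the thread.
TDSS_LOG = r"""
14:59:15.0000 2696 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:59:15.0000 2696 AsyncMac - ok
14:59:15.0078 2696 atapi (48f983e51d618252bd8fc6005d26c12a) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:59:15.0078 2696 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 48f983e51d618252bd8fc6005d26c12a, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
14:59:15.0078 2696 atapi ( Rootkit.Win32.TDSS.tdl3 ) - infected
14:59:15.0078 2696 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
14:59:15.0171 2696 Atdisk - ok
"""

# Line shapes assumed from the logs quoted on this page.
PRODUCT = re.compile(r"^(AV|FW): (.+?) \*(Enabled|Disabled)(?:/(Updated|Outdated))?\*(?: (\{[^}]+\}))?$")
SERVICE = re.compile(r"^\S+ \d+ (\S+) \(([0-9a-f]{32})\) (\S.*)$")
FORGED = re.compile(r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})")
INFECTED = re.compile(r"^\S+ \d+ (\S+) \( (\S+) \) - infected$")


def security_products(text: str) -> List[Dict[str, str]]:
    """Every AV/FW product line from a DDS header, with its state."""
    out = []
    for line in text.splitlines():
        m = PRODUCT.match(line.strip())
        if m:
            kind, name, state, freshness, guid = m.groups()
            out.append({"kind": kind, "name": name, "state": state,
                        "freshness": freshness or "", "guid": guid or ""})
    return out


def enabled_avs(products: List[Dict[str, str]]) -> List[str]:
    """Names of the AV products DDS reports as Enabled (more than one is the problem)."""
    return [p["name"] for p in products if p["kind"] == "AV" and p["state"] == "Enabled"]


def tdsskiller_findings(text: str) -> List[Dict[str, str]]:
    """Forged-file and infected-service entries from a TDSSKiller log, keyed by service."""
    service_of: Dict[str, str] = {}          # path -> service name from its listing line
    findings: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SERVICE.match(line)):
            service_of[m.group(3)] = m.group(1)
        elif (m := FORGED.search(line)):
            # two read paths gave different bytes for the same file
            path, real, fake = m.groups()
            svc = service_of.get(path, path)
            f = findings.setdefault(svc, {"service": svc, "path": path})
            f["real_md5"], f["fake_md5"] = real, fake
        elif (m := INFECTED.match(line)):
            svc, detection = m.groups()
            findings.setdefault(svc, {"service": svc, "path": ""})["detection"] = detection
    return list(findings.values())


def report(products: List[Dict[str, str]], findings: List[Dict[str, str]]) -> List[str]:
    """Human-readable summary lines for both checks."""
    lines = []
    avs = enabled_avs(products)
    if len(avs) > 1:
        lines.append("more than one AV enabled: " + ", ".join(avs))
    for f in findings:
        lines.append(f"{f['service']}: {f.get('detection', 'forged file')} "
                     f"(Real md5 {f.get('real_md5', '?')}, Fake md5 {f.get('fake_md5', '?')})")
    return lines


if __name__ == "__main__":
    for line in report(security_products(DDS_HEADER), tdsskiller_findings(TDSS_LOG)):
        print(line)
```

Note that the per-service "ok" lines carry no hash, so a driver that only appears as "- ok" is one the tool found consistent; the forged entry is the only place both hashes are printed side by side.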

#5 dougers1

dougers1
  • Topic Starter

  • Members
  • 26 posts
  • Local time:04:46 AM

Posted 06 March 2012 - 10:27 AM

Hi gringo, here are the logs that you requested... thanks for all this help.

Attached Files



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:46 AM

Posted 06 March 2012 - 10:35 AM

Hello


You did not send me the TDSSKiller report. I would like to see that, please.


SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
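Added example, an editor's addition and not SystemLook's own code: what the :filefind request above does, rebuilt in Python so the purpose of the request is visible. It walks a tree for every file named atapi.sys regardless of case (NTFS is case-insensitive), records size, date and MD5 for each, and reports the copy whose content disagrees with the rest: the live driver in system32\drivers against the installer copies in dllcache and ServicePackFiles. The directory layout is a constructed stand-in built in a temporary folder and the file bytes are placeholders, not a real driver.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def md5_of(path: Path) -> str:
    """MD5 of a file, read in chunks so large drivers are not slurped into memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def filefind(root: str, name: str) -> List[Dict[str, object]]:
    """Every file called `name` (case-insensitive) under root, with size, mtime and MD5,
    which is the listing SystemLook's :filefind produces."""
    hits: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = Path(dirpath, fn)
                st = p.stat()
                hits.append({"path": str(p), "size": st.st_size,
                             "mtime": int(st.st_mtime), "md5": md5_of(p)})
    return sorted(hits, key=lambda h: str(h["path"]))


def group_by_hash(hits: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Copies bucketed by content hash; more than one bucket means the copies differ."""
    groups: Dict[str, List[str]] = {}
    for h in hits:
        groups.setdefault(str(h["md5"]), []).append(str(h["path"]))
    return groups


def differing_copies(hits: List[Dict[str, object]]) -> List[str]:
    """Paths whose content disagrees with the largest group of identical copies."""
    groups = group_by_hash(hits)
    if len(groups) < 2:
        return []
    majority = max(groups.values(), key=len)
    return [p for paths in groups.values() if paths is not majority for p in paths]


def demo_tree() -> str:
    """Constructed stand-in for an XP system drive: three atapi.sys copies,
    the live one under system32\\drivers carrying two extra bytes."""
    root = tempfile.mkdtemp(prefix="filefind-")
    clean = b"MZ" + b"\x00" * 1000  # placeholder bytes, not a real driver image
    copies = {
        "WINDOWS/system32/drivers/atapi.sys": clean + b"\x90\x90",
        "WINDOWS/ServicePackFiles/i386/atapi.sys": clean,
        "WINDOWS/system32/dllcache/ATAPI.SYS": clean,
    }
    for rel, data in copies.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    tree = demo_tree()
    found = filefind(tree, "atapi.sys")
    for hit in found:
        print(f"{hit['path']}  {hit['size']} bytes  md5={hit['md5']}")
    print("differs from the other copies:", differing_copies(found))
```

One caveat that explains why this is asked for alongside, not instead of, the disk-level tools: on an infected XP box a user-mode walk like this reads through the hooked atapi stack, so the live copy can hash identical to the backups while the sectors underneath differ. A filefind listing that shows a mismatch is useful; one that shows agreement does not clear the driver.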

#7 dougers1

dougers1
  • Topic Starter

  • Members
  • 26 posts
  • Local time:04:46 AM

Posted 06 March 2012 - 10:40 AM

Sorry... here is the TDSS report.

14:59:02.0109 2348 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
14:59:02.0140 2348 ============================================================
14:59:02.0140 2348 Current date / time: 2012/03/06 14:59:02.0140
14:59:02.0140 2348 SystemInfo:
14:59:02.0140 2348
14:59:02.0140 2348 OS Version: 5.1.2600 ServicePack: 3.0
14:59:02.0140 2348 Product type: Workstation
14:59:02.0140 2348 ComputerName: JOHN
14:59:02.0140 2348 UserName: John
14:59:02.0140 2348 Windows directory: C:\WINDOWS
14:59:02.0140 2348 System windows directory: C:\WINDOWS
14:59:02.0140 2348 Processor architecture: Intel x86
14:59:02.0140 2348 Number of processors: 1
14:59:02.0140 2348 Page size: 0x1000
14:59:02.0140 2348 Boot type: Normal boot
14:59:02.0140 2348 ============================================================
14:59:03.0968 2348 Drive \Device\Harddisk0\DR0 - Size: 0x2540BE4000 (149.01 Gb), SectorSize: 0x200, Cylinders: 0x4BFC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
14:59:03.0968 2348 Drive \Device\Harddisk1\DR7 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
14:59:03.0984 2348 \Device\Harddisk0\DR0:
14:59:03.0984 2348 MBR used
14:59:03.0984 2348 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0xD62F39C
14:59:04.0000 2348 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xD642DA0, BlocksNum 0x4A7967E
14:59:04.0000 2348 \Device\Harddisk1\DR7:
14:59:04.0000 2348 MBR used
14:59:04.0000 2348 \Device\Harddisk1\DR7\Partition0: MBR, Type 0x7, StartLBA 0x40, BlocksNum 0x74706D40
14:59:04.0156 2348 Initialize success
14:59:04.0156 2348 ============================================================
14:59:09.0359 2696 ============================================================
14:59:09.0359 2696 Scan started
14:59:09.0359 2696 Mode: Manual;
14:59:09.0359 2696 ============================================================
14:59:10.0390 2696 Aavmker4 (fdba5bb4c8171cda00b2233d5389ee5f) C:\WINDOWS\system32\drivers\Aavmker4.sys
14:59:10.0390 2696 Aavmker4 - ok
14:59:10.0421 2696 Abiosdsk - ok
14:59:10.0484 2696 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
14:59:10.0484 2696 abp480n5 - ok
14:59:10.0656 2696 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:59:10.0656 2696 ACPI - ok
14:59:10.0718 2696 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
14:59:10.0718 2696 ACPIEC - ok
14:59:10.0812 2696 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
14:59:10.0828 2696 adpu160m - ok
14:59:10.0875 2696 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:59:10.0890 2696 aec - ok
14:59:11.0015 2696 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
14:59:11.0015 2696 Afc - ok
14:59:11.0078 2696 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
14:59:11.0078 2696 AFD - ok
14:59:11.0125 2696 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
14:59:11.0140 2696 agp440 - ok
14:59:11.0281 2696 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
14:59:11.0281 2696 agpCPQ - ok
14:59:11.0421 2696 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
14:59:11.0421 2696 Aha154x - ok
14:59:11.0453 2696 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
14:59:11.0468 2696 aic78u2 - ok
14:59:11.0562 2696 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
14:59:11.0562 2696 aic78xx - ok
14:59:11.0656 2696 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
14:59:11.0656 2696 AliIde - ok
14:59:11.0750 2696 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
14:59:11.0750 2696 alim1541 - ok
14:59:11.0796 2696 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
14:59:11.0796 2696 amdagp - ok
14:59:11.0843 2696 AmdK8 (0a4d13b388c814560bd69c3a496ecfa8) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
14:59:11.0843 2696 AmdK8 - ok
14:59:11.0921 2696 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
14:59:11.0921 2696 amsint - ok
14:59:11.0968 2696 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
14:59:11.0984 2696 asc - ok
14:59:12.0031 2696 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
14:59:12.0031 2696 asc3350p - ok
14:59:12.0125 2696 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
14:59:12.0125 2696 asc3550 - ok
14:59:12.0218 2696 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
14:59:12.0218 2696 ASCTRM - ok
14:59:12.0281 2696 aswFsBlk (581b82df5dbcc1dda6b775fac0d92472) C:\WINDOWS\system32\drivers\aswFsBlk.sys
14:59:12.0281 2696 aswFsBlk - ok
14:59:12.0375 2696 aswFW (1366147ff64fd82f833c16d0c17d4121) C:\WINDOWS\system32\drivers\aswFW.sys
14:59:12.0390 2696 aswFW - ok
14:59:12.0468 2696 aswKbd (d58ac76eb4d2b478b654ebd6550965bb) C:\WINDOWS\system32\drivers\aswKbd.sys
14:59:12.0500 2696 aswKbd - ok
14:59:12.0781 2696 aswMon2 (4310e0977b48ec9bc5cca6931f806e6d) C:\WINDOWS\system32\drivers\aswMon2.sys
14:59:12.0812 2696 aswMon2 - ok
14:59:13.0093 2696 aswNdis (7b948e3657bea62e437bc46ca6ef6012) C:\WINDOWS\system32\DRIVERS\aswNdis.sys
14:59:13.0109 2696 aswNdis - ok
14:59:13.0468 2696 aswNdis2 (525a3ebc871c34b966167e9b00e459ad) C:\WINDOWS\system32\drivers\aswNdis2.sys
14:59:13.0484 2696 aswNdis2 - ok
14:59:13.0781 2696 AswRdr (0b44ee90b3db93582b260a80b28b7ffd) C:\WINDOWS\system32\drivers\AswRdr.sys
14:59:13.0796 2696 AswRdr - ok
14:59:14.0140 2696 aswSnx (ca9601cd277a1e510b80422a40240a95) C:\WINDOWS\system32\drivers\aswSnx.sys
14:59:14.0171 2696 aswSnx - ok
14:59:14.0500 2696 aswSP (05ea22dde5ca7ee3a865046aff2f0229) C:\WINDOWS\system32\drivers\aswSP.sys
14:59:14.0546 2696 aswSP - ok
14:59:14.0890 2696 aswTdi (3ac73a9e7378848d1bde174b4bb39212) C:\WINDOWS\system32\drivers\aswTdi.sys
14:59:14.0890 2696 aswTdi - ok
14:59:15.0000 2696 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:59:15.0000 2696 AsyncMac - ok
14:59:15.0078 2696 atapi (48f983e51d618252bd8fc6005d26c12a) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:59:15.0078 2696 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 48f983e51d618252bd8fc6005d26c12a, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
14:59:15.0078 2696 atapi ( Rootkit.Win32.TDSS.tdl3 ) - infected
14:59:15.0078 2696 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
14:59:15.0171 2696 Atdisk - ok
14:59:15.0218 2696 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:59:15.0234 2696 Atmarpc - ok
14:59:15.0312 2696 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:59:15.0312 2696 audstub - ok
14:59:15.0406 2696 avfwot - ok
14:59:15.0437 2696 avgntflt - ok
14:59:15.0468 2696 bcm4sbxp (78e7b52da292fa90bad2f887bbf22159) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
14:59:15.0468 2696 bcm4sbxp - ok
14:59:15.0500 2696 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:59:15.0500 2696 Beep - ok
14:59:15.0625 2696 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
14:59:15.0625 2696 BthEnum - ok
14:59:15.0718 2696 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
14:59:15.0734 2696 BthPan - ok
14:59:15.0828 2696 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
14:59:15.0843 2696 BTHPORT - ok
14:59:16.0015 2696 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
14:59:16.0015 2696 BTHUSB - ok
14:59:16.0031 2696 catchme - ok
14:59:16.0093 2696 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
14:59:16.0093 2696 cbidf - ok
14:59:16.0171 2696 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:59:16.0171 2696 cbidf2k - ok
14:59:16.0234 2696 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
14:59:16.0234 2696 CCDECODE - ok
14:59:16.0281 2696 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
14:59:16.0296 2696 cd20xrnt - ok
14:59:16.0390 2696 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:59:16.0390 2696 Cdaudio - ok
14:59:16.0437 2696 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:59:16.0453 2696 Cdfs - ok
14:59:16.0546 2696 cdrbsdrv (248349293ca42ee5db61dc1fd85a2f49) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
14:59:16.0546 2696 cdrbsdrv - ok
14:59:16.0750 2696 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:59:16.0781 2696 Cdrom - ok
14:59:16.0859 2696 Changer - ok
14:59:16.0968 2696 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
14:59:16.0968 2696 CmdIde - ok
14:59:17.0062 2696 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
14:59:17.0078 2696 Cpqarray - ok
14:59:17.0171 2696 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
14:59:17.0171 2696 dac2w2k - ok
14:59:17.0250 2696 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
14:59:17.0250 2696 dac960nt - ok
14:59:17.0312 2696 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:59:17.0312 2696 Disk - ok
14:59:17.0437 2696 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
14:59:17.0453 2696 DLABOIOM - ok
14:59:17.0500 2696 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
14:59:17.0500 2696 DLACDBHM - ok
14:59:17.0531 2696 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS
14:59:17.0531 2696 DLADResN - ok
14:59:17.0593 2696 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
14:59:17.0593 2696 DLAIFS_M - ok
14:59:17.0718 2696 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
14:59:17.0718 2696 DLAOPIOM - ok
14:59:17.0765 2696 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
14:59:17.0765 2696 DLAPoolM - ok
14:59:26.0437 2696 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
14:59:26.0453 2696 \Device\Harddisk0\DR0 - ok
14:59:26.0500 2696 Boot (0x1200) (2496006508c61ff3af7dfa56619a6ee8) \Device\Harddisk0\DR0\Partition0
14:59:26.0500 2696 \Device\Harddisk0\DR0\Partition0 - ok
14:59:26.0531 2696 Boot (0x1200) (c7846c079b61753dc635c236d9cb7d94) \Device\Harddisk0\DR0\Partition1
14:59:26.0546 2696 \Device\Harddisk0\DR0\Partition1 - ok
14:59:26.0562 2696 ============================================================
14:59:26.0562 2696 Scan finished
14:59:26.0562 2696 ============================================================
14:59:26.0578 4064 Detected object count: 1
14:59:26.0578 4064 Actual detected object count: 1
14:59:49.0328 4064 C:\WINDOWS\system32\DRIVERS\atapi.sys - copied to quarantine
14:59:57.0343 4064 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
14:59:57.0359 4064 \Device\Harddisk0\DR0\TDLFS\tdl - copied to quarantine
14:59:57.0390 4064 \Device\Harddisk0\DR0\TDLFS\rsrc.dat - copied to quarantine
14:59:57.0390 4064 \Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
14:59:57.0406 4064 \Device\Harddisk0\DR0\TDLFS\tdlcmd.dll - copied to quarantine
15:00:05.0046 4064 Backup copy found, using it..
15:00:05.0062 4064 C:\WINDOWS\system32\DRIVERS\atapi.sys - will be cured on reboot
15:00:05.0062 4064 atapi ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure
15:00:14.0281 4032 Deinitialize success



Edited by gringo_pr, 06 March 2012 - 10:54 AM.


#8 dougers1
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:04:46 AM

Posted 06 March 2012 - 10:44 AM

Here is also the SystemLook report.

SystemLook 30.07.11 by jpshortstuff
Log created at 15:41 on 06/03/2012 by John
Administrator - Elevation successful

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a---- 95360 bytes [19:49 06/01/2007] [22:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c- 95360 bytes [20:00 14/01/2009] [22:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 96512 bytes [14:00 06/03/2012] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------- 96512 bytes [17:30 30/09/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys --a---- 96512 bytes [16:38 30/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a---- 96512 bytes [22:59 03/08/2004] [18:40 13/04/2008] 48F983E51D618252BD8FC6005D26C12A

-= EOF =-



Edited by gringo_pr, 06 March 2012 - 10:55 AM.
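A check a responder could run over the SystemLook output above, written here as an added example (it is not part of this thread, nor of SystemLook, ComboFix or TDSSKiller): it parses the filefind lines, re-typed below as a constructed sample, and flags the live copy under system32\drivers whose MD5 disagrees with the reference copies of the same size, which is the atapi.sys mismatch the log shows.

```python
"""Cross-check copies of a Windows driver by hash, as read off a SystemLook log.

Added example for this thread; it is not part of SystemLook, ComboFix or
TDSSKiller. Windows XP keeps several pristine copies of a system driver
(the i386 install source, ServicePackFiles, the update download cache),
so a live copy under system32\\drivers whose MD5 disagrees with every
reference copy of the same size is the signal worth acting on.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the filefind section of the SystemLook log posted above.
SYSTEMLOOK_FILEFIND = r"""
Searching for "atapi.sys"
C:\i386\atapi.sys --a---- 95360 bytes [19:49 06/01/2007] [22:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c- 95360 bytes [20:00 14/01/2009] [22:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 96512 bytes [14:00 06/03/2012] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------- 96512 bytes [17:30 30/09/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys --a---- 96512 bytes [16:38 30/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a---- 96512 bytes [22:59 03/08/2004] [18:40 13/04/2008] 48F983E51D618252BD8FC6005D26C12A
"""

# One result line: path, seven attribute flags, size, two bracketed timestamps
# (kept verbatim; their meaning is not needed for the hash check), then the MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<stamp_a>[^\]]+)\] \[(?P<stamp_b>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Directory of the copy the kernel actually loads.
LIVE_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class FileHit:
    path: str
    size: int
    md5: str
    stamp_a: str
    stamp_b: str


def parse_filefind(text: str) -> List[FileHit]:
    """Parse SystemLook filefind output; lines that are not results are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], int(m["size"]), m["md5"].upper(),
                                m["stamp_a"], m["stamp_b"]))
    return hits


def is_live_driver(path: str) -> bool:
    """True for a copy living under system32\\drivers."""
    return path.lower().startswith(LIVE_DRIVER_DIR)


def find_outliers(hits: List[FileHit]) -> List[Tuple[FileHit, str]]:
    """Return (live copy, expected MD5) pairs where the live driver's hash
    differs from the majority hash of the reference copies of the same size.

    Grouping by size keeps the SP2 build (95360 bytes) from being compared
    with the SP3 build (96512 bytes): only copies of the same build must agree.
    """
    by_size: Dict[int, List[FileHit]] = {}
    for h in hits:
        by_size.setdefault(h.size, []).append(h)

    outliers = []
    for group in by_size.values():
        refs = [h for h in group if not is_live_driver(h.path)]
        if not refs:
            continue  # nothing to compare the live copy against
        expected, _ = Counter(h.md5 for h in refs).most_common(1)[0]
        for h in group:
            if is_live_driver(h.path) and h.md5 != expected:
                outliers.append((h, expected))
    return outliers


if __name__ == "__main__":
    for hit, expected in find_outliers(parse_filefind(SYSTEMLOOK_FILEFIND)):
        print(f"{hit.path}: md5 {hit.md5}, but the {hit.size}-byte reference "
              f"copies hash to {expected}; treat the live driver as modified")
```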


#9 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:46 AM

Posted 06 March 2012 - 10:59 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

Folder::
c:\program files\AskBarDis

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>

Firefox::
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\a22jl6rc.default\
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZJfox000&ptb=dwi5JnNMZt7G92OFiovEDg&ind=2010071611&ptnrS=ZJfox000&si=&n=77cf423b&psa=&st=kwd&searchfor=

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 dougers1
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:04:46 AM

Posted 06 March 2012 - 01:04 PM

OK, I had to run this twice. The first time, in normal mode, the computer crashed and gave me the blue screen of death; the second time was in safe mode.
Here is my log.

ComboFix 12-03-04.02 - John 03/06/2012 17:45:49.3.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.296 [GMT 0:00]
Running from: c:\documents and settings\John\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt.txt
AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton 360 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: avast! Internet Security *Enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-06 to 2012-03-06 )))))))))))))))))))))))))))))))
.
.
2012-03-06 16:27 . 2012-03-06 16:27 -------- d-----w- C:\avast! sandbox
2012-03-06 15:58 . 2012-03-06 15:58 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-06 15:58 . 2012-03-06 15:58 -------- d-----w- c:\program files\ESPNMotion
2012-03-06 15:58 . 2012-03-06 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2012-03-06 15:00 . 2012-03-06 15:00 98992 ----a-w- c:\windows\system32\drivers\34521563.sys
2012-03-06 15:00 . 2012-03-06 15:00 96512 ----a-w- c:\windows\system32\drivers\tsk42.tmp
2012-03-06 14:59 . 2012-03-06 14:59 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-06 10:22 . 2012-03-06 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-03-06 09:27 . 2012-03-06 09:27 -------- d-----w- c:\program files\Sophos
2012-03-05 18:32 . 2012-03-05 18:32 -------- d-----w- c:\documents and settings\jc
2012-03-02 18:20 . 2012-02-23 16:13 112984 ----a-w- c:\windows\system32\drivers\aswFW.sys
2012-03-02 18:19 . 2012-02-23 16:12 196440 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2012-03-02 18:17 . 2012-02-23 15:54 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2012-03-02 17:54 . 2012-02-23 16:10 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-02 17:54 . 2012-02-23 16:12 337112 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-02 17:53 . 2012-02-23 16:10 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-02 17:53 . 2012-02-23 16:10 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-02 17:53 . 2012-02-23 16:12 610648 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-02 17:53 . 2012-02-23 16:11 24408 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2012-03-02 17:53 . 2012-02-23 16:10 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-02 17:53 . 2012-02-23 16:10 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-02 17:53 . 2012-02-23 16:07 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-02 17:51 . 2012-02-23 16:23 41184 ----a-w- c:\windows\avastSS.scr
2012-03-02 17:51 . 2012-02-23 16:23 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-02 17:50 . 2012-03-02 17:50 -------- d-----w- c:\program files\AVAST Software
2012-03-02 17:50 . 2012-03-02 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-19 16:55 . 2011-12-08 14:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[-] 2008-04-13 18:40 . 48F983E51D618252BD8FC6005D26C12A . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2012-03-06_13.57.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-04-29 18:40 . 2012-03-06 15:59 145180 c:\windows\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-28 98304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2010-10-13 221184]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2010-10-13 192512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2010-10-13 26112]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2010-10-13 40960]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"Monitor"="c:\windows\PixArt\PAC7311\Monitor.exe" [2006-11-03 319488]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-12-28 236544]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2010-10-13 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\John\Start Menu\Programs\Startup\
ZooskMessenger.lnk - c:\program files\ZooskMessenger\ZooskMessenger.exe [2012-1-12 142336]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-12-28 7168]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [3/2/2012 6:17 PM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [3/2/2012 6:19 PM 196440]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [3/2/2012 6:20 PM 112984]
S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [3/2/2012 5:53 PM 24408]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/2/2012 5:53 PM 610648]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/2/2012 5:54 PM 337112]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/2/2012 5:54 PM 20696]
S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [3/2/2012 6:17 PM 131288]
S2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [1/12/2006 10:27 PM 13696]
S2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [1/12/2006 10:29 PM 13568]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [5/16/2011 10:32 AM 191752]
S3 EraserUtilDrvI11;EraserUtilDrvI11;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI11.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI11.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZU&fl=0&ptb=drp4MRNIO2q.XEijFjr5sQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\a22jl6rc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZJfox000&ptb=dwi5JnNMZt7G92OFiovEDg
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
SafeBoot-57414231.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-06 17:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\atapi]
"ImagePath"="system32\drivers\tsk42.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1352)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2012-03-06 17:59:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-06 17:59
ComboFix2.txt 2012-03-06 14:03
.
Pre-Run: 90,349,473,792 bytes free
Post-Run: 90,327,257,088 bytes free
.
- - End Of File - - 226BBF7EAEEFFCEC035BE175E918E141



Edited by gringo_pr, 06 March 2012 - 02:51 PM.


#11 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:46 AM

Posted 06 March 2012 - 02:53 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#12 dougers1
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:04:46 AM

Posted 07 March 2012 - 03:38 AM

Hi Gringo,
Here is the log from ComboFix. I have managed to run it in normal mode.

Attached Files



#13 dougers1
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:04:46 AM

Posted 07 March 2012 - 04:26 AM

Gringo, Windows did a boot scan and has found the virus in system32\drivers\atapi.sys.vir.
It is asking me what I want to do now:
delete
delete all
move to chest
repair
What do I choose?


cheers

#14 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:46 AM

Posted 07 March 2012 - 09:19 AM

That can be removed; that is the file that we just replaced. How is the computer doing now?



gringo

#15 dougers1
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:04:46 AM

Posted 07 March 2012 - 09:29 AM

It went back to crashing in normal mode when I deleted the file.
It's OK in safe mode, plus avast is still saying the root virus (pragma) is still there.
What should I do?



