Website redirect - Rootkit problem


7 replies to this topic

#1 safadao


Posted 13 March 2012 - 05:40 PM

Good morning all,

Through hours of trawling through Google I've found some information. Basically, whenever I go to Facebook it redirects to another page. I've run GMER and it appears I have some rootkit issues.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-03-14 09:33:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7 SAMSUNG_HD502IJ rev.1AA01118
Running: ni1lq849.exe; Driver: C:\DOCUME~1\jgowers\LOCALS~1\Temp\agdyifog.sys


---- System - GMER 1.0.15 ----

SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D709F] ZwEnumerateKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A4] ZwEnumerateValueKey [0x804D70A4]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Can anyone suggest a fix?
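Reading the GMER output above, the first thing to settle is where each hooked SSDT entry actually points. GMER shows both ZwEnumerateKey and ZwEnumerateValueKey resolving into \WINDOWS\system32\ntkrnlpa.exe, the kernel image itself, and the second line of each pair adds that the address does not fall in a named section of that image. That is a different situation from an entry redirected into a third-party driver, which is the case that warrants pulling the driver off disk and checking its signature and vendor. The Python below is an added example written for this page; it is not GMER's code and not from the poster. It parses SSDT lines in the two layouts shown above and reports which hooked functions have a handler outside the kernel image and which addresses GMER could not map to a section. GMER_LOG holds the lines from the post; THIRD_PARTY_LINE is constructed to show the flagged case; KERNEL_IMAGES is an assumption listing the Windows XP kernel image file names.

```python
"""Classify the SSDT hook lines in a GMER log by where the handler lives.

Added example for this thread; not GMER's code and not from the poster.
GMER_LOG holds the lines copied from the post above; THIRD_PARTY_LINE is
constructed to show the flagged case. KERNEL_IMAGES is an assumption
listing the Windows XP kernel image file names.
"""
import re
from dataclasses import dataclass

GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D709F] ZwEnumerateKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A4] ZwEnumerateValueKey [0x804D70A4]

---- Devices - GMER 1.0.15 ----
"""

# Constructed line, not from the post: a hook whose handler sits in a driver.
THIRD_PARTY_LINE = r"SSDT \SystemRoot\system32\drivers\example.sys (Example Filter/Example Vendor) ZwCreateFile [0xB9ABC123]"

# Assumption: the file names the XP kernel image ships under.
KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}

# Two layouts appear in the log: "<module> (<description>)" and
# "<module>[unknown section] [<offset>]", each followed by "<ZwFunc> [0x<addr>]".
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+?)"
    r"(?:\s+\((?P<desc>[^)]*)\)|\[unknown section\]\s+\[[0-9A-Fa-f]+\])"
    r"\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$"
)


@dataclass(frozen=True)
class SsdtHook:
    func: str
    module: str            # module path exactly as GMER printed it
    address: int
    unnamed_section: bool  # GMER could not map the address to a PE section
    in_kernel_image: bool


def parse_ssdt_hooks(log_text):
    """Return one SsdtHook per SSDT line; non-SSDT lines are ignored."""
    hooks = []
    for raw in log_text.splitlines():
        m = SSDT_RE.match(raw.strip())
        if not m:
            continue
        module = m.group("module")
        basename = module.rsplit("\\", 1)[-1].lower()
        hooks.append(SsdtHook(
            func=m.group("func"),
            module=module,
            address=int(m.group("addr"), 16),
            unnamed_section=m.group("desc") is None,
            in_kernel_image=basename in KERNEL_IMAGES,
        ))
    return hooks


def handlers_outside_kernel(hooks):
    """{function: module} for hooks whose handler is not in the kernel image."""
    seen = {}
    for h in hooks:
        if not h.in_kernel_image:
            seen.setdefault(h.func, h.module)
    return seen


def unnamed_section_addresses(hooks):
    """Addresses GMER could not map to a named section, sorted and unique;
    a responder cross-checks these against the kernel image's section table."""
    return sorted({h.address for h in hooks if h.unnamed_section})


if __name__ == "__main__":
    hooks = parse_ssdt_hooks(GMER_LOG + "\n" + THIRD_PARTY_LINE)
    for h in hooks:
        print(f"{h.func:20} {h.module:44} 0x{h.address:08X} kernel={h.in_kernel_image}")
    print("handlers outside kernel image:", handlers_outside_kernel(hooks))
    print("unnamed-section addresses:", [hex(a) for a in unnamed_section_addresses(hooks)])
```

Run against the four lines from the post, handlers_outside_kernel returns an empty dict and unnamed_section_addresses returns the two addresses GMER flagged; only the constructed example.sys line produces an entry to chase.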


#2 boopme


Posted 13 March 2012 - 06:06 PM

Hello safadao. I moved this from Win 98, as you have XP, and put it in the Am I Infected forum.

Please do these..

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


>>>>
Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log has a name like: TDSSKiller.Version_Date_Time_log.txt.



If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

>>>>>
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan:

On completion of the scan click "Save log", save it to your desktop and post in your next reply:

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.



Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, go to Start > All Programs > Malwarebytes Anti-Malware folder > Tools > click on Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).
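The MiniToolBox items boopme asks for (hosts content, Winsock entries, and the IP configuration block with its nslookup and ping results) cover the system-wide mechanisms that affect every browser at once, which is why they come before any browser-specific cleanup: a hosts entry for the site, a Winsock LSP or namespace provider whose module is missing or unsigned, or a resolver that answers for a different name than the one queried. The last case is what a DNS suffix search list produces when an unqualified lookup has a suffix such as com.au appended and a wildcard record under that suffix answers. The Python below is an added example for this page, not MiniToolBox's own code and not part of boopme's instructions. It parses a Result.txt in the section-banner layout MiniToolBox produces and reports those three findings. The sample report is constructed for the example; QUERIED_NAMES is an assumption about the fixed set of names MiniToolBox resolves; the section header regex assumes the "===== Name: =====" banner style.

```python
"""Triage a MiniToolBox Result.txt for a system-wide browser redirect.

Added example for this thread; not MiniToolBox's code and not part of the
forum post. SAMPLE_REPORT is constructed for the example. QUERIED_NAMES is
an assumption: the names MiniToolBox resolves in its IP configuration block.
"""
import re
import sys

SAMPLE_REPORT = r"""
========================= Hosts content: =================================

127.0.0.1 localhost
192.0.2.10 www.facebook.com

========================= IP Configuration: ================================

Server: UnKnown
Address: 10.0.0.99

Name: google.com.com.au
Address: 174.122.148.154

Name: bleepingcomputer.com
Address: 208.43.87.2

========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 H:\Windows\System32\winrnr.dll [File Not found] ()
Catalog5 03 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 02 C:\Documents and Settings\user\Local Settings\Temp\lsp.dll [12800] ()
"""

QUERIED_NAMES = {"google.com", "yahoo.com", "bleepingcomputer.com"}  # assumption

SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?):?\s*=+$")
WINSOCK_RE = re.compile(r"^Catalog\d+\s+\d+\s+(?P<path>.+?)\s+\[(?P<size>[^\]]*)\]\s+\((?P<vendor>[^)]*)\)$")
NAME_RE = re.compile(r"^Name:\s+(\S+)$")
ADDR_RE = re.compile(r"^Address:\s+(\S+)$")


def parse_sections(text):
    """Split the report into {section name (lower case): [non-blank lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def check_hosts(lines):
    """Every hosts entry other than localhost -> loopback is worth a look."""
    findings = []
    for line in lines:
        body = line.split("#", 1)[0].split()
        if len(body) < 2:
            continue
        ip, names = body[0], body[1:]
        for name in names:
            if name.lower() == "localhost" and ip in ("127.0.0.1", "::1"):
                continue
            findings.append((ip, name))
    return findings


def check_dns(lines, queried=QUERIED_NAMES):
    """Pair each 'Name:' with the 'Address:' that follows it and flag answers
    for a name that was not one of the queried names (e.g. a suffix appended)."""
    findings, pending = [], None
    for line in lines:
        m = NAME_RE.match(line)
        if m:
            pending = m.group(1).rstrip(".")
            continue
        m = ADDR_RE.match(line)
        if m and pending is not None:
            if pending.lower() not in queried:
                findings.append((pending, m.group(1)))
            pending = None
    return findings


def check_winsock(lines):
    """Flag provider modules that are missing on disk, carry no vendor
    information, or live under a user profile or temp directory."""
    findings = []
    for line in lines:
        m = WINSOCK_RE.match(line)
        if not m:
            continue
        path, vendor, low = m.group("path"), m.group("vendor").strip(), m.group("path").lower()
        reasons = []
        if m.group("size").lower() == "file not found":
            reasons.append("module not found on disk")
        if not vendor:
            reasons.append("no vendor information")
        if "\\temp\\" in low or "\\documents and settings\\" in low or "\\users\\" in low:
            reasons.append("module under a user profile or temp directory")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings


def triage(report_text):
    s = parse_sections(report_text)
    return {
        "hosts": check_hosts(s.get("hosts content", [])),
        "dns": check_dns(s.get("ip configuration", [])),
        "winsock": check_winsock(s.get("winsock entries", [])),
    }


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for key, items in triage(text).items():
        print(key, items)
```

With a real Result.txt as the argument, the same three lists come back; on the constructed sample, the hosts check returns the www.facebook.com entry, the DNS check returns google.com.com.au, and the Winsock check returns the missing winrnr.dll and the vendor-less module under the user's Temp directory while leaving Bonjour's mdnsNSP.dll alone.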

#3 safadao


Posted 13 March 2012 - 06:31 PM

Quick response, thank you.

My apologies for the wrong OS version, I guess I was just frustrated :)

OK.

Completed in order with logs attached. TDSSKiller returned no positives.

MiniToolBox by Farbar Version: 18-01-2012
Ran by jgowers (administrator) on 14-03-2012 at 10:14:12
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

216.139.213.144 www.colgowershomes.com.au


127.0.0.1 localhost

========================= IP Configuration: ================================

1394 Net Adapter = 1394 Connection (Connected)
Intel® 82567LM-2 Gigabit Network Connection = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=static addr=10.0.0.222 mask=255.255.255.0
set address name="Local Area Connection" gateway=10.0.0.2 gwmetric=0
set dns name="Local Area Connection" source=static addr=10.0.0.99 register=PRIMARY
set wins name="Local Area Connection" source=static addr=none


popd
# End of interface IP configuration


Windows IP Configuration

Host Name . . . . . . . . . . . . : jason-2010
Primary Dns Suffix . . . . . . . : ColGowersHomes.com.au
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ColGowersHomes.com.au
                                    com.au

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® 82567LM-2 Gigabit Network Connection
Physical Address. . . . . . . . . : 00-1C-C0-A3-70-0F
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.222
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.2
DNS Servers . . . . . . . . . . . : 10.0.0.99

Server: UnKnown
Address: 10.0.0.99

Name: google.com.com.au
Address: 174.122.148.154

Pinging google.com [74.125.237.9] with 32 bytes of data:
Reply from 74.125.237.9: bytes=32 time=32ms TTL=53
Reply from 74.125.237.9: bytes=32 time=34ms TTL=53
Ping statistics for 74.125.237.9:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 32ms, Maximum = 34ms, Average = 33ms

Server: UnKnown
Address: 10.0.0.99

Name: yahoo.com.com.au
Address: 174.122.148.154

Pinging yahoo.com [98.139.127.62] with 32 bytes of data:
Reply from 98.139.127.62: bytes=32 time=200ms TTL=51
Reply from 98.139.127.62: bytes=32 time=231ms TTL=51
Ping statistics for 98.139.127.62:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 200ms, Maximum = 231ms, Average = 215ms

Server: UnKnown
Address: 10.0.0.99

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.
Ping statistics for 208.43.87.2:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1c c0 a3 70 0f ...... Intel® 82567LM-2 Gigabit Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.2      10.0.0.222      10
         10.0.0.0    255.255.255.0       10.0.0.222      10.0.0.222      10
       10.0.0.222  255.255.255.255        127.0.0.1       127.0.0.1      10
   10.255.255.255  255.255.255.255       10.0.0.222      10.0.0.222      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0       10.0.0.222      10.0.0.222      20
        224.0.0.0        240.0.0.0       10.0.0.222      10.0.0.222      10
  255.255.255.255  255.255.255.255       10.0.0.222      10.0.0.222       1
Default Gateway: 10.0.0.2
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 H:\Windows\System32\mswsock.dll [File Not found] ()
Catalog5 02 H:\Windows\System32\winrnr.dll [File Not found] ()
Catalog5 03 H:\Windows\System32\mswsock.dll [File Not found] ()
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 H:\Windows\system32\mswsock.dll [File Not found] ()
Catalog9 02 H:\Windows\system32\mswsock.dll [File Not found] ()
Catalog9 03 H:\Windows\system32\mswsock.dll [File Not found] ()
Catalog9 04 H:\Windows\system32\rsvpsp.dll [File Not found] ()
Catalog9 05 H:\Windows\system32\rsvpsp.dll [File Not found] ()
Catalog9 06 H:\Windows\system32\mswsock.dll [File Not found] ()
Catalog9 07 H:\Windows\system32\mswsock.dll [File Not found] ()
Catalog9 08 H:\Windows\system32\mswsock.dll [File Not found] ()
Catalog9 09 H:\Windows\system32\mswsock.dll [File Not found] ()
Catalog9 10 H:\Windows\system32\mswsock.dll [File Not found] ()
Catalog9 11 H:\Windows\system32\mswsock.dll [File Not found] ()
Catalog9 12 H:\Windows\system32\mswsock.dll [File Not found] ()
Catalog9 13 H:\Windows\system32\mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/14/2012 09:41:22 AM) (Source: Application Hang) (User: )
Description: Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (03/14/2012 08:06:47 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\CONFIG.MSI\4CABC7B.RBF> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/14/2012 08:06:47 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\CONFIG.MSI\4CABC7A.RBF> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/14/2012 08:06:47 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\CONFIG.MSI\4CABC79.RBF> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/14/2012 08:06:47 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\CONFIG.MSI\4CABC78.RBF> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/14/2012 08:06:47 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\CONFIG.MSI\4CABC77.RBF> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/14/2012 08:06:47 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\CONFIG.MSI\4CABC76.RBF> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/14/2012 08:06:47 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\CONFIG.MSI\4CABC75.RBF> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/14/2012 08:06:47 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\CONFIG.MSI\4CABC74.RBF> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (03/14/2012 08:06:47 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\CONFIG.MSI\4CABC73.RBF> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


System errors:
=============
Error: (03/14/2012 09:59:56 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
mv61xx

Error: (02/23/2012 09:13:55 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service failed to start due to the following error:
%%1053

Error: (02/23/2012 09:13:55 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Windows Search service to connect.

Error: (02/23/2012 09:13:54 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1053" attempting to start the service WSearch with arguments ""
in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (02/21/2012 08:31:43 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service failed to start due to the following error:
%%1053

Error: (02/21/2012 08:31:43 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Windows Search service to connect.

Error: (02/21/2012 08:31:43 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1053" attempting to start the service WSearch with arguments ""
in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (02/21/2012 08:29:30 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service failed to start due to the following error:
%%1053

Error: (02/21/2012 08:29:30 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Windows Search service to connect.

Error: (02/21/2012 08:29:30 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1053" attempting to start the service WSearch with arguments ""
in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}


Microsoft Office Sessions:
=========================
Error: (08/25/2011 08:53:23 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: 6Microsoft Office Outlook12.0.6557.500112.0.6425.10001730744860

Error: (05/27/2011 11:17:50 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: 0Microsoft Office Word12.0.6545.500012.0.6425.10003413255460

Error: (05/25/2011 11:46:05 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: 1Microsoft Office Excel12.0.6550.500412.0.6425.100088551180

Error: (05/17/2011 01:33:07 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: 6Microsoft Office Outlook12.0.6557.500112.0.6425.10001042098700

Error: (04/20/2011 11:10:49 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: 6Microsoft Office Outlook12.0.6555.500012.0.6425.10002421420

Error: (04/18/2011 10:01:18 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: 6Microsoft Office Outlook12.0.6555.500012.0.6425.100022821080

Error: (04/08/2011 10:30:19 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: 6Microsoft Office Outlook12.0.6550.500312.0.6425.10004649780

Error: (04/05/2011 08:07:37 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: 6Microsoft Office Outlook12.0.6550.500312.0.6425.1000841823420

Error: (02/10/2011 01:37:09 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: 6Microsoft Office Outlook12.0.6212.100012.0.6215.1000352300

Error: (02/10/2011 01:31:12 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: 6Microsoft Office Outlook12.0.6212.100012.0.6215.10004776600


=========================== Installed Programs ============================

µTorrent (Version: 2.2.0)
Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.2.443)
Adobe Acrobat 9 Pro - English, Français, Deutsch (Version: 9.5.0)
Adobe Acrobat 9.5.0 - CPSID_83708
Adobe After Effects CS4 (Version: 9)
Adobe After Effects CS4 Presets (Version: 9)
Adobe After Effects CS4 Third Party Content (Version: 9)
Adobe AIR (Version: 1.1.0.5790)
Adobe Anchor Service CS4 (Version: 2.0)
Adobe Asset Services CS4 (Version: 4)
Adobe Bridge CS4 (Version: 3)
Adobe CMaps CS4 (Version: 2.0)
Adobe Color - Photoshop Specific CS4 (Version: 2.0)
Adobe Color EU Extra Settings CS4 (Version: 2.0)
Adobe Color JA Extra Settings CS4 (Version: 2.0)
Adobe Color NA Recommended Settings CS4 (Version: 2.0)
Adobe Color Video Profiles AE CS4 (Version: 2.0)
Adobe Color Video Profiles CS CS4 (Version: 2.0)
Adobe Contribute CS4 (Version: 5.0)
Adobe Creative Suite 4 Master Collection (Version: 4.0)
Adobe CS4 American English Speech Analysis Models (Version: 1)
Adobe CSI CS4 (Version: 1)
Adobe Default Language CS4 (Version: 2.0)
Adobe Device Central CS4 (Version: 2)
Adobe Dreamweaver CS4 (Version: 10.0)
Adobe Drive CS4 (Version: 1)
Adobe Dynamiclink Support (Version: 1)
Adobe Encore CS4 (Version: 4)
Adobe Encore CS4 Codecs (Version: 4)
Adobe ExtendScript Toolkit CS4 (Version: 3.0.0)
Adobe Extension Manager CS4 (Version: 2.0)
Adobe Fireworks CS4 (Version: 10.0)
Adobe Flash CS4 (Version: 10.0)
Adobe Flash CS4 Extension - Flash Lite STI en (Version: 3.0)
Adobe Flash CS4 STI-en (Version: 10.0)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Flash Player 11 Plugin (Version: 11.1.102.62)
Adobe Fonts All (Version: 2.0)
Adobe Illustrator CS4 (Version: 14.0)
Adobe InDesign CS4 (Version: 6.0)
Adobe InDesign CS4 Application Feature Set Files (Roman) (Version: 6.0)
Adobe InDesign CS4 Common Base Files (Version: 6.0)
Adobe InDesign CS4 Icon Handler (Version: 6.0)
Adobe Linguistics CS4 (Version: 4.0.0)
Adobe Media Encoder CS4 (Version: 1.0)
Adobe Media Encoder CS4 Additional Exporter (Version: 1.0)
Adobe Media Encoder CS4 Dolby (Version: 1.0)
Adobe Media Encoder CS4 Exporter (Version: 1.0)
Adobe Media Encoder CS4 Importer (Version: 1.0)
Adobe Media Player (Version: 0.0.0)
Adobe Media Player (Version: 1.1)
Adobe MotionPicture Color Files CS4 (Version: 2.0)
Adobe OnLocation CS4 (Version: 4)
Adobe Output Module (Version: 2.0)
Adobe PDF Library Files CS4 (Version: 9.0)
Adobe Photoshop CS4 (Version: 11.0)
Adobe Photoshop CS4 Support (Version: 11.0)
Adobe Premiere Pro CS4 (Version: 4)
Adobe Premiere Pro CS4 Functional Content (Version: 4)
Adobe Premiere Pro CS4 Third Party Content (Version: 4)
Adobe Search for Help (Version: 1.0)
Adobe Service Manager Extension (Version: 1.0)
Adobe Setup (Version: 2.0)
Adobe SGM CS4 (Version: 3.0)
Adobe SING CS4 (Version: 2.0)
Adobe Soundbooth CS4 (Version: 2)
Adobe Soundbooth CS4 Codecs (Version: 2)
Adobe Type Support CS4 (Version: 9.0)
Adobe Update Manager CS4 (Version: 6.0.0)
Adobe Version Cue CS4 Server (Version: 4.0)
Adobe WinSoft Linguistics Plugin (Version: 1.1)
Adobe XMP Panels CS4 (Version: 2.0)
AdobeColorCommonSetCMYK (Version: 2.0)
AdobeColorCommonSetRGB (Version: 2.0)
Apple Application Support (Version: 2.1.7)
Apple Mobile Device Support (Version: 5.1.1.4)
Apple Software Update (Version: 2.1.3.127)
ASUS nVidia Driver (Version: 6.00.0000)
Audacity 1.2.6
AutoCAD Architecture 2010 (Version: 6.0.56.0)
AutoCAD Architecture 2010 Language Pack - English (Version: 18.0.55.0)
Autodesk Design Review 2010 (Version: 10.0.0.108)
Avidemux 2.5 (32-bit) (Version: 2.5.4.7200)
Bonjour (Version: 3.0.0.10)
Brother MFL-Pro Suite (Version: 1.00.000)
CCleaner (Version: 3.16)
Chief Architect Premier X3 (Version: 13.2.0.0)
Chief Architect X2 (Version: 12.1.2.29)
Connect (Version: 1.0.0.1)
Constructor Workstation (Version: 2.9.46)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
designIT5 (Version: 5.0.4)
EPSON Printer Software
FileOpen Client (Version: 3.0.67.914)
GOM Player (Version: 2.1.28.5039)
Google Chrome (Version: 17.0.963.79)
Google Update Helper (Version: 1.3.21.99)
ImgBurn (Version: 2.5.5.0)
Intel® Network Connections 13.1.33.0 (Version: 13.1.33.0)
iTunes (Version: 10.6.0.40)
kuler (Version: 2.0)
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Silverlight (Version: 4.1.10111.0)
Microsoft Software Update for Web Folders (English) 14 (Version: 14.0.6029.1000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Mozilla Firefox 10.0.2 (x86 en-GB) (Version: 10.0.2)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
MSXML 6.0 Parser (Version: 6.00.3883.8)
NVIDIA Drivers (Version: 1.3)
NVIDIA PhysX (Version: 9.09.0203)
Outlook Connector for MDaemon Plug-in (Version: 2.2.4)
Panda Cloud Antivirus (Version: 1.05.02.0000)
Panda Cloud Antivirus (Version: 1.5.2)
Panda Security Toolbar (Version: 2.0.0.17)
Panda Security URL Filtering (Version: 2.0.0.10)
PDF-Viewer (Version: 2.0.42.7)
PDF-Viewer (Version: 2.5.191.0)
PDF Settings CS4 (Version: 9.0)
Photoshop Camera Raw (Version: 5.0)
Picasa 3 (Version: 3.8)
Pidgin (Version: 2.7.9)
Pixel Bender Toolkit (Version: 1.0)
PowerISO (Version: 4.7)
QuickBooks Premier Edition 2010-11 (Version: )
QuickBooks Premier: Contractor Edition 2011-12 (Version: )
QuickTime (Version: 7.71.80.42)
Realtek High Definition Audio Driver (Version: 5.10.0.5672)
Simple Sticky Notes Version 1.5
Skype Click to Call (Version: 5.6.8312)
Skype™ 5.5 (Version: 5.5.119)
Spotify (Version: 0.6.1)
Spybot - Search & Destroy (Version: 1.6.2)
Suite Shared Configuration CS4 (Version: 1.0)
SupportSoft Assisted Service (Version: 15)
Synology Assistant (remove only)
Synology Data Replicator 3 (Version: 1.0.0.0)
TeraCopy 2.12
Toolbar Cleaner 1.0
TopDrawer2011_014 (Version: 07.05.0001)
UltraMon (Version: 3.0.10)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
Update for Microsoft Outlook Social Connector (KB2583935)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
WebFldrs XP (Version: 9.50.7523)
WinAVI All in One Converter (Version: 1.6.3.4360)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (Version: 1.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Search 4.0 (Version: 04.00.6001.503)
WinRAR archiver

========================= Memory info: ===================================

Percentage of memory in use: 25%
Total physical RAM: 3316.41 MB
Available physical RAM: 2457.97 MB
Total Pagefile: 5200.28 MB
Available Pagefile: 4415.75 MB
Total Virtual: 2047.88 MB
Available Virtual: 1958.94 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:465.75 GB) (Free:25.52 GB) NTFS
4 Drive f: (TSB USB DRV) (Removable) (Total:3.72 GB) (Free:3.7 GB) FAT32
5 Drive h: (DataDrive) (Network) (Total:1249.27 GB) (Free:884.94 GB) NTFS
6 Drive p: (DataDrive) (Network) (Total:1249.27 GB) (Free:884.94 GB) NTFS
7 Drive q: (DataDrive) (Network) (Total:1249.27 GB) (Free:884.94 GB) NTFS
8 Drive t: (DataDrive) (Network) (Total:1249.27 GB) (Free:884.94 GB) NTFS
9 Drive u: (DataDrive) (Network) (Total:1249.27 GB) (Free:884.94 GB) NTFS
10 Drive x: (DataDrive) (Network) (Total:1249.27 GB) (Free:884.94 GB) NTFS

========================= Users: ========================================

User accounts for \\JASON-2010

Administrator ASPNET Guest
HelpAssistant Jason SUPPORT_388945a0


**** End of log ****




aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-14 10:20:52
-----------------------------
10:20:52.816 OS Version: Windows 5.1.2600 Service Pack 3
10:20:52.816 Number of processors: 8 586 0x1A05
10:20:52.832 ComputerName: JASON-2010 UserName: jgowers
10:20:57.143 Initialize success
10:21:23.839 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
10:21:23.855 Disk 0 Vendor: SAMSUNG_HD502IJ 1AA01118 Size: 476940MB BusType: 3
10:21:23.855 Disk 1 \Device\Harddisk1\DR2 -> \Device\0000008c
10:21:23.855 Disk 1 Vendor: Size: 476940MB BusType: 0
10:21:23.902 Disk 0 MBR read successfully
10:21:23.902 Disk 0 MBR scan
10:21:23.902 Disk 0 Windows XP default MBR code
10:21:23.933 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
10:21:23.949 Disk 0 scanning sectors +976752000
10:21:24.121 Disk 0 scanning C:\WINDOWS\system32\drivers
10:21:44.943 Service scanning
10:21:52.363 Modules scanning
10:22:25.667 Disk 0 trace - called modules:
10:22:25.698 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
10:22:25.698 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8af05ab8]
10:22:25.698 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\00000075[0x8af0a9e8]
10:22:25.698 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x8af0ad98]
10:22:25.698 Scan finished successfully
10:22:51.942 Disk 0 MBR has been saved successfully to "C:\Program Files\Mozilla Firefox\MBR.dat"
10:22:51.957 The log file has been saved successfully to "C:\Program Files\Mozilla Firefox\aswMBR.txt"
10:22:59.065 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\jgowers\Desktop\MBR.dat"
10:22:59.065 The log file has been saved successfully to "C:\Documents and Settings\jgowers\Desktop\aswMBR.txt"



Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7082

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/07/2011 9:44:37 AM
mbam-log-2011-07-12 (09-44-37).txt

Scan type: Quick scan
Objects scanned: 234990
Time elapsed: 21 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 safadao
  • Topic Starter
  • Members
  • 16 posts

Posted 13 March 2012 - 06:33 PM

GMER still reports

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-14 10:30:33
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7 SAMSUNG_HD502IJ rev.1AA01118
Running: ni1lq849.exe; Driver: C:\DOCUME~1\jgowers\LOCALS~1\Temp\agdyifod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\PSINProc.sys (PSINProc Filter Driver for XP32/Panda Security, S.L.) ZwTerminateProcess [0xB5EFD416]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D7090]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7090] ZwCreateKey [0x804D7090]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteKey [0x804D709A]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D709A] ZwDeleteKey [0x804D709A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteValueKey [0x804D708B]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D708B] ZwDeleteValueKey [0x804D708B]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D709F] ZwEnumerateKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A4] ZwEnumerateValueKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D70B3]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70B3] ZwOpenKey [0x804D70B3]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70AE] ZwQueryKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryValueKey [0x804D70A9]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A9] ZwQueryValueKey [0x804D70A9]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetValueKey [0x804D7095]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7095] ZwSetValueKey [0x804D7095]

INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D70D6

---- Kernel code sections - GMER 1.0.15 ----

? alobt.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB93DF360, 0x35483F, 0xE8000020]
.text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0xB5B1C000, 0x44527, 0xE0000020]
.init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0xB5B6E224]
.init C:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0xB5B6E000, 0x7000, 0xE20000E0]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB5981400, 0x88182, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB5A25820] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB5A25820]
.protect˙˙˙˙hardlockunknown last code section [0xB5A25600, 0x50F6, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB5A25600, 0x50F6, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2064] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\FileOpenWebPublisherScreenHookDriver \Device\FileOpenWebPublisherScreenHookDriver fowp32.sys
Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DR2 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+3 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

#5 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 March 2012 - 07:30 PM

That's OK, you're new. You have a buried rootkit, probably ZeroAccess, and we need to properly remove it.

We need a deeper look. Please go here: Preparation Guide, do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Just repost this GMER log instead of running it again.

Let me know if that went well.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#6 safadao
  • Topic Starter
  • Members
  • 16 posts

Posted 14 March 2012 - 04:08 PM

OK, I think I've got everything ready.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by jgowers at 15:18:22 on 2012-03-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3316.1926 [GMT 11:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileOpen\Services\FileOpenManagerSvc32.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synology Data Replicator 3\SynoDrService.exe
C:\Program Files\Synology\Assistant\UsbClientService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Tracker Software\PDF Viewer\PDFXCview.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
C:\Program Files\FileOpen\Services\FileOpenBroker32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Panda Security URL Filtering] "c:\documents and settings\all users\application data\panda security url filtering\Panda_URL_Filtering.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pidgin.lnk - c:\program files\pidgin\pidgin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{b49673f8-7ab6-4a14-8213-c8a7be370010}\IcoUltraMon.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: Interfaces\{3E3CB466-6119-41F7-B5C1-F09C46504182} : NameServer = 10.0.0.99
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
Hosts: 216.139.213.144 www.colgowershomes.com.au
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jgowers\application data\mozilla\firefox\profiles\47fwm9vp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2780272&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Your-TV Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2009-8-31 151592]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-11-23 130312]
R2 FileOpenManagerSvc;FileOpen Manager Service;c:\program files\fileopen\services\FileOpenManagerSvc32.exe [2011-10-21 213376]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2012-1-5 144008]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-12-1 112648]
R2 SynoDrService;SynoDrService;c:\program files\synology data replicator 3\SynoDrService.exe [2010-1-12 245760]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2008-11-14 17184]
R2 UsbClientService;UsbClientService;c:\program files\synology\assistant\UsbClientService.exe [2011-2-18 245760]
R3 busenum;Synology Virtual USB Hub;c:\windows\system32\drivers\busenum.sys [2011-2-18 46304]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2011-1-27 243856]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S1 MpKsl30cce978;MpKsl30cce978;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{91a087a0-cb78-4dc3-95f0-b02cfec58471}\mpksl30cce978.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{91a087a0-cb78-4dc3-95f0-b02cfec58471}\MpKsl30cce978.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-27 136176]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2012-2-21 8192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-27 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
.
=============== Created Last 30 ================
.
2012-03-13 21:04:59 -------- d-----w- c:\program files\iPod
2012-03-13 21:04:39 -------- d-----w- c:\program files\iTunes
2012-02-20 21:13:03 8192 ----a-w- c:\windows\system32\srvany.exe
2012-02-20 00:52:51 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-02-20 00:52:27 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-02-20 00:52:27 -------- d-----w- c:\documents and settings\all users\Microsoft
2012-02-20 00:51:42 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2012-02-20 00:50:55 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-02-20 00:50:47 -------- d-----w- c:\windows\SHELLNEW
2012-02-16 06:23:57 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-16 06:23:57 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-16 03:19:12 -------- d-----w- c:\documents and settings\all users\application data\TomTom
2012-02-16 03:18:59 -------- d-----w- c:\documents and settings\jgowers\local settings\application data\TomTom
2012-02-16 03:18:59 -------- d-----w- c:\documents and settings\jgowers\application data\TomTom
.
==================== Find3M ====================
.
2012-02-29 23:58:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-05 12:10:09 144008 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 15:19:10.56 ===============


------------------------------

GMER result. Note: something causes GMER to crash. These are the results of the earlier scan.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-15 08:05:59
Windows 5.1.2600 Service Pack 3
Running: ni1lq849.exe; Driver: C:\DOCUME~1\jgowers\LOCALS~1\Temp\agdyifod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\PSINProc.sys (PSINProc Filter Driver for XP32/Panda Security, S.L.) ZwTerminateProcess [0xB5F81416]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D7090]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7090] ZwCreateKey [0x804D7090]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteKey [0x804D709A]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D709A] ZwDeleteKey [0x804D709A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteValueKey [0x804D708B]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D708B] ZwDeleteValueKey [0x804D708B]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D709F] ZwEnumerateKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A4] ZwEnumerateValueKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D70B3]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70B3] ZwOpenKey [0x804D70B3]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70AE] ZwQueryKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryValueKey [0x804D70A9]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A9] ZwQueryValueKey [0x804D70A9]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetValueKey [0x804D7095]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7095] ZwSetValueKey [0x804D7095]

INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D70CC

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9463360, 0x35483F, 0xE8000020]
.text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0xB5B78000, 0x44527, 0xE0000020]
.init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0xB5BCA224]
.init C:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0xB5BCA000, 0x7000, 0xE20000E0]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB59DD400, 0x88182, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB5A81820] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB5A81820]
.protect˙˙˙˙hardlockunknown last code section [0xB5A81600, 0x50F6, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB5A81600, 0x50F6, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2188] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01215B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01FE0001
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 0139802D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A50F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A20F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!send 71AB4C27 6 Bytes JMP 719F0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71960F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719C0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 71990F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71930F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4056] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106C01A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4056] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 106C0135 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4056] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 10450924 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4056] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10450ECF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \Driver\FileOpenWebPublisherScreenHookDriver \Device\FileOpenWebPublisherScreenHookDriver fowp32.sys
Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DR2 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+3 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

#7 safadao
  • Topic Starter
  • Members
  • 16 posts

Posted 14 March 2012 - 04:13 PM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-14 10:20:52
-----------------------------
10:20:52.816 OS Version: Windows 5.1.2600 Service Pack 3
10:20:52.816 Number of processors: 8 586 0x1A05
10:20:52.832 ComputerName: JASON-2010 UserName: jgowers
10:20:57.143 Initialize success
10:21:23.839 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
10:21:23.855 Disk 0 Vendor: SAMSUNG_HD502IJ 1AA01118 Size: 476940MB BusType: 3
10:21:23.855 Disk 1 \Device\Harddisk1\DR2 -> \Device\0000008c
10:21:23.855 Disk 1 Vendor: Size: 476940MB BusType: 0
10:21:23.902 Disk 0 MBR read successfully
10:21:23.902 Disk 0 MBR scan
10:21:23.902 Disk 0 Windows XP default MBR code
10:21:23.933 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
10:21:23.949 Disk 0 scanning sectors +976752000
10:21:24.121 Disk 0 scanning C:\WINDOWS\system32\drivers
10:21:44.943 Service scanning
10:21:52.363 Modules scanning
10:22:25.667 Disk 0 trace - called modules:
10:22:25.698 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
10:22:25.698 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8af05ab8]
10:22:25.698 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\00000075[0x8af0a9e8]
10:22:25.698 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x8af0ad98]
10:22:25.698 Scan finished successfully
10:22:51.942 Disk 0 MBR has been saved successfully to "C:\Program Files\Mozilla Firefox\MBR.dat"
10:22:51.957 The log file has been saved successfully to "C:\Program Files\Mozilla Firefox\aswMBR.txt"
10:22:59.065 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\jgowers\Desktop\MBR.dat"
10:22:59.065 The log file has been saved successfully to "C:\Documents and Settings\jgowers\Desktop\aswMBR.txt"

#8 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 14 March 2012 - 07:13 PM

Hello. From prior instructions...

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.

If GMER won't run skip it and move on.

Let me know if that went well.