Facebook & others keep redirecting (rootkit problem)


  • This topic is locked
18 replies to this topic

#1 safadao

safadao

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:14 AM

Posted 14 March 2012 - 09:27 PM

Afternoon all,

Through hours of trawling through Google I've found some information. Basically, whenever I go to Facebook it redirects to another page. I've run GMER and it appears I have some rootkit issues.

I've run some of the required steps (Thanks to BOOPME for direction.) Can anyone suggest a fix?

Thanks.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by jgowers at 15:18:22 on 2012-03-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3316.1926 [GMT 11:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileOpen\Services\FileOpenManagerSvc32.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synology Data Replicator 3\SynoDrService.exe
C:\Program Files\Synology\Assistant\UsbClientService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Tracker Software\PDF Viewer\PDFXCview.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
C:\Program Files\FileOpen\Services\FileOpenBroker32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Panda Security URL Filtering] "c:\documents and settings\all users\application data\panda security url filtering\Panda_URL_Filtering.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pidgin.lnk - c:\program files\pidgin\pidgin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{b49673f8-7ab6-4a14-8213-c8a7be370010}\IcoUltraMon.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: Interfaces\{3E3CB466-6119-41F7-B5C1-F09C46504182} : NameServer = 10.0.0.99
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
Hosts: 216.139.213.144 www.colgowershomes.com.au
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jgowers\application data\mozilla\firefox\profiles\47fwm9vp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2780272&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Your-TV Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2009-8-31 151592]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-11-23 130312]
R2 FileOpenManagerSvc;FileOpen Manager Service;c:\program files\fileopen\services\FileOpenManagerSvc32.exe [2011-10-21 213376]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2012-1-5 144008]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-12-1 112648]
R2 SynoDrService;SynoDrService;c:\program files\synology data replicator 3\SynoDrService.exe [2010-1-12 245760]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2008-11-14 17184]
R2 UsbClientService;UsbClientService;c:\program files\synology\assistant\UsbClientService.exe [2011-2-18 245760]
R3 busenum;Synology Virtual USB Hub;c:\windows\system32\drivers\busenum.sys [2011-2-18 46304]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2011-1-27 243856]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S1 MpKsl30cce978;MpKsl30cce978;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{91a087a0-cb78-4dc3-95f0-b02cfec58471}\mpksl30cce978.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{91a087a0-cb78-4dc3-95f0-b02cfec58471}\MpKsl30cce978.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-27 136176]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2012-2-21 8192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-27 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
.
=============== Created Last 30 ================
.
2012-03-13 21:04:59 -------- d-----w- c:\program files\iPod
2012-03-13 21:04:39 -------- d-----w- c:\program files\iTunes
2012-02-20 21:13:03 8192 ----a-w- c:\windows\system32\srvany.exe
2012-02-20 00:52:51 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-02-20 00:52:27 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-02-20 00:52:27 -------- d-----w- c:\documents and settings\all users\Microsoft
2012-02-20 00:51:42 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2012-02-20 00:50:55 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-02-20 00:50:47 -------- d-----w- c:\windows\SHELLNEW
2012-02-16 06:23:57 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-16 06:23:57 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-16 03:19:12 -------- d-----w- c:\documents and settings\all users\application data\TomTom
2012-02-16 03:18:59 -------- d-----w- c:\documents and settings\jgowers\local settings\application data\TomTom
2012-02-16 03:18:59 -------- d-----w- c:\documents and settings\jgowers\application data\TomTom
.
==================== Find3M ====================
.
2012-02-29 23:58:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-05 12:10:09 144008 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 15:19:10.56 ===============



-----------------------


GMER result. Note: Something causes GMER to crash. These are the results of the earlier scan.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-15 08:05:59
Windows 5.1.2600 Service Pack 3
Running: ni1lq849.exe; Driver: C:\DOCUME~1\jgowers\LOCALS~1\Temp\agdyifod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\PSINProc.sys (PSINProc Filter Driver for XP32/Panda Security, S.L.) ZwTerminateProcess [0xB5F81416]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D7090]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7090] ZwCreateKey [0x804D7090]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteKey [0x804D709A]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D709A] ZwDeleteKey [0x804D709A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteValueKey [0x804D708B]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D708B] ZwDeleteValueKey [0x804D708B]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D709F] ZwEnumerateKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A4] ZwEnumerateValueKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D70B3]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70B3] ZwOpenKey [0x804D70B3]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70AE] ZwQueryKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryValueKey [0x804D70A9]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A9] ZwQueryValueKey [0x804D70A9]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetValueKey [0x804D7095]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7095] ZwSetValueKey [0x804D7095]

INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D70CC

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9463360, 0x35483F, 0xE8000020]
.text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0xB5B78000, 0x44527, 0xE0000020]
.init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0xB5BCA224]
.init C:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0xB5BCA000, 0x7000, 0xE20000E0]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB59DD400, 0x88182, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB5A81820] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB5A81820]
.protect˙˙˙˙hardlockunknown last code section [0xB5A81600, 0x50F6, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB5A81600, 0x50F6, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2188] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01215B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01FE0001
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 0139802D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A50F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A20F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!send 71AB4C27 6 Bytes JMP 719F0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71960F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719C0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 71990F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3484] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71930F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4056] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106C01A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4056] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 106C0135 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4056] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 10450924 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4056] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10450ECF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \Driver\FileOpenWebPublisherScreenHookDriver \Device\FileOpenWebPublisherScreenHookDriver fowp32.sys
Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DR2 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+3 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)



#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:14 AM

Posted 14 March 2012 - 10:04 PM

Hello safadao,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 safadao

safadao
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:14 AM

Posted 15 March 2012 - 10:52 PM

Thank you for taking the time to have a look at my problem. I look forward to your help :)

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:14 AM

Posted 16 March 2012 - 10:02 PM

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:14 AM

Posted 18 March 2012 - 01:48 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 2-3 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#6 safadao

safadao
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:14 AM

Posted 18 March 2012 - 11:44 PM

My apologies, was away for the weekend. I am on it now :)

#7 safadao

safadao
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:14 AM

Posted 18 March 2012 - 11:46 PM

15:45:23.0764 5896 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
15:45:24.0764 5896 ============================================================
15:45:24.0764 5896 Current date / time: 2012/03/19 15:45:24.0764
15:45:24.0764 5896 SystemInfo:
15:45:24.0764 5896
15:45:24.0764 5896 OS Version: 5.1.2600 ServicePack: 3.0
15:45:24.0764 5896 Product type: Workstation
15:45:24.0764 5896 ComputerName: JASON-2010
15:45:24.0764 5896 UserName: jgowers
15:45:24.0764 5896 Windows directory: C:\WINDOWS
15:45:24.0764 5896 System windows directory: C:\WINDOWS
15:45:24.0764 5896 Processor architecture: Intel x86
15:45:24.0764 5896 Number of processors: 8
15:45:24.0764 5896 Page size: 0x1000
15:45:24.0764 5896 Boot type: Normal boot
15:45:24.0764 5896 ============================================================
15:45:26.0076 5896 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
15:45:26.0076 5896 Drive \Device\Harddisk1\DR2 - Size: 0xEEC00000 (3.73 Gb), SectorSize: 0x200, Cylinders: 0x1E6, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
15:45:26.0076 5896 \Device\Harddisk0\DR0:
15:45:26.0076 5896 MBR used
15:45:26.0076 5896 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A380D41
15:45:26.0076 5896 \Device\Harddisk1\DR2:
15:45:26.0076 5896 MBR used
15:45:26.0076 5896 \Device\Harddisk1\DR2\Partition0: MBR, Type 0xC, StartLBA 0x1F80, BlocksNum 0x774080
15:45:26.0108 5896 Initialize success
15:45:26.0108 5896 ============================================================
15:45:28.0248 1936 ============================================================
15:45:28.0248 1936 Scan started
15:45:28.0248 1936 Mode: Manual;
15:45:28.0248 1936 ============================================================
15:45:28.0998 1936 Abiosdsk - ok
15:45:28.0998 1936 abp480n5 - ok
15:45:29.0030 1936 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:45:29.0030 1936 ACPI - ok
15:45:29.0061 1936 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
15:45:29.0061 1936 ACPIEC - ok
15:45:29.0092 1936 adfs (73685e15ef8b0bd9c30f1af413f13d49) C:\WINDOWS\system32\drivers\adfs.sys
15:45:29.0092 1936 adfs - ok
15:45:29.0092 1936 adpu160m - ok
15:45:29.0123 1936 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
15:45:29.0123 1936 aec - ok
15:45:29.0155 1936 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
15:45:29.0155 1936 AFD - ok
15:45:29.0155 1936 Aha154x - ok
15:45:29.0155 1936 aic78u2 - ok
15:45:29.0170 1936 aic78xx - ok
15:45:29.0186 1936 aksfridge (9e989429631a0588c60c430fd7db7576) C:\WINDOWS\system32\drivers\aksfridge.sys
15:45:29.0186 1936 aksfridge - ok
15:45:29.0201 1936 AliIde - ok
15:45:29.0201 1936 amsint - ok
15:45:29.0201 1936 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
15:45:29.0217 1936 Arp1394 - ok
15:45:29.0217 1936 asc - ok
15:45:29.0217 1936 asc3350p - ok
15:45:29.0217 1936 asc3550 - ok
15:45:29.0233 1936 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:45:29.0233 1936 AsyncMac - ok
15:45:29.0248 1936 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
15:45:29.0248 1936 atapi - ok
15:45:29.0248 1936 Atdisk - ok
15:45:29.0264 1936 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:45:29.0264 1936 Atmarpc - ok
15:45:29.0295 1936 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
15:45:29.0295 1936 audstub - ok
15:45:29.0311 1936 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
15:45:29.0311 1936 Beep - ok
15:45:29.0342 1936 busenum (cec1dbed5ea31801cdeb12833234f139) C:\WINDOWS\system32\DRIVERS\busenum.sys
15:45:29.0342 1936 busenum - ok
15:45:29.0358 1936 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
15:45:29.0358 1936 cbidf2k - ok
15:45:29.0373 1936 cd20xrnt - ok
15:45:29.0389 1936 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
15:45:29.0389 1936 Cdaudio - ok
15:45:29.0389 1936 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
15:45:29.0389 1936 Cdfs - ok
15:45:29.0405 1936 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
15:45:29.0405 1936 Cdrom - ok
15:45:29.0405 1936 Changer - ok
15:45:29.0420 1936 CmdIde - ok
15:45:29.0420 1936 Cpqarray - ok
15:45:29.0420 1936 dac2w2k - ok
15:45:29.0436 1936 dac960nt - ok
15:45:29.0436 1936 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
15:45:29.0436 1936 Disk - ok
15:45:29.0467 1936 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
15:45:29.0467 1936 dmboot - ok
15:45:29.0467 1936 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
15:45:29.0483 1936 dmio - ok
15:45:29.0498 1936 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
15:45:29.0498 1936 dmload - ok
15:45:29.0514 1936 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
15:45:29.0514 1936 DMusic - ok
15:45:29.0514 1936 dpti2o - ok
15:45:29.0545 1936 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
15:45:29.0545 1936 drmkaud - ok
15:45:29.0592 1936 e1yexpress (6a738bee58ff3d2f237157082e799de8) C:\WINDOWS\system32\DRIVERS\e1y5132.sys
15:45:29.0592 1936 e1yexpress - ok
15:45:29.0623 1936 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
15:45:29.0623 1936 Fastfat - ok
15:45:29.0623 1936 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
15:45:29.0623 1936 Fdc - ok
15:45:29.0655 1936 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
15:45:29.0655 1936 Fips - ok
15:45:29.0670 1936 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
15:45:29.0670 1936 Flpydisk - ok
15:45:29.0686 1936 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
15:45:29.0686 1936 FltMgr - ok
15:45:29.0686 1936 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
15:45:29.0701 1936 Fs_Rec - ok
15:45:29.0717 1936 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:45:29.0717 1936 Ftdisk - ok
15:45:29.0733 1936 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
15:45:29.0733 1936 GEARAspiWDM - ok
15:45:29.0748 1936 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
15:45:29.0748 1936 Gpc - ok
15:45:29.0795 1936 Hardlock (c03718f2b954972a40ad75e22d159f9f) C:\WINDOWS\system32\drivers\hardlock.sys
15:45:29.0795 1936 Hardlock - ok
15:45:29.0811 1936 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
15:45:29.0826 1936 HDAudBus - ok
15:45:29.0826 1936 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
15:45:29.0826 1936 hidusb - ok
15:45:29.0826 1936 hpn - ok
15:45:29.0858 1936 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
15:45:29.0858 1936 HTTP - ok
15:45:29.0858 1936 i2omgmt - ok
15:45:29.0873 1936 i2omp - ok
15:45:29.0873 1936 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
15:45:29.0873 1936 Imapi - ok
15:45:29.0873 1936 ini910u - ok
15:45:29.0967 1936 IntcAzAudAddService (4aaa8312732655f93a254d1fa695eb79) C:\WINDOWS\system32\drivers\RtkHDAud.sys
15:45:29.0983 1936 IntcAzAudAddService - ok
15:45:29.0983 1936 IntelIde - ok
15:45:29.0983 1936 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:45:29.0983 1936 intelppm - ok
15:45:29.0998 1936 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
15:45:29.0998 1936 Ip6Fw - ok
15:45:30.0030 1936 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:45:30.0030 1936 IpFilterDriver - ok
15:45:30.0061 1936 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
15:45:30.0061 1936 IpInIp - ok
15:45:30.0061 1936 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
15:45:30.0076 1936 IpNat - ok
15:45:30.0076 1936 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
15:45:30.0076 1936 IPSec - ok
15:45:30.0092 1936 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
15:45:30.0092 1936 IRENUM - ok
15:45:30.0108 1936 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
15:45:30.0108 1936 isapnp - ok
15:45:30.0139 1936 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:45:30.0139 1936 Kbdclass - ok
15:45:30.0155 1936 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
15:45:30.0155 1936 kbdhid - ok
15:45:30.0170 1936 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
15:45:30.0170 1936 kmixer - ok
15:45:30.0186 1936 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
15:45:30.0201 1936 KSecDD - ok
15:45:30.0201 1936 lbrtfdc - ok
15:45:30.0217 1936 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
15:45:30.0217 1936 mnmdd - ok
15:45:30.0233 1936 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
15:45:30.0233 1936 Modem - ok
15:45:30.0248 1936 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
15:45:30.0248 1936 Mouclass - ok
15:45:30.0248 1936 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
15:45:30.0248 1936 mouhid - ok
15:45:30.0248 1936 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
15:45:30.0248 1936 MountMgr - ok
15:45:30.0311 1936 MpKsl30cce978 - ok
15:45:30.0326 1936 mraid35x - ok
15:45:30.0326 1936 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:45:30.0326 1936 MRxDAV - ok
15:45:30.0373 1936 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:45:30.0373 1936 MRxSmb - ok
15:45:30.0373 1936 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
15:45:30.0373 1936 Msfs - ok
15:45:30.0389 1936 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
15:45:30.0389 1936 MSKSSRV - ok
15:45:30.0405 1936 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:45:30.0405 1936 MSPCLOCK - ok
15:45:30.0420 1936 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
15:45:30.0420 1936 MSPQM - ok
15:45:30.0436 1936 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:45:30.0436 1936 mssmbios - ok
15:45:30.0467 1936 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
15:45:30.0467 1936 Mup - ok
15:45:30.0467 1936 mv61xx (1eb94143ed3d8794d189759eb8221537) C:\WINDOWS\system32\drivers\mv61xx.sys
15:45:30.0467 1936 mv61xx - ok
15:45:30.0483 1936 NAL (03ca886ba148b6b9996be1368ddc3fc0) C:\WINDOWS\system32\Drivers\iqvw32.sys
15:45:30.0483 1936 NAL - ok
15:45:30.0483 1936 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
15:45:30.0498 1936 NDIS - ok
15:45:30.0514 1936 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:45:30.0514 1936 NdisTapi - ok
15:45:30.0545 1936 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:45:30.0545 1936 Ndisuio - ok
15:45:30.0576 1936 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:45:30.0576 1936 NdisWan - ok
15:45:30.0608 1936 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
15:45:30.0608 1936 NDProxy - ok
15:45:30.0623 1936 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
15:45:30.0623 1936 NetBIOS - ok
15:45:30.0639 1936 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
15:45:30.0639 1936 NetBT - ok
15:45:30.0655 1936 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
15:45:30.0655 1936 NIC1394 - ok
15:45:30.0655 1936 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
15:45:30.0655 1936 Npfs - ok
15:45:30.0670 1936 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
15:45:30.0670 1936 Ntfs - ok
15:45:30.0717 1936 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
15:45:30.0717 1936 NuidFltr - ok
15:45:30.0717 1936 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
15:45:30.0717 1936 Null - ok
15:45:30.0826 1936 nv (07e25fe08344021091f000d84611a2ab) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
15:45:30.0889 1936 nv - ok
15:45:30.0905 1936 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:45:30.0905 1936 NwlnkFlt - ok
15:45:30.0920 1936 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:45:30.0920 1936 NwlnkFwd - ok
15:45:30.0967 1936 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
15:45:30.0967 1936 ohci1394 - ok
15:45:30.0998 1936 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
15:45:30.0998 1936 Parport - ok
15:45:31.0030 1936 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
15:45:31.0030 1936 PartMgr - ok
15:45:31.0045 1936 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
15:45:31.0045 1936 ParVdm - ok
15:45:31.0092 1936 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
15:45:31.0092 1936 PCI - ok
15:45:31.0092 1936 PCIDump - ok
15:45:31.0123 1936 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
15:45:31.0123 1936 PCIIde - ok
15:45:31.0155 1936 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
15:45:31.0155 1936 Pcmcia - ok
15:45:31.0155 1936 PDCOMP - ok
15:45:31.0155 1936 PDFRAME - ok
15:45:31.0170 1936 PDRELI - ok
15:45:31.0170 1936 PDRFRAME - ok
15:45:31.0170 1936 perc2 - ok
15:45:31.0170 1936 perc2hib - ok
15:45:31.0186 1936 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:45:31.0186 1936 PptpMiniport - ok
15:45:31.0201 1936 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
15:45:31.0201 1936 PSched - ok
15:45:31.0233 1936 PSINAflt (b66042e21d32fcdf193b3b80516da1b3) C:\WINDOWS\system32\DRIVERS\PSINAflt.sys
15:45:31.0233 1936 PSINAflt - ok
15:45:31.0264 1936 PSINFile (5bab5fb4cb1963f643a1a8b4d816cf8f) C:\WINDOWS\system32\DRIVERS\PSINFile.sys
15:45:31.0264 1936 PSINFile - ok
15:45:31.0295 1936 PSINKNC (16066810f5dae092db226c6662feedc9) C:\WINDOWS\system32\DRIVERS\psinknc.sys
15:45:31.0295 1936 PSINKNC - ok
15:45:31.0311 1936 PSINProc (87b2fe6d7b427947541360f48c302054) C:\WINDOWS\system32\DRIVERS\PSINProc.sys
15:45:31.0311 1936 PSINProc - ok
15:45:31.0326 1936 PSINProt (72ce5f32ff8260a38127953555e29d66) C:\WINDOWS\system32\DRIVERS\PSINProt.sys
15:45:31.0326 1936 PSINProt - ok
15:45:31.0326 1936 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
15:45:31.0326 1936 Ptilink - ok
15:45:31.0342 1936 PxHelp20 (d970470f8f39470bdae94d313a1ccdce) C:\WINDOWS\system32\Drivers\PxHelp20.sys
15:45:31.0342 1936 PxHelp20 - ok
15:45:31.0342 1936 ql1080 - ok
15:45:31.0358 1936 Ql10wnt - ok
15:45:31.0358 1936 ql12160 - ok
15:45:31.0358 1936 ql1240 - ok
15:45:31.0358 1936 ql1280 - ok
15:45:31.0389 1936 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
15:45:31.0389 1936 RasAcd - ok
15:45:31.0405 1936 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
15:45:31.0405 1936 Rasl2tp - ok
15:45:31.0405 1936 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
15:45:31.0405 1936 RasPppoe - ok
15:45:31.0405 1936 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
15:45:31.0405 1936 Raspti - ok
15:45:31.0420 1936 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
15:45:31.0420 1936 Rdbss - ok
15:45:31.0420 1936 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:45:31.0420 1936 RDPCDD - ok
15:45:31.0451 1936 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
15:45:31.0451 1936 rdpdr - ok
15:45:31.0483 1936 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
15:45:31.0483 1936 RDPWD - ok
15:45:31.0483 1936 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
15:45:31.0483 1936 redbook - ok
15:45:31.0530 1936 SCDEmu (20b2751cd4c8f3fd989739ca661b9f30) C:\WINDOWS\system32\drivers\SCDEmu.sys
15:45:31.0530 1936 SCDEmu - ok
15:45:31.0545 1936 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
15:45:31.0545 1936 Secdrv - ok
15:45:31.0592 1936 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
15:45:31.0592 1936 Serial - ok
15:45:31.0608 1936 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
15:45:31.0608 1936 Sfloppy - ok
15:45:31.0623 1936 Simbad - ok
15:45:31.0623 1936 Sparrow - ok
15:45:31.0670 1936 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
15:45:31.0670 1936 splitter - ok
15:45:31.0701 1936 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
15:45:31.0701 1936 sr - ok
15:45:31.0733 1936 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
15:45:31.0748 1936 Srv - ok
15:45:31.0780 1936 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
15:45:31.0780 1936 StillCam - ok
15:45:31.0780 1936 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
15:45:31.0780 1936 swenum - ok
15:45:31.0795 1936 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
15:45:31.0795 1936 swmidi - ok
15:45:31.0795 1936 symc810 - ok
15:45:31.0795 1936 symc8xx - ok
15:45:31.0811 1936 sym_hi - ok
15:45:31.0811 1936 sym_u3 - ok
15:45:31.0826 1936 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
15:45:31.0826 1936 sysaudio - ok
15:45:31.0842 1936 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:45:31.0842 1936 Tcpip - ok
15:45:31.0858 1936 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
15:45:31.0858 1936 TDPIPE - ok
15:45:31.0873 1936 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
15:45:31.0873 1936 TDTCP - ok
15:45:31.0889 1936 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
15:45:31.0889 1936 TermDD - ok
15:45:31.0905 1936 TosIde - ok
15:45:31.0920 1936 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
15:45:31.0920 1936 Udfs - ok
15:45:31.0936 1936 ultra - ok
15:45:31.0967 1936 UltraMonUtility (5a5bd0f66e84eb039cb227520d49908c) C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys
15:45:31.0967 1936 UltraMonUtility - ok
15:45:31.0998 1936 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
15:45:31.0998 1936 Update - ok
15:45:32.0030 1936 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
15:45:32.0030 1936 USBAAPL - ok
15:45:32.0077 1936 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:45:32.0077 1936 usbccgp - ok
15:45:32.0092 1936 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:45:32.0092 1936 usbehci - ok
15:45:32.0108 1936 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:45:32.0108 1936 usbhub - ok
15:45:32.0123 1936 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:45:32.0123 1936 usbprint - ok
15:45:32.0186 1936 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:45:32.0186 1936 usbscan - ok
15:45:32.0202 1936 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:45:32.0202 1936 USBSTOR - ok
15:45:32.0202 1936 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
15:45:32.0202 1936 usbuhci - ok
15:45:32.0217 1936 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
15:45:32.0217 1936 VgaSave - ok
15:45:32.0217 1936 ViaIde - ok
15:45:32.0233 1936 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
15:45:32.0233 1936 VolSnap - ok
15:45:32.0233 1936 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:45:32.0233 1936 Wanarp - ok
15:45:32.0280 1936 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
15:45:32.0280 1936 Wdf01000 - ok
15:45:32.0280 1936 WDICA - ok
15:45:32.0295 1936 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
15:45:32.0295 1936 wdmaud - ok
15:45:32.0342 1936 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
15:45:32.0342 1936 WmiAcpi - ok
15:45:32.0358 1936 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:45:32.0358 1936 WudfPf - ok
15:45:32.0373 1936 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
15:45:32.0373 1936 WudfRd - ok
15:45:32.0389 1936 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
15:45:32.0530 1936 \Device\Harddisk0\DR0 - ok
15:45:32.0530 1936 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR2
15:45:32.0530 1936 \Device\Harddisk1\DR2 - ok
15:45:32.0530 1936 Boot (0x1200) (64056f333ab089f8e93b5a2b366199b4) \Device\Harddisk0\DR0\Partition0
15:45:32.0530 1936 \Device\Harddisk0\DR0\Partition0 - ok
15:45:32.0530 1936 Boot (0x1200) (2ac9ffd1baa36682764b80756da70cb8) \Device\Harddisk1\DR2\Partition0
15:45:32.0530 1936 \Device\Harddisk1\DR2\Partition0 - ok
15:45:32.0530 1936 ============================================================
15:45:32.0530 1936 Scan finished
15:45:32.0530 1936 ============================================================
15:45:32.0545 5540 Detected object count: 0
15:45:32.0545 5540 Actual detected object count: 0

#8 safadao

safadao
  • Topic Starter

  • Members
  • 16 posts
  • Local time:07:14 AM

Posted 19 March 2012 - 12:16 AM

ComboFix 12-03-18.02 - jgowers 19/03/2012 16:07:51.1.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3316.2589 [GMT 11:00]
Running from: c:\documents and settings\jgowers\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.txt
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-02-19 to 2012-03-19 )))))))))))))))))))))))))))))))
.
.
2012-03-14 20:46 . 2012-03-14 20:46 -------- d-----w- C:\found.000
2012-03-13 21:04 . 2012-03-13 21:04 -------- d-----w- c:\program files\iPod
2012-03-13 21:04 . 2012-03-13 21:06 -------- d-----w- c:\program files\iTunes
2012-03-13 21:00 . 2012-03-13 21:00 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2012-02-20 21:13 . 2003-04-18 08:06 8192 ----a-w- c:\windows\system32\srvany.exe
2012-02-20 00:52 . 2012-02-20 00:52 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-02-20 00:52 . 2012-02-20 00:52 -------- d-----w- c:\program files\Microsoft.NET
2012-02-20 00:52 . 2012-02-20 00:52 -------- d-----w- c:\program files\Microsoft Sync Framework
2012-02-20 00:52 . 2012-02-20 00:52 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-02-20 00:52 . 2012-02-20 00:52 -------- d-----w- c:\documents and settings\All Users\Microsoft
2012-02-20 00:51 . 2012-02-20 00:51 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2012-02-20 00:50 . 2012-02-20 00:50 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-02-20 00:50 . 2012-02-20 00:53 -------- d-----w- c:\windows\SHELLNEW
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-29 23:58 . 2011-09-08 00:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 00:01 . 2011-01-27 02:25 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 00:01 . 2011-01-27 02:25 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-03 09:22 . 2008-04-14 01:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-16 06:23 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2011-01-27 00:06 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-20 00:48 . 2011-05-03 04:28 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
2011-06-24 17:37 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2011-06-24 86696]
.
[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-03-06 741240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 995328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Panda Security URL Filtering"="c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2011-06-28 217256]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-20 519584]
.
c:\documents and settings\jgowers\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2010-12-27 48618]
UltraMon.lnk - c:\windows\Installer\{B49673F8-7AB6-4A14-8213-C8A7BE370010}\IcoUltraMon.ico [2011-1-27 29310]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2012-01-02 21:23 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2012-01-03 11:50 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2011-03-14 22:16 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ------r- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-20 10:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 04:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InnoSetupRegFile.0000000001]
2011-10-14 02:20 709968 ----a-w- c:\windows\is-27HCM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-06 08:05 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-02-09 05:18 1657376 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 03:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Simple Sticky Notes]
2011-07-29 02:39 1689488 ----a-w- c:\program files\Simnet\Simple Sticky Notes\ssn.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 06:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-03-06 20:36 741240 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Adobe Version Cue CS4"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
.
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [31/08/2009 10:38 PM 151592]
R2 FileOpenManagerSvc;FileOpen Manager Service;c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe [21/10/2011 3:08 PM 213376]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 SynoDrService;SynoDrService;c:\program files\Synology Data Replicator 3\SynoDrService.exe [12/01/2010 1:45 PM 245760]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [14/11/2008 2:11 AM 17184]
R2 UsbClientService;UsbClientService;c:\program files\Synology\Assistant\UsbClientService.exe [18/02/2011 5:18 PM 245760]
R3 busenum;Synology Virtual USB Hub;c:\windows\system32\drivers\busenum.sys [18/02/2011 5:20 PM 46304]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [27/01/2011 11:25 AM 243856]
S1 MpKsl30cce978;MpKsl30cce978;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91A087A0-CB78-4DC3-95F0-B02CFEC58471}\MpKsl30cce978.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91A087A0-CB78-4DC3-95F0-B02CFEC58471}\MpKsl30cce978.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27/01/2011 12:37 PM 136176]
S2 KMService;KMService;c:\windows\system32\srvany.exe [21/02/2012 8:13 AM 8192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [27/01/2011 12:37 PM 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [12/06/2011 11:15 AM 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9/01/2010 9:37 PM 4640000]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 5:46 AM 288112]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 07:57]
.
2012-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 01:37]
.
2012-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 01:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: Interfaces\{3E3CB466-6119-41F7-B5C1-F09C46504182}: NameServer = 10.0.0.99
FF - ProfilePath - c:\documents and settings\jgowers\Application Data\Mozilla\Firefox\Profiles\47fwm9vp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2780272&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Your-TV Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-GrooveMonitor - c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-19 16:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(920)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2012-03-19 16:14:01
ComboFix-quarantined-files.txt 2012-03-19 05:13
.
Pre-Run: 25,762,959,360 bytes free
Post-Run: 27,238,690,816 bytes free
.
- - End Of File - - 0755BD28A2747133581407555395C554
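
The Firefox prefs.js lines in the Supplementary Scan above are the one browser-level hijack indicator in this ComboFix log: browser.search.defaulturl points at search.conduit.com with a Conduit toolbar id, while the IE start page, IE search URLs and the Firefox homepage still point at Google. The script below is an added example for this thread, not ComboFix code and not something the helper posted: it re-fangs the hxxp:// URLs, parses the start-page and search lines, and reports any setting whose host is outside an allow-list. The allow-list is an assumption for the example, and the sample input is copied from the log above.

```python
"""
Added example, not part of the thread and not ComboFix code: flag browser
start-page / search settings in a ComboFix log whose host is not one the
user would expect. The Conduit entry above is the kind of thing it catches.
"""
import re
from urllib.parse import urlparse

# Sample input: lines copied from the ComboFix "Supplementary Scan" above.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com.au/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2780272&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Your-TV Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
"""

# Hosts this user legitimately searches from (an assumption for the example;
# adjust per machine). Anything else in a search/start-page slot is reported.
EXPECTED_HOSTS = {"www.google.com", "www.google.com.au"}

# "key = value" (IE/registry entries) or "FF - prefs.js: key - value" (Firefox).
LINE_RE = re.compile(r"^(?:FF - prefs\.js: )?(?P<key>[^=\-]+?)\s*[-=]\s*(?P<value>.+)$")


def refang(url: str) -> str:
    """ComboFix writes hxxp:// so URLs in the log are not clickable; undo that."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def find_hijacked_settings(log_text: str, expected_hosts=EXPECTED_HOSTS):
    """Return (setting, host) pairs whose URL host is outside expected_hosts.

    Values that are not URLs (for example the selectedEngine display name)
    cannot be judged by host and are skipped; they still deserve a manual look.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        host = urlparse(refang(value)).hostname
        if host is None:
            continue
        if host.lower() not in expected_hosts:
            findings.append((key, host))
    return findings


if __name__ == "__main__":
    for key, host in find_hijacked_settings(SAMPLE_LOG):
        print(f"search/start-page setting {key!r} points at {host}")
```

Run over a full ComboFix log it will also pick up a changed uStart Page or uSearchURL; the non-URL selectedEngine value ("Your-TV Customized Web Search") is the name of the same Conduit engine and is left for manual review rather than guessed at.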

#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:14 AM

Posted 19 March 2012 - 04:01 PM

Hello,

Still redirecting?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 safadao

safadao
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 19 March 2012 - 05:17 PM

There is no redirection happening at the minute... I take it that means I'm cured? :)

#11 safadao

safadao
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 19 March 2012 - 05:21 PM

The results from GMER here are nothing to be worried about?

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-20 09:20:45
Windows 5.1.2600 Service Pack 3
Running: ni1lq849.exe; Driver: C:\DOCUME~1\jgowers\LOCALS~1\Temp\agdyifog.sys


---- System - GMER 1.0.15 ----

SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D7090]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7090] ZwCreateKey [0x804D7090]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteKey [0x804D709A]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D709A] ZwDeleteKey [0x804D709A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteValueKey [0x804D708B]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D708B] ZwDeleteValueKey [0x804D708B]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D709F] ZwEnumerateKey [0x804D709F]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A4] ZwEnumerateValueKey [0x804D70A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D70B3]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70B3] ZwOpenKey [0x804D70B3]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70AE] ZwQueryKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryValueKey [0x804D70A9]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A9] ZwQueryValueKey [0x804D70A9]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetValueKey [0x804D7095]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7095] ZwSetValueKey [0x804D7095]

INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D70C2

Code \??\C:\DOCUME~1\jgowers\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB90E4360, 0x35483F, 0xE8000020]
.text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0xB58FD000, 0x44527, 0xE0000020]
.init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0xB594F224]
.init C:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0xB594F000, 0x7000, 0xE20000E0]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB578A400, 0x88182, 0xE8000020]
.protect C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect" section [0xB582E820]
.protect C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB582E600, 0x50F6, 0xE0000020]
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\jgowers\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE[620] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 39416376 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[668] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[2468] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 39416376 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[2468] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 39CD5530 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01215B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2912] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 0139802D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3056] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106C01A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3056] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 106C0135 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3056] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 10450924 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3056] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10450ECF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Microsoft Office\Office14\EXCEL.EXE[4548] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 39416376 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office14\EXCEL.EXE[4548] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 39CD5530 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\FileOpenWebPublisherScreenHookDriver \Device\FileOpenWebPublisherScreenHookDriver fowp32.sys
Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DR2 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+3 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:14 AM

Posted 19 March 2012 - 05:45 PM

Hello,

I see nothing in the Gmer log. Let's run a couple other scanners to make sure there are no leftovers on your machine.

1.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


2.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Things to include in your next reply::
MBAM log
Eset log
How is your machine running now?


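The "nothing in the Gmer log" verdict above rests on two reads of the GMER output posted in #11: every SSDT entry resolves into the kernel image itself (ntkrnlpa.exe, the stock service routines, listed twice because GMER prints the plain and "[unknown section]" forms), and every user-mode inline hook ("5 Bytes JMP") resolves to a named module that belongs with the hooked process (mso.dll for Office, xul.dll for Firefox). The script below is an added example for this thread, not GMER's code and not something the helper posted: it automates those two reads over GMER-format lines, reporting SSDT handlers outside the kernel image and inline hooks whose jump target GMER could not attribute to any module. The lines from the thread are copied as-is; the second sample (hookdrv.sys, the svchost.exe hook) is constructed to show what a positive looks like and is not from this machine.

```python
"""
Added example, not part of the thread and not GMER code: a triage pass over
GMER log lines. Reports (1) SSDT entries handled outside the NT kernel image
and (2) user-mode inline hooks whose JMP target GMER could not attribute.
"""
import re

# Sample input: lines copied from the GMER output posted in the thread.
GMER_LOG_FROM_THREAD = r"""
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D7090]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7090] ZwCreateKey [0x804D7090]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D70B3]
.text C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE[620] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 39416376 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01215B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
"""

# Constructed lines (NOT from the thread) in the same format: a third-party
# driver sitting in the SSDT, and an inline hook GMER cannot map to a module.
CONSTRUCTED_HOOK_LINES = r"""
SSDT \??\C:\WINDOWS\system32\drivers\hookdrv.sys ZwOpenProcess [0xB1C3A2F0]
SSDT \??\C:\WINDOWS\system32\drivers\hookdrv.sys ZwTerminateProcess [0xB1C3A310]
.text C:\WINDOWS\system32\svchost.exe[1040] ws2_32.dll!send 71AB4C27 5 Bytes JMP 00A1B2C3
"""

# File names the 32-bit NT kernel image can have; an SSDT handler inside one
# of these is the stock service routine, not a hook.
KERNEL_IMAGES = {"ntkrnlpa.exe", "ntoskrnl.exe", "ntkrpamp.exe", "ntkrnlmp.exe"}

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+?)(?:\[unknown section\])?\s+"
    r"(?:\([^)]*\)\s+)?"           # optional "(description/vendor)"
    r"(?:\[[0-9A-Fa-f]+\]\s+)?"    # optional "[address]" on the second form
    r"(?P<service>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]\s*$"
)

INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[\d+\]\s+(?P<export>\S+!\S+)\s+[0-9A-Fa-f]+\s+"
    r"\d+\s+Bytes\s+JMP\s+[0-9A-Fa-f]+"
    r"(?:\s+(?P<module>.+?)(?:\s+\([^)]*\))?)?\s*$"   # module is absent when unattributed
)


def basename(path: str) -> str:
    """Last component of a Windows path (GMER prints NT and Win32 forms)."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_ssdt(log_text: str):
    """Sorted (service, driver) pairs for SSDT entries handled outside the
    kernel image; GMER's duplicate lines for one entry collapse to one pair."""
    hooks = set()
    for line in log_text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m and basename(m.group("module")) not in KERNEL_IMAGES:
            hooks.add((m.group("service"), basename(m.group("module"))))
    return sorted(hooks)


def triage_inline_hooks(log_text: str):
    """(process, export) pairs for inline hooks whose JMP target GMER could
    not attribute to any loaded module."""
    unattributed = []
    for line in log_text.splitlines():
        m = INLINE_RE.match(line.strip())
        if m and not m.group("module"):
            unattributed.append((basename(m.group("proc")), m.group("export")))
    return unattributed


if __name__ == "__main__":
    for label, text in (("thread", GMER_LOG_FROM_THREAD),
                        ("constructed", CONSTRUCTED_HOOK_LINES)):
        print(label, "SSDT:", triage_ssdt(text), "inline:", triage_inline_hooks(text))
```

The thread's lines produce no findings from either check, which is the programmatic form of the verdict above; the constructed lines show the two shapes that would have warranted a follow-up. An attributed hook is not automatically benign (a malicious DLL has a name too), so the inline check is a first filter, not a clearance.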

#13 safadao

safadao
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 20 March 2012 - 07:43 PM

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.13.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
jgowers :: JASON-2010 [administrator]

21/03/2012 7:33:23 AM
mbam-log-2012-03-21 (07-33-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 262621
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

-----------------------

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:14 AM

Posted 20 March 2012 - 08:03 PM

The Eset log?



#15 safadao

safadao
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 20 March 2012 - 09:43 PM

And this doesn't look too flash

C:\Documents and Settings\jgowers\Desktop\Old Desktop (sort)\jasons laptop - c drive\Users\jason\Downloads\SoftonicDownloader_for_avidemux.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
C:\Documents and Settings\jgowers\My Documents\Downloads\cnet_Setup_SimpleStickyNotes_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Documents and Settings\jgowers\My Documents\Downloads\CS5 Master Collection EN Retail NLUPPER\CS5 Master Collection EN Retail\Disk 1\MasterCollection_CS5_D1_Win.iso probably a variant of Win32/Agent.JKRFJKT trojan deleted - quarantined
C:\Documents and Settings\jgowers\My Documents\Downloads\KMS Activator for Microsoft Office 2010 Applications x86 x64 Multilingual-FIXISO~DiBYA\mini-KMS_Activator_v1.053.exe a variant of Win32/HackKMS.A application deleted - quarantined
C:\Documents and Settings\jgowers\My Documents\Downloads\office ACTIVATOR 180 days\mini-KMS_Activator_v1.051.exe Win32/HackKMS.A application deleted - quarantined
C:\Jason's storage\copy off old hddrive\Desktop old old\work general\jasons work\temp\torrs\PowerISO.zip a variant of Win32/Keygen.CP application deleted - quarantined
C:\Jason's storage\copy off old hddrive\My old documents\work general\jasons work\temp\torrs\PowerISO.zip a variant of Win32/Keygen.CP application deleted - quarantined
C:\Jason's storage\copy off old hddrive\New Folder\Building Your Field Of Dreams [Tony Robbins, T Harv Eker, Robert Kiyosaki.rar probably a variant of Win32/TrojanDownloader.VB.JCXGTJX trojan deleted - quarantined
C:\Jason's storage\copy off old hddrive\New Folder\Harness The Power Of Your Mind [John Kehoe, T Harv Eker, Tony Robbins, Jack Canfield].rar probably a variant of Win32/TrojanDownloader.VB.JCXGTJX trojan deleted - quarantined
C:\Jason's storage\copy off old hddrive\New Folder\Magnetic Marketing [Tony Robbins, T Harv Eker, Robert Kiyosaki, Bob Proctor].rar probably a variant of Win32/TrojanDownloader.VB.JCXGTJX trojan deleted - quarantined
C:\Jason's storage\copy off old hddrive\New Folder\Make Money Doing What You Love [Tony Robbins, T Harv Eker, Robert Kiyosaki, Bob Proctor].rar probably a variant of Win32/TrojanDownloader.VB.JCXGTJX trojan deleted - quarantined
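
The ESET list above mixes two classes of hit. The entries ESET labels "application" (SoftonicDownloader, InstallCore, HackKMS, Keygen) are bundled downloaders, activators and keygens, i.e. potentially unwanted or unsafe applications rather than infections; the entries labelled "trojan" are actual malware detections, and every one of those is a heuristic "probably a variant of" hit inside a downloaded archive or ISO. The script below is an added example for this thread, not ESET's code and not something the helper posted: it parses the export format into records and summarizes them by class, confidence and action so that a responder can separate tooling from malware at a glance. The sample input is the list from the post above, copied verbatim.

```python
"""
Added example, not ESET code and not from the thread's helper: parse ESET
Online Scanner export lines and summarize them by detection class.
"""
import re
from collections import Counter

# Sample input: the ESET result lines posted above, verbatim.
ESET_LOG = r"""
C:\Documents and Settings\jgowers\Desktop\Old Desktop (sort)\jasons laptop - c drive\Users\jason\Downloads\SoftonicDownloader_for_avidemux.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
C:\Documents and Settings\jgowers\My Documents\Downloads\cnet_Setup_SimpleStickyNotes_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Documents and Settings\jgowers\My Documents\Downloads\CS5 Master Collection EN Retail NLUPPER\CS5 Master Collection EN Retail\Disk 1\MasterCollection_CS5_D1_Win.iso probably a variant of Win32/Agent.JKRFJKT trojan deleted - quarantined
C:\Documents and Settings\jgowers\My Documents\Downloads\KMS Activator for Microsoft Office 2010 Applications x86 x64 Multilingual-FIXISO~DiBYA\mini-KMS_Activator_v1.053.exe a variant of Win32/HackKMS.A application deleted - quarantined
C:\Documents and Settings\jgowers\My Documents\Downloads\office ACTIVATOR 180 days\mini-KMS_Activator_v1.051.exe Win32/HackKMS.A application deleted - quarantined
C:\Jason's storage\copy off old hddrive\Desktop old old\work general\jasons work\temp\torrs\PowerISO.zip a variant of Win32/Keygen.CP application deleted - quarantined
C:\Jason's storage\copy off old hddrive\My old documents\work general\jasons work\temp\torrs\PowerISO.zip a variant of Win32/Keygen.CP application deleted - quarantined
C:\Jason's storage\copy off old hddrive\New Folder\Building Your Field Of Dreams [Tony Robbins, T Harv Eker, Robert Kiyosaki.rar probably a variant of Win32/TrojanDownloader.VB.JCXGTJX trojan deleted - quarantined
C:\Jason's storage\copy off old hddrive\New Folder\Harness The Power Of Your Mind [John Kehoe, T Harv Eker, Tony Robbins, Jack Canfield].rar probably a variant of Win32/TrojanDownloader.VB.JCXGTJX trojan deleted - quarantined
C:\Jason's storage\copy off old hddrive\New Folder\Magnetic Marketing [Tony Robbins, T Harv Eker, Robert Kiyosaki, Bob Proctor].rar probably a variant of Win32/TrojanDownloader.VB.JCXGTJX trojan deleted - quarantined
C:\Jason's storage\copy off old hddrive\New Folder\Make Money Doing What You Love [Tony Robbins, T Harv Eker, Robert Kiyosaki, Bob Proctor].rar probably a variant of Win32/TrojanDownloader.VB.JCXGTJX trojan deleted - quarantined
"""

# <path> [probably a variant of | a variant of] <signature> <kind> <action> [- quarantined]
# The path is matched lazily because it may itself contain " - " and brackets.
ESET_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<confidence>probably a variant of|a variant of)\s+)?"
    r"(?P<signature>Win32/\S+)\s+"
    r"(?P<kind>application|trojan)\s+"
    r"(?P<action>.+?)(?:\s+-\s+quarantined)?\s*$"
)

# ESET's wording maps onto how much weight the hit deserves.
CONFIDENCE = {"probably a variant of": "heuristic", "a variant of": "variant", None: "exact"}


def parse_eset(log_text: str):
    """One dict per result line; lines that do not fit the format are skipped."""
    records = []
    for line in log_text.splitlines():
        m = ESET_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "path": m.group("path"),
            "signature": m.group("signature"),
            "kind": m.group("kind"),
            "confidence": CONFIDENCE[m.group("confidence")],
            "action": m.group("action"),
            "quarantined": line.rstrip().endswith("- quarantined"),
        })
    return records


def summarize(records):
    """Counts by class and action, plus how many hits were heuristic only."""
    return {
        "by_kind": Counter(r["kind"] for r in records),
        "by_action": Counter(r["action"] for r in records),
        "heuristic": sum(r["confidence"] == "heuristic" for r in records),
    }


def trojan_paths(records):
    """Paths of the real malware detections, the ones worth tracing back."""
    return [r["path"] for r in records if r["kind"] == "trojan"]


if __name__ == "__main__":
    recs = parse_eset(ESET_LOG)
    print(summarize(recs))
    for p in trojan_paths(recs):
        print("trojan:", p)
```

For this log the summary is six "application" hits against five "trojan" hits, all five heuristic and all in downloaded media; the useful follow-up is to treat the archive and ISO sources as the thing to stop pulling in, not to hunt for a live infection from them alone.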



