blackdogg

Members
  • Posts: 8

Reputation: 0 Neutral
  1. Thanks, Lorry! I think I will be going with the hosts file. That page is some great reading.
  2. This PC is owned by a friend of mine. I wasn't aware it was in such sad shape until he asked me to take a look at it. I will be installing AVG 8.5 and zonealarm on it before returning it to him. Once again, thank you for your time and all the effort you put into helping people like me.
  3. Thank you for your time, I believe the issue is addressed. The info in the threads is invaluable.

     Malwarebytes' Anti-Malware 1.41
     Database version: 2905
     Windows 5.1.2600 Service Pack 2

     10/4/2009 1:15:54 PM
     mbam-log-2009-10-04 (13-15-54).txt

     Scan type: Quick Scan
     Objects scanned: 97727
     Time elapsed: 14 minute(s), 20 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  4. Latest log.

     Malwarebytes' Anti-Malware 1.41
     Database version: 2903
     Windows 5.1.2600 Service Pack 2 (Safe Mode)

     10/4/2009 9:40:42 AM
     mbam-log-2009-10-04 (09-40-37).txt

     Scan type: Quick Scan
     Objects scanned: 96990
     Time elapsed: 7 minute(s), 48 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 1
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures (Malware.Trace) -> No action taken.

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  5. I had used UBCD4Win, which was created using an XP SP2 disc, to access the hard drive, and I copied atapi.sys from that. SP3 was never installed on this PC.
  6. Also, I should note, while reading some threads, I noticed that atapi.sys seems to be a culprit; I had renamed and replaced the existing one with a known clean one.
  7. Hello Lonny, Thank you. My apologies for running combofix. From reading through the threads I had seen no harm running it and assumed the log would be of assistance. I cannot post the logs, as I had uninstalled combofix after posting the logs.

     SERVICE_NAME: atapi
     DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
             TYPE               : 1  KERNEL_DRIVER
             STATE              : 4  RUNNING
                                     (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
             WIN32_EXIT_CODE    : 0  (0x0)
             SERVICE_EXIT_CODE  : 0  (0x0)
             CHECKPOINT         : 0x0
             WAIT_HINT          : 0x0

     "C:\WINDOWS\$NtServicePackUninstall$\atapi.sys":86912:08/29/2002 01:27 AM:-----c---
     "C:\WINDOWS\ServicePackFiles\i386\atapi.sys":95360:08/03/2004 10:59 PM:---------
     "C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys":96512:04/13/2008 02:40 PM:--a------
     "C:\WINDOWS\SYSTEM32\drivers\ATAPI.SYS":95360:02/28/2006 08:00 AM:--a------
  8. Here are the logs. Any help would be greatly appreciated. Thanks.

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 7:36:16 PM, on 10/2/2009
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\FairPoint\FairPoint Servicepoint Agent\FairPointServicepoint.exe
     C:\Program Files\QuickTime\QTTask.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
     C:\Documents and Settings\Owner\Desktop\SysInspector.exe
     C:\Documents and Settings\Owner\Desktop\02HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
     O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
     O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
     O4 - HKLM\..\Run: [FairPointServicepoint.exe] "C:\Program Files\FairPoint\FairPoint Servicepoint Agent\FairPointServicepoint.exe" /AUTORUN
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
     O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
     O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
     O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
     O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
     O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
     O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
     O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
     O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
     O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

     --
     End of file - 5917 bytes

     Malwarebytes' Anti-Malware 1.41
     Database version: 2897
     Windows 5.1.2600 Service Pack 2

     10/2/2009 9:55:07 PM
     mbam-log-2009-10-02 (21-55-02).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 193469
     Time elapsed: 1 hour(s), 51 minute(s), 9 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 1
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     \\?\globalroot\Device\Ide\IdePort1\byueoriw\byueoriw\tdlwsp.dll (Rootkit.TDSS) -> No action taken.

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     \\?\globalroot\Device\Ide\IdePort1\byueoriw\byueoriw\tdlwsp.dll (Rootkit.TDSS) -> No action taken.

     ComboFix 09-10-01.05 - Owner 10/02/2009 22:16.8.1 - NTFSx86
     Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.257 [GMT -4:00]
     Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
     .
     (((((((((((((((((((((((((   Files Created from 2009-09-03 to 2009-10-03   )))))))))))))))))))))))))))))))
     .
     2009-10-02 16:04 . 2009-10-02 16:04    574       ----a-w-   C:\cleanup.bat
     2009-10-02 16:04 . 2009-10-02 16:04    135168    ----a-w-   C:\zip.exe
     2009-10-02 04:15 . 2009-10-02 04:15    --------  d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
     2009-09-26 01:56 . 2009-09-26 01:55    23552     ----a-w-   c:\windows\system32\drivers\phooks.sys
     2009-09-25 16:12 . 2009-09-26 03:10    --------  d-----w-   c:\program files\Tizer Secure
     2009-09-24 23:26 . 2009-09-26 03:09    --------  d-----w-   c:\program files\Sophos
     2009-09-24 21:52 . 2009-09-24 21:52    153104    ----a-w-   c:\windows\system32\drivers\tmcomm.sys
     2009-09-24 20:22 . 2009-09-24 20:22    2         --shatr-   c:\windows\winstart.bat
     2009-09-24 20:20 . 2009-09-25 02:44    --------  d-----w-   c:\program files\UnHackMe
     2009-09-24 02:25 . 2009-09-24 02:25    --------  d-----w-   c:\program files\CCleaner
     2009-09-24 01:10 . 2009-09-24 01:10    --------  d-----w-   C:\tdsskiller
     2009-09-22 03:48 . 2009-09-22 03:48    --------  d-sh--w-   c:\documents and settings\Administrator\IECompatCache
     2009-09-22 03:41 . 2009-09-22 03:41    --------  d-sh--w-   c:\documents and settings\Administrator\IETldCache
     2009-09-22 03:36 . 2002-04-27 22:08    60776     ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-09-17 13:57 . 2009-09-17 13:57    --------  d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
     2009-09-09 06:17 . 2009-06-21 22:04    153088    ------w-   c:\windows\system32\dllcache\triedit.dll
     .
     ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-09-25 01:46 . 2009-04-02 22:44    --------  d-----w-   c:\program files\Common Files\Motive
     2009-09-24 14:45 . 2007-09-01 20:42    --------  d-----w-   c:\documents and settings\Owner\Application Data\U3
     2009-09-23 02:40 . 2009-06-05 14:28    --------  d-----w-   c:\program files\Malwarebytes' Anti-Malware
     2009-09-14 16:37 . 2009-08-31 16:34    --------  d-----w-   c:\documents and settings\All Users\Application Data\Yahoo! Companion
     2009-09-10 18:54 . 2009-06-05 14:28    38224     ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
     2009-09-10 18:53 . 2009-06-05 14:28    19160     ----a-w-   c:\windows\system32\drivers\mbam.sys
     2009-08-31 16:35 . 2004-07-09 22:38    --------  d-----w-   c:\documents and settings\Owner\Application Data\Yahoo!
     2009-08-31 16:35 . 2005-12-05 17:51    --------  d-----w-   c:\documents and settings\All Users\Application Data\yahoo!
     2009-08-31 16:34 . 2003-02-24 18:34    --------  d-----w-   c:\program files\Yahoo!
     2009-08-18 21:25 . 2007-09-14 02:37    --------  d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
     2009-08-18 05:44 . 2009-08-18 05:44    --------  d-----w-   c:\documents and settings\Owner\Application Data\TMInc
     2009-08-18 05:16 . 2009-08-18 05:16    144       ----a-w-   C:\domains.dat
     2009-08-18 05:14 . 2009-08-18 05:14    --------  d-----w-   c:\documents and settings\All Users\Application Data\iWin Games
     2009-08-05 09:11 . 2005-07-22 04:50    204800    ----a-w-   c:\windows\system32\mswebdvd.dll
     2009-07-17 18:55 . 2005-07-22 04:52    58880     ----a-w-   c:\windows\system32\atl.dll
     2009-07-14 03:43 . 2004-05-10 14:15    286208    ----a-w-   c:\windows\system32\wmpdxm.dll
     2004-08-04 04:56 . 2001-08-18 05:36    1028096   --sh--w-   c:\windows\SYSTEM32\mfc42.dll
     .
     (((((((((((((((((((((((((((((   SnapShot@2009-09-26_05.42.25   )))))))))))))))))))))))))))))))))))))))))
     .
     + 2001-09-05 03:16 . 2009-10-02 22:06    32768    c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     - 2001-09-05 03:16 . 2009-09-26 03:08    32768    c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     + 2001-09-05 03:16 . 2009-10-02 22:06    32768    c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     - 2001-09-05 03:16 . 2009-09-26 03:08    32768    c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     - 2009-09-17 13:57 . 2009-09-26 03:08    16384    c:\windows\SYSTEM32\config\systemprofile\IETldCache\index.dat
     + 2009-09-17 13:57 . 2009-10-02 22:06    16384    c:\windows\SYSTEM32\config\systemprofile\IETldCache\index.dat
     + 2001-09-05 03:16 . 2009-10-02 22:06    16384    c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
     - 2001-09-05 03:16 . 2009-09-26 03:08    16384    c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
     .
     (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
     "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "FairPointServicepoint.exe"="c:\program files\FairPoint\FairPoint Servicepoint Agent\FairPointServicepoint.exe" [2008-10-21 2286832]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
     "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
     "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

     R3 esihdrv;esihdrv;\??\c:\docume~1\Owner\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\Owner\LOCALS~1\Temp\esihdrv.sys [?]
     S3 hamachi_oem;PlayLinc Adapter;c:\windows\SYSTEM32\drivers\gan_adapter.sys [10/19/2006 11:11 AM 10664]
     S4 phooks;phooks;c:\windows\SYSTEM32\drivers\phooks.sys [9/25/2009 9:56 PM 23552]
     S4 rkhdrv40;Rootkit Unhooker Driver; [x]

     --- Other Services/Drivers In Memory ---

     *NewlyCreated* - ESIHDRV
     *Deregistered* - kwedakog

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
     "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
     .
     Contents of the 'Scheduled Tasks' folder

     2009-09-24 c:\windows\Tasks\User_Feed_Synchronization-{3CF784A6-C491-4BDB-9E9F-CCFC51EBF640}.job
     - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

     2009-09-24 c:\windows\Tasks\User_Feed_Synchronization-{BE829261-2C5D-4CA0-8B6D-E74DD505A5FC}.job
     - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.yahoo.com/
     mStart Page = hxxp://www.yahoo.com/
     mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
     uInternet Settings,ProxyOverride = *.local
     uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
     IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
     IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
     IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
     IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
     DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
     .
     - - - - ORPHANS REMOVED - - - -

     AddRemove-HijackThis - c:\documents and settings\Owner\Desktop\HijackThis.exe

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-10-02 22:38
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     c:\docume~1\Owner\LOCALS~1\Temp\RGIA.tmp

     scan completed successfully
     hidden files: 1

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_USERS\S-1-5-21-3020190987-2389969595-2291903390-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8CA5ED52-F3FB-4414-A105-2E3491156990}\iexplore]
     @DACL=(02 0000)
     "Type"=dword:00000003
     "Flags"=dword:00000000
     "Count"=dword:00000256
     "Time"=hex:d9,07,08,00,05,00,1c,00,0e,00,1c,00,16,00,f4,01
     "LoadTime"=dword:00000001
     "LoadTimeCount"=dword:00000252

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker3"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(476)
     c:\windows\system32\WININET.dll

     - - - - - - - > 'lsass.exe'(536)
     c:\windows\system32\WININET.dll

     - - - - - - - > 'explorer.exe'(4084)
     c:\windows\system32\WININET.dll
     tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\IdePort1\byueoriw\byueoriw\tdlwsp.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     Completion time: 2009-10-03 22:51
     ComboFix-quarantined-files.txt 2009-10-03 02:51
     ComboFix2.txt 2009-10-02 16:25
     ComboFix3.txt 2009-10-02 06:37
     ComboFix4.txt 2009-10-02 04:01
     ComboFix5.txt 2009-10-03 02:08

     Pre-Run: 14,367,440,896 bytes free
     Post-Run: 14,354,616,320 bytes free

     WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
     [boot loader]
     default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
     timeout=2
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn
     [spybotsd]
     timeout.old=30

     174 --- E O F --- 2009-09-24 19:14

     Attached: SysInspector_YOUR_ZE8CXVR8TT_091002_1829.zip