
LSF76

  1. 1. MBAM log:

     Malwarebytes' Anti-Malware 1.50.1.1100
     www.malwarebytes.org

     Database version: 6513

     Windows 5.1.2600 Service Pack 2
     Internet Explorer 8.0.6001.18702

     5/5/2011 9:47:56 AM
     mbam-log-2011-05-05 (09-47-56).txt

     Scan type: Quick scan
     Objects scanned: 156370
     Time elapsed: 4 minute(s), 34 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     2. ESET log:

     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=7
     # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
     # OnlineScanner.ocx=1.0.0.6427
     # api_version=3.0.2
     # EOSSerial=38f52542c0704346ad6646fca976e150
     # end=finished
     # remove_checked=true
     # archives_checked=false
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2011-05-05 03:49:28
     # local_time=2011-05-05 11:49:28 (-0500, Eastern Daylight Time)
     # country="United States"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 2
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # compatibility_mode=9217 16777214 100 70 25598598 26368920 0 0
     # scanned=83286
     # found=1
     # cleaned=1
     # scan_time=6129
     C:\Documents and Settings\Sam Mogilensky\My Documents\Backup of Flash Drive\Removable Disk (E)\Autorun.inf    INF/Autorun virus (deleted - quarantined)    00000000000000000000000000000000    C

     3. The symptoms which led me to think I was infected (pop-up ads, search results redirected to ads) have disappeared.

     I do have a concern, which is that ESET found a virus in a backup file I created for the content on my flash drive. Does that mean my flash drive is infected, and how can I remove that infection without reinfecting my computer?
  2. 1. Software uninstalled:

     J2SE Runtime Environment 5.0 Update 6
     Viewpoint Media Player

     2. ComboFix log:

     ComboFix 11-05-04.03 - Sam Mogilensky 05/04/2011  23:34:31.1.2 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1558 [GMT -4:00]
     Running from: c:\documents and settings\Sam Mogilensky\Desktop\ComboFix.exe
     AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
     FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
     .
     .
     (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\windows\system32\Thumbs.db
     .
     .
     (((((((((((((((((((((((((   Files Created from 2011-04-05 to 2011-05-05  )))))))))))))))))))))))))))))))
     .
     .
     2011-05-02 19:17 . 2011-05-02 19:20    --------    d-----w-    c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
     2011-05-02 05:01 . 2011-05-01 14:39    16432    ----a-w-    c:\windows\system32\lsdelete.exe
     2011-05-01 20:13 . 2011-05-01 20:16    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
     .
     .
     .
     ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2011-05-01 12:03 . 2006-05-20 17:31    24576    ----a-w-    c:\windows\system32\userinit.exe
     2011-04-29 16:12 . 2009-11-25 19:46    64512    ----a-w-    c:\windows\system32\drivers\Lbd.sys
     .
     .
     (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ThpSrv"="thpsrv" [X]
     "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
     "RTHDCPL"="RTHDCPL.EXE" [2006-05-09 16207360]
     "00THotkey"="c:\windows\system32\00THotkey.exe" [2006-04-25 253952]
     "000StTHK"="000StTHK.exe" [2001-06-23 24576]
     "DpUtil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-29 155648]
     "TPSMain"="TPSMain.exe" [2006-04-25 315392]
     "TPSODDCtl"="TPSODDCtl.exe" [2006-04-25 110592]
     "TFncKy"="TFncKy.exe" [BU]
     "TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
     "PINGER"="c:\toshiba\IVP\ISM\pinger.exe" [2005-03-18 151552]
     "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
     "TFNF5"="TFNF5.exe" [2006-04-10 622592]
     "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
     "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-5-20 155648]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
     2006-05-06 00:48    40448    ----a-w-    c:\windows\system32\psqlpwd.dll
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
     @=""
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
     @="Service"
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
     @=""
     .
     [HKLM\~\startupfolder\C:^Documents and Settings^Sam Mogilensky^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
     backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
     HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search
     HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box
     HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
     HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
     2010-09-21 18:37    932288    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
     2011-01-22 05:05    40368    ----a-w-    c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
     2006-06-30 12:32    89541    ----a-w-    c:\windows\agrsmmsg.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
     2005-05-04 01:43    69632    ----a-w-    c:\windows\Alcmtr.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
     2008-02-15 17:46    159744    ----a-w-    c:\windows\system32\hkcmd.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
     2008-02-15 17:46    135168    ----a-w-    c:\windows\system32\igfxtray.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
     2008-02-15 17:46    131072    ----a-w-    c:\windows\system32\igfxpers.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
     2006-05-06 00:36    30208    ----a-w-    c:\program files\Protector Suite QL\launcher.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
     2009-01-05 21:18    413696    ----a-w-    c:\program files\QuickTime\QTTask.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
     2006-04-24 22:20    1448960    ----a-w-    c:\windows\SkyTel.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
     2009-10-11 09:17    149280    ----a-w-    c:\program files\Java\jre6\bin\jusched.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMERzCtl.EXE]
     2006-02-23 00:41    86016    ----a-w-    c:\program files\Toshiba\TME3\TMERzCtl.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMESRV.EXE]
     2005-12-14 19:00    126976    ----a-w-    c:\program files\Toshiba\TME3\TMESRV31.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
     "gusvc"=3 (0x3)
     "FastUserSwitchingCompatibility"=3 (0x3)
     "WMPNetworkSvc"=3 (0x3)
     "SSDPSRV"=3 (0x3)
     "seclogon"=3 (0x3)
     "RemoteRegistry"=2 (0x2)
     "RDSessMgr"=3 (0x3)
     "iPod Service"=3 (0x3)
     "ERSvc"=3 (0x3)
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
     "DisableMonitoring"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
     "DisableMonitoring"=dword:00000001
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
     "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
     "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
     "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
     "c:\\Program Files\\AIM\\aim.exe"=
     "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
     "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
     "c:\\Program Files\\Azureus\\Azureus.exe"=
     .
     R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/25/2009 3:46 PM 64512]
     R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [12/28/2004 2:31 AM 16384]
     R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [5/20/2006 2:20 PM 6144]
     R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [5/20/2006 2:21 PM 5888]
     R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 9:00 PM 13568]
     R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 8:59 PM 33024]
     R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 8:33 PM 3456]
     R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [5/20/2006 2:21 PM 126976]
     R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [5/20/2006 1:49 PM 35968]
     S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4/29/2011 12:11 PM 2146496]
     S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [4/29/2011 12:11 PM 15232]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     getPlusHelper    REG_MULTI_SZ    getPlusHelper
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2011-05-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
     - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-29 15:14]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     IE: Google Sidewiki...
     Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
     FF - ProfilePath - c:\documents and settings\Sam Mogilensky\Application Data\Mozilla\Firefox\Profiles\zs2vu2sc.default\
     FF - prefs.js: browser.search.selectedEngine - Google
     FF - prefs.js: browser.startup.homepage - hxxp://www.washingtonpost.com/
     FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
     FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
     FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
     FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
     FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
     FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
     FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
     FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
     .
     - - - - ORPHANS REMOVED - - - -
     .
     Toolbar-Locked - (no file)
     WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
     .
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2011-05-05 00:00
     Windows 5.1.2600 Service Pack 2 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     .
     - - - - - - - > 'winlogon.exe'(732)
     c:\windows\system32\vrlogon.dll
     c:\windows\system32\psqlpwd.dll
     c:\program files\Protector Suite QL\infra.dll
     c:\program files\Protector Suite QL\homefus2.dll
     c:\windows\system32\biologon.dll
     c:\program files\Protector Suite QL\homepass.dll
     c:\program files\Protector Suite QL\bio.dll
     c:\program files\Protector Suite QL\remote.dll
     c:\program files\Protector Suite QL\crypto.dll
     c:\program files\Protector Suite QL\biokmd.dll
     .
     - - - - - - - > 'explorer.exe'(1168)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\program files\Protector Suite QL\mysafe.dll
     c:\program files\Protector Suite QL\infra.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     c:\windows\system32\TPwrCfg.DLL
     c:\windows\system32\TPwrReg.dll
     c:\windows\system32\TPSTrace.DLL
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Intel\Wireless\Bin\EvtEng.exe
     c:\program files\Intel\Wireless\Bin\S24EvMon.exe
     c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
     c:\windows\system32\DVDRAMSV.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Intel\Wireless\Bin\RegSrvc.exe
     c:\toshiba\IVP\swupdate\swupdtmr.exe
     c:\windows\system32\ThpSrv.exe
     c:\program files\TOSHIBA\TME3\TMEEJME.EXE
     c:\windows\system32\wbem\wmiapsrv.exe
     c:\windows\system32\wscntfy.exe
     c:\windows\RTHDCPL.EXE
     c:\windows\system32\TPSMain.exe
     c:\windows\system32\thpsrv.exe
     c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
     c:\windows\system32\TFNF5.exe
     c:\windows\system32\TPSBattM.exe
     c:\windows\system32\igfxext.exe
     c:\windows\system32\igfxsrvc.exe
     c:\program files\Apoint2K\Apntex.exe
     .
     **************************************************************************
     .
     Completion time: 2011-05-05  00:08:59 - machine was rebooted
     ComboFix-quarantined-files.txt  2011-05-05 04:08
     .
     Pre-Run: 44,964,151,296 bytes free
     Post-Run: 45,569,208,320 bytes free
     .
     WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     UnsupportedDebug="do not select this" /debug
     multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg
     .
     - - End Of File - - 7D296026CD59C96B9D4336C35751B189
  3. I ran aswMBR. After the scan, I clicked "Fix". It said the problem was fixed, and it was verifying. At that point my computer crashed. I had to manually shut down and reboot. As a precaution, I disabled AdAware AdWatch Live and Spybot S+D Tea Timer this time just in case they were interfering with aswMBR. I ran aswMBR again and the second time it did not report any problems. Here is the log file for the second scan:

     aswMBR version 0.9.5.247 Copyright© 2011 AVAST Software
     Run date: 2011-05-04 09:29:05
     -----------------------------
     09:29:05.984  OS Version: Windows 5.1.2600 Service Pack 2
     09:29:05.984  Number of processors: 2 586 0xF02
     09:29:05.984  ComputerName: SAMMYMO  UserName:
     09:29:06.484  Initialize success
     09:29:43.062  Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
     09:29:43.062  Disk 0 Vendor: FUJITSU_MHV2100BH_PL 0000002A Size: 95396MB BusType: 3
     09:29:45.093  Disk 0 MBR read successfully
     09:29:45.093  Disk 0 MBR scan
     09:29:45.093  Disk 0 Windows XP default MBR code
     09:29:47.093  Disk 0 scanning sectors +195366465
     09:29:47.140  Disk 0 scanning C:\WINDOWS\system32\drivers
     09:29:52.437  Service scanning
     09:29:54.171  Disk 0 trace - called modules:
     09:29:54.187  ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys atapi.sys pciide.sys
     09:29:54.203  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89ba3ab8]
     09:29:54.203  3 CLASSPNP.SYS[f765805b] -> nt!IofCallDriver -> \Device\THPDRV[0x89b63908]
     09:29:54.203  5 thpdrv.sys[f768971d] -> nt!IofCallDriver -> \Device\00000082[0x89b66490]
     09:29:54.203  7 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89b94940]
     09:29:54.218  Scan finished successfully
     09:30:27.687  Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Sam Mogilensky\Desktop\MBR.dat"
     09:30:27.687  The log file has been saved successfully to "C:\Documents and Settings\Sam Mogilensky\Desktop\aswMBR2.txt"

     DDS logs:
     Attach2.zip
     DDS2.zip
  4. Virustotal results for MBR.dat: http://www.virustotal.com/file-scan/report.html?id=8638a15fcf145f0c8ec6e937c083845819302c5d0cb7225313af5ab2b396a7bd-1304476458

     Virustotal results for MBRbckp.dat: http://www.virustotal.com/file-scan/report.html?id=c6eb7abbb3b023e2869ec3cd8a889966040018837e257ea64c96aece299d520f-1304476193

     MBR.zip
     MBRbckp.zip
  5. aswMBR version 0.9.5.247 Copyright© 2011 AVAST Software
     Run date: 2011-05-03 10:14:05
     -----------------------------
     10:14:05.078  OS Version: Windows 5.1.2600 Service Pack 2
     10:14:05.093  Number of processors: 2 586 0xF02
     10:14:05.125  ComputerName: SAMMYMO  UserName:
     10:14:08.890  Initialize success
     10:14:13.734  Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
     10:14:13.734  Disk 0 Vendor: FUJITSU_MHV2100BH_PL 0000002A Size: 95396MB BusType: 3
     10:14:13.734  Device \Driver\atapi -> DriverStartIo 89b3533b
     10:14:15.734  Disk 0 MBR read successfully
     10:14:15.765  Disk 0 MBR scan
     10:14:15.765  Disk 0 TDL4@MBR code has been found
     10:14:15.781  Disk 0 Windows XP default MBR code found via API
     10:14:15.796  Disk 0 MBR hidden
     10:14:15.796  Disk 0 MBR [TDL4] **ROOTKIT**
     10:14:15.812  Disk 0 trace - called modules:
     10:14:15.812  ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x89b354f0]<<
     10:14:15.812  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bb4ab8]
     10:14:15.828  3 CLASSPNP.SYS[f765805b] -> nt!IofCallDriver -> \Device\THPDRV[0x89b46908]
     10:14:15.828  5 thpdrv.sys[f768971d] -> nt!IofCallDriver -> \Device\00000082[0x89b49490]
     10:14:16.312  7 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x89b9f940]
     10:14:16.343  \Driver\atapi[0x89b6a030] -> IRP_MJ_CREATE -> 0x89b354f0
     10:14:16.375  Scan finished successfully
     10:14:26.734  Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Sam Mogilensky\Desktop\MBR.dat"
     10:14:26.750  The log file has been saved successfully to "C:\Documents and Settings\Sam Mogilensky\Desktop\aswMBR.txt"

     MBRCheck, version 1.2.3
     © 2010, AD
     Command-line:
     Windows Version: Windows XP Professional
     Windows Information: Service Pack 2 (build 2600)
     Logical Drives Mask: 0x0000000c

     Kernel Drivers (total 153):
     0x804D7000 \WINDOWS\system32\ntoskrnl.exe
     0x806FF000 \WINDOWS\system32\hal.dll
     0x89AF5000 \WINDOWS\system32\KDCOM.DLL
     0xF789B000 \WINDOWS\system32\BOOTVID.dll
     0xF75A8000 ACPI.sys
     0xF7987000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
     0xF7597000 pci.sys
     0xF75F7000 isapnp.sys
     0xF7607000 ohci1394.sys
     0xF7617000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
     0xF789F000 compbatt.sys
     0xF78A3000 \WINDOWS\system32\DRIVERS\BATTC.SYS
     0xF7A4F000 pciide.sys
     0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
     0xF74D9000 pcmcia.sys
     0xF7627000 MountMgr.sys
     0xF74BA000 ftdisk.sys
     0xF7989000 dmload.sys
     0xF7494000 dmio.sys
     0xF770F000 PartMgr.sys
     0xF7637000 VolSnap.sys
     0xF747C000 atapi.sys
     0xF7647000 disk.sys
     0xF7657000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
     0xF745C000 fltMgr.sys
     0xF744A000 sr.sys
     0xF7667000 Lbd.sys
     0xF7871000 DRVMCDB.SYS
     0xF7677000 PxHelp20.sys
     0xF785A000 KSecDD.sys
     0xF7847000 WudfPf.sys
     0xF7B52000 Ntfs.sys
     0xF795A000 NDIS.sys
     0xF7717000 TVALZ.SYS
     0xF798B000 Thpevm.SYS
     0xF7687000 thpdrv.sys
     0xF782C000 Mup.sys
     0xF76B7000 \SystemRoot\system32\DRIVERS\nic1394.sys
     0xBA13E000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
     0xBA12A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
     0xBA105000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
     0xB9F64000 \SystemRoot\system32\DRIVERS\NETw3x32.sys
     0xF77B7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
     0xB9F41000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
     0xF77E7000 \SystemRoot\system32\DRIVERS\usbehci.sys
     0xB9F2E000 \SystemRoot\system32\DRIVERS\sdbus.sys
     0xF7527000 \SystemRoot\system32\DRIVERS\i8042prt.sys
     0xF7817000 \SystemRoot\system32\DRIVERS\kbdclass.sys
     0xB9F15000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
     0xF775F000 \SystemRoot\system32\DRIVERS\mouclass.sys
     0xF7517000 \SystemRoot\system32\DRIVERS\IFXTPM.SYS
     0xF7507000 \SystemRoot\system32\DRIVERS\serial.sys
     0xBA7FC000 \SystemRoot\system32\DRIVERS\serenum.sys
     0xB9F01000 \SystemRoot\system32\DRIVERS\parport.sys
     0xF74F7000 \SystemRoot\system32\DRIVERS\imapi.sys
     0xF7997000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
     0xF743A000 \SystemRoot\system32\DRIVERS\cdrom.sys
     0xF742A000 \SystemRoot\system32\DRIVERS\redbook.sys
     0xB9EDE000 \SystemRoot\system32\DRIVERS\ks.sys
     0xBA7E8000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
     0xBA7DC000 \SystemRoot\system32\DRIVERS\tosrfec.sys
     0xBA7D4000 \SystemRoot\system32\DRIVERS\CmBatt.sys
     0xF741A000 \SystemRoot\system32\DRIVERS\intelppm.sys
     0xF7AAD000 \SystemRoot\system32\DRIVERS\audstub.sys
     0xF740A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
     0xBA7CC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
     0xB9EC7000 \SystemRoot\system32\DRIVERS\ndiswan.sys
     0xF7887000 \SystemRoot\system32\DRIVERS\raspppoe.sys
     0xBA764000 \SystemRoot\system32\DRIVERS\raspptp.sys
     0xF7757000 \SystemRoot\system32\DRIVERS\TDI.SYS
     0xB9DEE000 \SystemRoot\system32\DRIVERS\psched.sys
     0xBA754000 \SystemRoot\system32\DRIVERS\msgpc.sys
     0xF7787000 \SystemRoot\system32\DRIVERS\ptilink.sys
     0xF7797000 \SystemRoot\system32\DRIVERS\raspti.sys
     0xB9DBD000 \SystemRoot\system32\DRIVERS\rdpdr.sys
     0xBA744000 \SystemRoot\system32\DRIVERS\termdd.sys
     0xF799F000 \SystemRoot\system32\DRIVERS\swenum.sys
     0xB9D64000 \SystemRoot\system32\DRIVERS\update.sys
     0xBA7A4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
     0xBA79C000 \SystemRoot\system32\DRIVERS\tbiosdrv.sys
     0xBA724000 \SystemRoot\System32\Drivers\NDProxy.SYS
     0xA9841000 \SystemRoot\system32\drivers\RtkHDAud.sys
     0xA981F000 \SystemRoot\system32\drivers\portcls.sys
     0xBA714000 \SystemRoot\system32\drivers\drmk.sys
     0xA9703000 \SystemRoot\system32\DRIVERS\AGRSM.sys
     0xF79AF000 \SystemRoot\system32\DRIVERS\USBD.SYS
     0xF7807000 \SystemRoot\System32\Drivers\Modem.SYS
     0xBA6F4000 \SystemRoot\system32\DRIVERS\usbhub.sys
     0xF79B3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
     0xF7A62000 \SystemRoot\System32\Drivers\Null.SYS
     0xF79B7000 \SystemRoot\System32\Drivers\Beep.SYS
     0xF779F000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
     0xF77AF000 \SystemRoot\System32\drivers\vga.sys
     0xF79BB000 \SystemRoot\System32\Drivers\mnmdd.SYS
     0xF79BF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
     0xA9652000 \SystemRoot\System32\Drivers\meiudf.sys
     0xA9641000 \SystemRoot\System32\Drivers\Udfs.SYS
     0xF77F7000 \SystemRoot\System32\Drivers\Msfs.SYS
     0xA96FB000 \SystemRoot\System32\Drivers\Npfs.SYS
     0xA9C9C000 \SystemRoot\system32\DRIVERS\rasacd.sys
     0xA962E000 \SystemRoot\system32\DRIVERS\ipsec.sys
     0xA95D6000 \SystemRoot\system32\DRIVERS\tcpip.sys
     0xA95AE000 \SystemRoot\system32\DRIVERS\netbt.sys
     0xA958D000 \SystemRoot\system32\DRIVERS\ipnat.sys
     0xBA6E4000 \SystemRoot\system32\DRIVERS\wanarp.sys
     0xA950C000 \SystemRoot\System32\vsdatant.sys
     0xF76C7000 \SystemRoot\system32\DRIVERS\arp1394.sys
     0xA96C3000 \SystemRoot\System32\Drivers\tcusb.sys
     0xA944A000 \SystemRoot\System32\drivers\afd.sys
     0xF7557000 \SystemRoot\system32\DRIVERS\netbios.sys
     0xF79C7000 \SystemRoot\System32\Drivers\TMEI3E.SYS
     0xA93F7000 \SystemRoot\system32\DRIVERS\rdbss.sys
     0xA9388000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
     0xF780F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
     0xF7537000 \SystemRoot\System32\Drivers\Fips.SYS
     0xA9370000 \SystemRoot\System32\Drivers\dump_atapi.sys
     0xF79EF000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
     0xBF800000 \SystemRoot\System32\win32k.sys
     0xA9CA0000 \SystemRoot\System32\drivers\Dxapi.sys
     0xF781F000 \SystemRoot\System32\watchdog.sys
     0xBF000000 \SystemRoot\System32\drivers\dxg.sys
     0xBA776000 \SystemRoot\System32\drivers\dxgthk.sys
     0xBF024000 \SystemRoot\System32\igxpgd32.dll
     0xBF012000 \SystemRoot\System32\igxprd32.dll
     0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
     0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
     0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
     0xA929A000 \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys
     0xA9C94000 \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys
     0xA928A000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
     0xF7A75000 \SystemRoot\System32\DLA\DLADResN.SYS
     0xA9184000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
     0xF793F000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
     0xF79C3000 \SystemRoot\System32\DLA\DLAPoolM.SYS
     0xF7A79000 \??\C:\Program Files\Protector Suite QL\smihlp.sys
     0xA96F3000 \SystemRoot\System32\DLA\DLABOIOM.SYS
     0xA916C000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
     0xA9156000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
     0xF77DF000 \SystemRoot\system32\DRIVERS\AegisP.sys
     0xA91CA000 \SystemRoot\system32\DRIVERS\s24trans.sys
     0xA9122000 \SystemRoot\system32\DRIVERS\ndisuio.sys
     0xA911A000 \SystemRoot\system32\DRIVERS\netdevio.sys
     0xA8BF1000 \SystemRoot\system32\drivers\wdmaud.sys
     0xA8DFE000 \SystemRoot\system32\drivers\sysaudio.sys
     0xA8AAF000 \SystemRoot\system32\DRIVERS\mrxdav.sys
     0xF79CD000 \SystemRoot\System32\Drivers\ParVdm.SYS
     0xA8940000 \SystemRoot\system32\DRIVERS\srv.sys
     0xA7620000 \SystemRoot\system32\DRIVERS\hidusb.sys
     0xA78E8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
     0xA7658000 \SystemRoot\system32\DRIVERS\mouhid.sys
     0xA73DD000 \SystemRoot\system32\drivers\kmixer.sys
     0xA7828000 \??\C:\DOCUME~1\SAMMOG~1\LOCALS~1\Temp\aswMBR.sys
     0x7C900000 \WINDOWS\system32\ntdll.dll

     Processes (total 52):
        0 System Idle Process
        4 System
      648 C:\WINDOWS\system32\smss.exe
      708 csrss.exe
      732 C:\WINDOWS\system32\winlogon.exe
      784 C:\WINDOWS\system32\services.exe
      796 C:\WINDOWS\system32\lsass.exe
      992 C:\WINDOWS\system32\svchost.exe
     1076 svchost.exe
     1120 C:\WINDOWS\system32\svchost.exe
     1176 C:\WINDOWS\system32\svchost.exe
     1280 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
     1388 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
     1500 svchost.exe
     1552 svchost.exe
     1708 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      288 C:\WINDOWS\explorer.exe
      184 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
     1648 C:\WINDOWS\system32\spoolsv.exe
      508 svchost.exe
      560 C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
      596 C:\WINDOWS\system32\DVDRAMSV.exe
      664 C:\Program Files\Java\jre6\bin\jqs.exe
      124 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
     1328 C:\WINDOWS\system32\svchost.exe
     1528 C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
      352 C:\WINDOWS\system32\ThpSrv.exe
     1812 C:\Program Files\Toshiba\TME3\TMESRV31.exe
     2084 C:\Program Files\Toshiba\TME3\TMEEJME.exe
     2520 C:\WINDOWS\system32\wbem\wmiapsrv.exe
     2632 unsecapp.exe
     2896 wmiprvse.exe
     2916 alg.exe
     3436 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
     3648 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
     3664 C:\WINDOWS\RTHDCPL.exe
     3688 C:\WINDOWS\system32\00THotkey.exe
     3712 C:\Program Files\Toshiba\DualPointUtility\TEDTray.exe
     3720 C:\WINDOWS\system32\TPSMain.exe
     3740 C:\WINDOWS\system32\ThpSrv.exe
     3764 C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
     3788 C:\Program Files\Apoint2K\Apoint.exe
     3832 C:\WINDOWS\system32\TFNF5.exe
     3840 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
     3872 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
     3884 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     3928 C:\WINDOWS\system32\RAMASST.exe
     2124 C:\WINDOWS\system32\TPSBattM.exe
     2436 C:\WINDOWS\system32\igfxext.exe
     1992 C:\WINDOWS\system32\igfxsrvc.exe
     3156 C:\Program Files\Apoint2K\ApntEx.exe
     4088 C:\Documents and Settings\Sam Mogilensky\Desktop\MBRCheck.exe

     \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

     PhysicalDrive0 Model Number: FUJITSUMHV2100BHPL, Rev: 0000002A

           Size  Device Name          MBR Status
     --------------------------------------------
          93 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
                 SHA1: 31D100779DE502702C374F7C15687B56FCFD5528

     Done!

     CKScanner - Additional Security Risks - These are not necessarily bad
     c:\program files\microsoft directx sdk (november 2008)\samples\c++\direct3d\uvatlas\crackdecl.cpp
     c:\program files\microsoft directx sdk (november 2008)\samples\c++\direct3d\uvatlas\crackdecl.h
     c:\program files\mount&blade\sounds\fire_small_crackle_slick_op.ogg
     c:\program files\toshiba games\bejeweled 2 deluxe\sounds\firecrackle.ogg
     scanner sequence 3.CA.11
     ----- EOF -----
  6. 1. aswMBR log:

     aswMBR version 0.9.5.247 Copyright© 2011 AVAST Software
     Run date: 2011-05-03 10:14:05
     -----------------------------
     10:14:05.078  OS Version: Windows 5.1.2600 Service Pack 2
     10:14:05.093  Number of processors: 2 586 0xF02
     10:14:05.125  ComputerName: SAMMYMO  UserName:
     10:14:08.890  Initialize success
     10:14:13.734  Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
     10:14:13.734  Disk 0 Vendor: FUJITSU_MHV2100BH_PL 0000002A Size: 95396MB BusType: 3
     10:14:13.734  Device \Driver\atapi -> DriverStartIo 89b3533b
     10:14:15.734  Disk 0 MBR read successfully
     10:14:15.765  Disk 0 MBR scan
     10:14:15.765  Disk 0 TDL4@MBR code has been found
     10:14:15.781  Disk 0 Windows XP default MBR code found via API
     10:14:15.796  Disk 0 MBR hidden
     10:14:15.796  Disk 0 MBR [TDL4] **ROOTKIT**
     10:14:15.812  Disk 0 trace - called modules:
     10:14:15.812  ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x89b354f0]<<
     10:14:15.812  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bb4ab8]
     10:14:15.828  3 CLASSPNP.SYS[f765805b] -> nt!IofCallDriver -> \Device\THPDRV[0x89b46908]
     10:14:15.828  5 thpdrv.sys[f768971d] -> nt!IofCallDriver -> \Device\00000082[0x89b49490]
     10:14:16.312  7 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x89b9f940]
     10:14:16.343  \Driver\atapi[0x89b6a030] -> IRP_MJ_CREATE -> 0x89b354f0
     10:14:16.375  Scan finished successfully
     10:14:26.734  Disk 0 MBR has been saved successfully to "C:\Documents and Settings\XXXXX\Desktop\MBR.dat" (edited to remove name)
     10:14:26.750  The log file has been saved successfully to "C:\Documents and Settings\XXXXX\Desktop\aswMBR.txt" (edited to remove name)

     2. MBRCheck log:

     MBRCheck, version 1.2.3
     © 2010, AD
     Command-line:
     Windows Version: Windows XP Professional
     Windows Information: Service Pack 2 (build 2600)
     Logical Drives Mask: 0x0000000c

     Kernel Drivers (total 153):
     0x804D7000 \WINDOWS\system32\ntoskrnl.exe
     0x806FF000 \WINDOWS\system32\hal.dll
     0x89AF5000 \WINDOWS\system32\KDCOM.DLL
     0xF789B000 \WINDOWS\system32\BOOTVID.dll
     0xF75A8000 ACPI.sys
     0xF7987000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
     0xF7597000 pci.sys
     0xF75F7000 isapnp.sys
     0xF7607000 ohci1394.sys
     0xF7617000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
     0xF789F000 compbatt.sys
     0xF78A3000 \WINDOWS\system32\DRIVERS\BATTC.SYS
     0xF7A4F000 pciide.sys
     0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
     0xF74D9000 pcmcia.sys
     0xF7627000 MountMgr.sys
     0xF74BA000 ftdisk.sys
     0xF7989000 dmload.sys
     0xF7494000 dmio.sys
     0xF770F000 PartMgr.sys
     0xF7637000 VolSnap.sys
     0xF747C000 atapi.sys
     0xF7647000 disk.sys
     0xF7657000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
     0xF745C000 fltMgr.sys
     0xF744A000 sr.sys
     0xF7667000 Lbd.sys
     0xF7871000 DRVMCDB.SYS
     0xF7677000 PxHelp20.sys
     0xF785A000 KSecDD.sys
     0xF7847000 WudfPf.sys
     0xF7B52000 Ntfs.sys
     0xF795A000 NDIS.sys
     0xF7717000 TVALZ.SYS
     0xF798B000 Thpevm.SYS
     0xF7687000 thpdrv.sys
     0xF782C000 Mup.sys
     0xF76B7000 \SystemRoot\system32\DRIVERS\nic1394.sys
     0xBA13E000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
     0xBA12A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
     0xBA105000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
     0xB9F64000 \SystemRoot\system32\DRIVERS\NETw3x32.sys
     0xF77B7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
     0xB9F41000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
     0xF77E7000 \SystemRoot\system32\DRIVERS\usbehci.sys
     0xB9F2E000 \SystemRoot\system32\DRIVERS\sdbus.sys
     0xF7527000 \SystemRoot\system32\DRIVERS\i8042prt.sys
     0xF7817000 \SystemRoot\system32\DRIVERS\kbdclass.sys
     0xB9F15000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
     0xF775F000 \SystemRoot\system32\DRIVERS\mouclass.sys
     0xF7517000 \SystemRoot\system32\DRIVERS\IFXTPM.SYS
     0xF7507000 \SystemRoot\system32\DRIVERS\serial.sys
     0xBA7FC000 \SystemRoot\system32\DRIVERS\serenum.sys
     0xB9F01000 \SystemRoot\system32\DRIVERS\parport.sys
     0xF74F7000 \SystemRoot\system32\DRIVERS\imapi.sys
     0xF7997000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
     0xF743A000 \SystemRoot\system32\DRIVERS\cdrom.sys
     0xF742A000 \SystemRoot\system32\DRIVERS\redbook.sys
     0xB9EDE000 \SystemRoot\system32\DRIVERS\ks.sys
     0xBA7E8000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
     0xBA7DC000 \SystemRoot\system32\DRIVERS\tosrfec.sys
     0xBA7D4000 \SystemRoot\system32\DRIVERS\CmBatt.sys
     0xF741A000 \SystemRoot\system32\DRIVERS\intelppm.sys
     0xF7AAD000 \SystemRoot\system32\DRIVERS\audstub.sys
     0xF740A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
     0xBA7CC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
     0xB9EC7000 \SystemRoot\system32\DRIVERS\ndiswan.sys
     0xF7887000 \SystemRoot\system32\DRIVERS\raspppoe.sys
     0xBA764000 \SystemRoot\system32\DRIVERS\raspptp.sys
     0xF7757000 \SystemRoot\system32\DRIVERS\TDI.SYS
     0xB9DEE000 \SystemRoot\system32\DRIVERS\psched.sys
     0xBA754000 \SystemRoot\system32\DRIVERS\msgpc.sys
     0xF7787000 \SystemRoot\system32\DRIVERS\ptilink.sys
     0xF7797000 \SystemRoot\system32\DRIVERS\raspti.sys
     0xB9DBD000 \SystemRoot\system32\DRIVERS\rdpdr.sys
     0xBA744000 \SystemRoot\system32\DRIVERS\termdd.sys
     0xF799F000 \SystemRoot\system32\DRIVERS\swenum.sys
     0xB9D64000 \SystemRoot\system32\DRIVERS\update.sys
     0xBA7A4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
     0xBA79C000 \SystemRoot\system32\DRIVERS\tbiosdrv.sys
     0xBA724000 \SystemRoot\System32\Drivers\NDProxy.SYS
     0xA9841000 \SystemRoot\system32\drivers\RtkHDAud.sys
     0xA981F000 \SystemRoot\system32\drivers\portcls.sys
     0xBA714000 \SystemRoot\system32\drivers\drmk.sys
     0xA9703000 \SystemRoot\system32\DRIVERS\AGRSM.sys
     0xF79AF000 \SystemRoot\system32\DRIVERS\USBD.SYS
     0xF7807000 \SystemRoot\System32\Drivers\Modem.SYS
     0xBA6F4000 \SystemRoot\system32\DRIVERS\usbhub.sys
     0xF79B3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
     0xF7A62000 \SystemRoot\System32\Drivers\Null.SYS
     0xF79B7000 \SystemRoot\System32\Drivers\Beep.SYS
     0xF779F000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
     0xF77AF000 \SystemRoot\System32\drivers\vga.sys
     0xF79BB000 \SystemRoot\System32\Drivers\mnmdd.SYS
     0xF79BF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
     0xA9652000 \SystemRoot\System32\Drivers\meiudf.sys
     0xA9641000 \SystemRoot\System32\Drivers\Udfs.SYS
     0xF77F7000 \SystemRoot\System32\Drivers\Msfs.SYS
     0xA96FB000 \SystemRoot\System32\Drivers\Npfs.SYS
     0xA9C9C000 \SystemRoot\system32\DRIVERS\rasacd.sys
     0xA962E000 \SystemRoot\system32\DRIVERS\ipsec.sys
     0xA95D6000 \SystemRoot\system32\DRIVERS\tcpip.sys
     0xA95AE000 \SystemRoot\system32\DRIVERS\netbt.sys
     0xA958D000 \SystemRoot\system32\DRIVERS\ipnat.sys
     0xBA6E4000 \SystemRoot\system32\DRIVERS\wanarp.sys
     0xA950C000 \SystemRoot\System32\vsdatant.sys
     0xF76C7000 \SystemRoot\system32\DRIVERS\arp1394.sys
     0xA96C3000 \SystemRoot\System32\Drivers\tcusb.sys
     0xA944A000 \SystemRoot\System32\drivers\afd.sys
     0xF7557000 \SystemRoot\system32\DRIVERS\netbios.sys
     0xF79C7000 \SystemRoot\System32\Drivers\TMEI3E.SYS
     0xA93F7000 \SystemRoot\system32\DRIVERS\rdbss.sys
     0xA9388000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
     0xF780F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
     0xF7537000 \SystemRoot\System32\Drivers\Fips.SYS
     0xA9370000 \SystemRoot\System32\Drivers\dump_atapi.sys
     0xF79EF000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
     0xBF800000 \SystemRoot\System32\win32k.sys
     0xA9CA0000 \SystemRoot\System32\drivers\Dxapi.sys
     0xF781F000 \SystemRoot\System32\watchdog.sys
     0xBF000000 \SystemRoot\System32\drivers\dxg.sys
     0xBA776000 \SystemRoot\System32\drivers\dxgthk.sys
     0xBF024000 \SystemRoot\System32\igxpgd32.dll
     0xBF012000 \SystemRoot\System32\igxprd32.dll
     0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
     0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
     0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
     0xA929A000 \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys
     0xA9C94000 \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys
     0xA928A000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xF7A75000 \SystemRoot\System32\DLA\DLADResN.SYS 0xA9184000 \SystemRoot\System32\DLA\DLAIFS_M.SYS 0xF793F000 \SystemRoot\System32\DLA\DLAOPIOM.SYS 0xF79C3000 \SystemRoot\System32\DLA\DLAPoolM.SYS 0xF7A79000 \??\C:\Program Files\Protector Suite QL\smihlp.sys 0xA96F3000 \SystemRoot\System32\DLA\DLABOIOM.SYS 0xA916C000 \SystemRoot\System32\DLA\DLAUDFAM.SYS 0xA9156000 \SystemRoot\System32\DLA\DLAUDF_M.SYS 0xF77DF000 \SystemRoot\system32\DRIVERS\AegisP.sys 0xA91CA000 \SystemRoot\system32\DRIVERS\s24trans.sys 0xA9122000 \SystemRoot\system32\DRIVERS\ndisuio.sys 0xA911A000 \SystemRoot\system32\DRIVERS\netdevio.sys 0xA8BF1000 \SystemRoot\system32\drivers\wdmaud.sys 0xA8DFE000 \SystemRoot\system32\drivers\sysaudio.sys 0xA8AAF000 \SystemRoot\system32\DRIVERS\mrxdav.sys 0xF79CD000 \SystemRoot\System32\Drivers\ParVdm.SYS 0xA8940000 \SystemRoot\system32\DRIVERS\srv.sys 0xA7620000 \SystemRoot\system32\DRIVERS\hidusb.sys 0xA78E8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS 0xA7658000 \SystemRoot\system32\DRIVERS\mouhid.sys 0xA73DD000 \SystemRoot\system32\drivers\kmixer.sys 0xA7828000 \??\C:\DOCUME~1\SAMMOG~1\LOCALS~1\Temp\aswMBR.sys 0x7C900000 \WINDOWS\system32\ntdll.dll Processes (total 52): 0 System Idle Process 4 System 648 C:\WINDOWS\system32\smss.exe 708 csrss.exe 732 C:\WINDOWS\system32\winlogon.exe 784 C:\WINDOWS\system32\services.exe 796 C:\WINDOWS\system32\lsass.exe 992 C:\WINDOWS\system32\svchost.exe 1076 svchost.exe 1120 C:\WINDOWS\system32\svchost.exe 1176 C:\WINDOWS\system32\svchost.exe 1280 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe 1388 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe 1500 svchost.exe 1552 svchost.exe 1708 C:\WINDOWS\system32\ZoneLabs\vsmon.exe 288 C:\WINDOWS\explorer.exe 184 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe 1648 C:\WINDOWS\system32\spoolsv.exe 508 svchost.exe 560 C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe 596 C:\WINDOWS\system32\DVDRAMSV.exe 664 C:\Program Files\Java\jre6\bin\jqs.exe 124 C:\Program 
Files\Intel\Wireless\Bin\RegSrvc.exe 1328 C:\WINDOWS\system32\svchost.exe 1528 C:\TOSHIBA\IVP\swupdate\swupdtmr.exe 352 C:\WINDOWS\system32\ThpSrv.exe 1812 C:\Program Files\Toshiba\TME3\TMESRV31.exe 2084 C:\Program Files\Toshiba\TME3\TMEEJME.exe 2520 C:\WINDOWS\system32\wbem\wmiapsrv.exe 2632 unsecapp.exe 2896 wmiprvse.exe 2916 alg.exe 3436 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe 3648 C:\WINDOWS\system32\DLA\DLACTRLW.EXE 3664 C:\WINDOWS\RTHDCPL.exe 3688 C:\WINDOWS\system32\00THotkey.exe 3712 C:\Program Files\Toshiba\DualPointUtility\TEDTray.exe 3720 C:\WINDOWS\system32\TPSMain.exe 3740 C:\WINDOWS\system32\ThpSrv.exe 3764 C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe 3788 C:\Program Files\Apoint2K\Apoint.exe 3832 C:\WINDOWS\system32\TFNF5.exe 3840 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe 3872 C:\Program Files\DivX\DivX Update\DivXUpdate.exe 3884 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe 3928 C:\WINDOWS\system32\RAMASST.exe 2124 C:\WINDOWS\system32\TPSBattM.exe 2436 C:\WINDOWS\system32\igfxext.exe 1992 C:\WINDOWS\system32\igfxsrvc.exe 3156 C:\Program Files\Apoint2K\ApntEx.exe 4088 C:\Documents and Settings\XXXXX\Desktop\MBRCheck.exe (edited to remove name) \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS) PhysicalDrive0 Model Number: FUJITSUMHV2100BHPL, Rev: 0000002A Size Device Name MBR Status -------------------------------------------- 93 GB \\.\PhysicalDrive0 Windows XP MBR code detected SHA1: 31D100779DE502702C374F7C15687B56FCFD5528 Done! 3. ckfiles.txt: CKScanner - Additional Security Risks - These are not necessarily bad c:\program files\microsoft directx sdk (november 2008)\samples\c++\direct3d\uvatlas\crackdecl.cpp c:\program files\microsoft directx sdk (november 2008)\samples\c++\direct3d\uvatlas\crackdecl.h c:\program files\mount&blade\sounds\fire_small_crackle_slick_op.ogg c:\program files\toshiba games\bejeweled 2 deluxe\sounds\firecrackle.ogg scanner sequence 3.CA.11 ----- EOF -----
  7. I'm infected with the channel1reports.com virus. Anti-malware scans with MBAM, Spybot S+D, and Lavasoft AdAware did not remove it. I followed the directions for using GMER Rootkit Scanner. Resulting logs are posted/attached. MBAM log: Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6481 Windows 5.1.2600 Service Pack 2 Internet Explorer 8.0.6001.18702 5/1/2011 1:33:42 AM mbam-log-2011-05-01 (01-33-42).txt Scan type: Full scan (C:\|) Objects scanned: 239837 Time elapsed: 1 hour(s), 35 minute(s), 39 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) DDS log: . DDS (Ver_11-03-05.01) - NTFSx86 Run by Sam Mogilensky at 11:31:01.35 on Mon 05/02/2011 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1322 [GMT -4:00] . AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} FW: ZoneAlarm Firewall *Enabled* . ============== Running Processes =============== . 
C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe svchost.exe svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe -k imgsvc c:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\WINDOWS\system32\ThpSrv.exe C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\00THotkey.exe C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe C:\WINDOWS\system32\TPSMain.exe C:\WINDOWS\system32\thpsrv.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\Program Files\Apoint2K\Apoint.exe C:\WINDOWS\system32\TFNF5.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\DivX\DivX Update\DivXUpdate.exe C:\WINDOWS\system32\RAMASST.exe C:\WINDOWS\system32\igfxext.exe C:\WINDOWS\system32\TPSBattM.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Apoint2K\Apntex.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Documents and Settings\Sam Mogilensky\Desktop\dds.scr . ============== Pseudo HJT Report =============== . 
uStart Page = hxxp://www.google.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie mURLSearchHooks: H - No File mWinlogon: Userinit=c:\windows\system32\userinit.exe BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: {089FD14D-132B-48FC-8861-0048AE113215} - No File BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE mRun: [RTHDCPL] RTHDCPL.EXE mRun: [00THotkey] c:\windows\system32\00THotkey.exe mRun: [000StTHK] 000StTHK.exe mRun: [DpUtil] c:\program files\toshiba\dualpointutility\TEDTray.exe mRun: [TPSMain] TPSMain.exe mRun: [TPSODDCtl] TPSODDCtl.exe mRun: 
[ThpSrv] thpsrv /logon mRun: [TFncKy] TFncKy.exe mRun: [TOSDCR] TOSDCR.EXE mRun: [PINGER] c:\toshiba\ivp\ism\pinger.exe /run mRun: [Apoint] c:\program files\apoint2k\Apoint.exe mRun: [TFNF5] TFNF5.exe mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe IE: Google Sidewiki... IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1240407552625 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - Notify: igfxcui - igfxdev.dll Notify: psfus - psqlpwd.dll SSODL: WPDShServiceObj - 
{AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll LSA: Notification Packages = scecli psqlpwd Hosts: 127.0.0.1 www.spywareinfo.com . ================= FIREFOX =================== . FF - ProfilePath - c:\docume~1\sammog~1\applic~1\mozilla\firefox\profiles\zs2vu2sc.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.washingtonpost.com/ FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q= FF - plugin: c:\documents and settings\sam mogilensky\application data\mozilla\firefox\profiles\zs2vu2sc.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: DivX Plus Web Player 
HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa . ---- FIREFOX POLICIES ---- FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service . ============= SERVICES / DRIVERS =============== . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-25 64512] R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-28 16384] R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-5-20 6144] R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2006-5-20 5888] R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-5-28 532224] R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-5-5 13568] R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-5-5 33024] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-29 2146496] R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-5-5 3456] R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2006-5-20 126976] R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-5-20 35968] S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-29 15232] . =============== Created Last 30 ================ . 2011-05-02 05:01:49 16432 ----a-w- c:\windows\system32\lsdelete.exe . ==================== Find3M ==================== . 2011-05-01 12:03:25 24576 ----a-w- c:\windows\system32\userinit.exe . 
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2100BH_PL rev.0000002A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys
>>UNKNOWN [0x89B064F0]<<
c:\windows\system32\drivers\thpdrv.sys TOSHIBA Corporation TOSHIBA HDD Protection
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89b0c7d0]; MOV EAX, [0x89b0c84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x89BB2AB8]
3 CLASSPNP[0xF765805B] -> nt!IofCallDriver[0x804E13B9] -> \Device\THPDRV[0x89B8F908]
5 thpdrv[0xF768971D] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000082[0x89BB4510]
7 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x89B99940]
\Driver\atapi[0x89BF2F38] -> IRP_MJ_CREATE -> 0x89B064F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89B0633B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:34:23.18 ===============

Attach log and Ark log are attached in .zip format: Attach.zip, ark.zip

Please help!