oldguyfrombay

Members
Posts: 6
Reputation: 0 Neutral
  1. Here you go

     Malwarebytes' Anti-Malware 1.50.1.1100
     www.malwarebytes.org

     Database version: 6559

     Windows 5.1.2600 Service Pack 2
     Internet Explorer 7.0.5730.11

     5/11/2011 11:19:36 PM
     mbam-log-2011-05-11 (23-19-29).txt

     Scan type: Quick scan
     Objects scanned: 231451
     Time elapsed: 14 minute(s), 10 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 3
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
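As an added example (not code from the original post or from Malwarebytes), the following Python parses the "Registry Data Items Infected" entries of the scan log above and reports which Security Center alerts the three flagged values suppress and whether the scan remediated them. The MBAM_LOG sample is copied from the posted log; the meanings attached to the value names are the Windows XP SP2/SP3 Security Center semantics, where a DWORD of 1 turns the corresponding alert off.

```python
import re

# The "Registry Data Items Infected" section from the Malwarebytes log posted
# above (the three Security Center values flagged as PUM.Disabled.SecurityCenter).
MBAM_LOG = r"""
Registry Data Items Infected: 3
Folders Infected: 0

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)
"""

# One MBAM 1.50 registry-data line:
#   <key>\<value name> (<detection>) -> Bad: (<current>) Good: (<expected>) -> <action>.
ITEM_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+(?:\\[^\\]+)+)\\(?P<value>\S+) "
    r"\((?P<detection>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
    r" -> (?P<action>.*?)\.?$"
)
SECTION_RE = re.compile(r"^[A-Za-z ]+ Infected:$")

# XP SP2/SP3 Security Center values: a DWORD of 1 suppresses the balloon alert
# for that component, so the user is not told when AV/firewall/updates are off.
NOTIFY_VALUES = {
    "AntiVirusDisableNotify": "antivirus state alerts",
    "FirewallDisableNotify": "firewall state alerts",
    "UpdatesDisableNotify": "automatic-updates state alerts",
}


def parse_registry_data_items(log_text):
    """Return the parsed entries of the detailed 'Registry Data Items Infected:' section."""
    items, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Registry Data Items Infected:":
            in_section = True
            continue
        if in_section and SECTION_RE.match(line):  # reached the next section
            break
        if in_section:
            m = ITEM_RE.match(line)
            if m:
                items.append(m.groupdict())
    return items


def suppressed_notifications(items):
    """Map each flagged Security Center value to what it hides and whether MBAM fixed it."""
    result = {}
    for it in items:
        if it["detection"] != "PUM.Disabled.SecurityCenter":
            continue
        name = it["value"]
        result[name] = {
            "hides": NOTIFY_VALUES.get(name, "unknown Security Center alert"),
            "current": it["bad"],
            "expected": it["good"],
            "remediated": it["action"] != "No action taken",
        }
    return result


if __name__ == "__main__":
    for name, info in suppressed_notifications(parse_registry_data_items(MBAM_LOG)).items():
        status = "fixed" if info["remediated"] else "still set"
        print(f"{name}: value {info['current']} (expected {info['expected']}) "
              f"hides {info['hides']} [{status}]")
```

Because the scan was run with "No action taken", all three entries report as still set; re-running the scan with removal, or resetting the values to 0, restores the alerts.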
  2. One more update, the Task Manager "blank user names" problem is gone now. So my only remaining questions are about the 3 errors reported in my latest malwarebytes scan, and whether it is safe to re-enable the emulation drivers. Thanks
  3. A minor correction, I meant to write my sentence like this: In general, though, I am happy to report that the bad symptoms I've been seeing in the last few days (svchost being very busy and/or crashing; frequent malware reports; some services not running properly) are now gone -- Thanks so much for your help!
  4. OK, I followed the instructions and here are the results -- generally positive but with a couple of concerns. I downloaded & ran TDSSKiller, and it found & cured a rootkit. Hooray! I will attach the log. Then I updated & re-ran malwarebytes. It found 3 issues; all were complaints that MSFT Security Center was disabled. I did not take any action. I would like to hear your advice: is this a normal side-effect of an adventure such as the one I've had, or something else to be concerned about? These issues did not show up when I ran malwarebytes a few days ago. Also I noticed something odd about Task Manager -- I will attach a screen shot -- the tasks owned by me (Lee) correctly show my user name, and a few of the SYSTEM tasks show SYSTEM, but all the others have blank user names. I have never seen this before and I don't know what it may mean. This was not true before I ran TDSSKiller. In general, though, I am happy to report that the bad symptoms I've been seeing in the last few days (svchost being very busy and/or crashing; frequent malware reports; some services not running properly) -- Thanks so much for your help! I have not yet run DeFogger a second time to re-enable the emulation drivers; please advise on this also.

     TDSSKiller.2.5.0.0_09.05.2011_21.39.58_log.txt
     mbam-log-2011-05-09 (22-22-37).txt
  5. Thanks for your reply, will do this tonight (Pacific time) and send the results.
  6. Several days ago I began observing several bad behaviors on my WinXP PC:

     1. Frequent Just-In-Time Debugger pop-ups; when I went into the debugger I found svchost.exe was the culprit. I turned off the option for it to enter the debugger, then I saw svchost.exe run at 100% CPU for several minutes after startup, then frequently it would crash -- after the crash some basic system functions would be degraded (services or apps could not start, other PCs could not see the shared printer attached to this PC, etc).

     2. AVG reported finding and removing several malware files "on open":

        Trojan horse Generic22.VEB    C:\Windows\Temp\ID30501.exe           5/3/11
        Malware Win32.Agent.myjs      C:\Windows\System32\ITLPFW32.DLL      moments later
        Malware Unknown               C:\Windows\Temp\CQPF\SETUP.EXE        5 minutes later
        Malware Unknown               C:\Windows\Temp\EXPLORER.EXE          5/4/11
        Malware Win32\Unruy.h         C:\Windows\Temp\HCFG\SETUP.EXE        5/5/11
        Malware Win32\Unruy.h         C:\Windows\Temp\GHEA\SETUP.EXE        5/6/11

     In my first malwarebytes scan, it found only 1 unrelated file. I began thinking that some malware was hiding in svchost, downloading SETUP.EXE files periodically.

     Found by Hitman Pro 3.5: C:\Windows\Temp\lnxa\setup.exe Trojan 5/6/11 PM

     I have run malwarebytes 3 times now, I will attach the logs. Each time it was "unlucky" and did not catch anything, but I wonder if these SETUP.EXE's are just symptoms of a deeper problem? DDS seems to think it found something, see below. I will attach the other files.

     Note, when I tried to run GMER, it found something, but after running for a while it crashed. I captured a screen shot, that was the best I could do. I can try again if you need me to.

     Please advise on possible next steps, or if you need more info. Also I would be interested in knowing whether a System Restore would be advisable as a remedy, or it would just muddy the waters?

     Thanks,
     OldGuyFromBay

     DOS.txt: