Jump to content

gutenburg

Members
  • Posts

    2
  • Joined

  • Last visited

Reputation

0 Neutral
  1. I case those who are looking at this do not want to look at the attachments here are the contents of the files: GMER (ark.txt) GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-07-18 18:04:55 Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 ST332061 rev.CC4H Running: rd1hqv39.exe; Driver: C:\DOCUME~1\Robbie\LOCALS~1\Temp\uxlyapog.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xA43A4542] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwClose [0xA43A4DBA] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwConnectPort [0xA43A58CC] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateEvent [0xA43A5DCC] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA41678CC] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9DC1D72] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateMutant [0xA43A5CA4] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xA43A4148] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreatePort [0xA43A5B60] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9DA29A6] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9DA2B98] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateSection [0xA43A4304] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateSemaphore [0xA43A5EFE] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xA43A7784] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateThread [0xA43A4A58] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xA43A5C02] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xA43A7176] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA416878E] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9DC2568] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9DC2820] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xA43A5524] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwDuplicateObject [0xA43A8146] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwEnumerateKey [0xA43A3E80] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xA43A3F2A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwFsControlFile [0xA43A5330] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwLoadDriver [0xA43A7208] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA418B558] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA418B796] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwMapViewOfSection [0xA43A7838] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xA43A4076] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenEvent [0xA43A5E6E] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA4168280] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9DC0A80] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenMutant [0xA43A5D3C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenProcess [0xA43A4740] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenSection [0xA43A77AE] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenSemaphore [0xA43A5FA0] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenThread [0xA43A4664] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueryKey [0xA43A3FD4] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xA43A3BFC] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQuerySection [0xA43A7B50] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueryValueKey [0xA43A384C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueueApcThread [0xA43A749E] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9DC2C8A] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA418BF12] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwReplyPort [0xA43A632A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xA43A61F0] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xA43A6E9C] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xA418D07E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwResumeThread [0xA43A8028] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSaveKey [0xA43A31FE] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSecureConnectPort [0xA43A560A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSetContextThread [0xA43A4C76] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA4168B98] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSetInformationToken [0xA43A686C] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xA418CBA6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSetSystemInformation [0xA43A7C90] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9DC2036] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSuspendProcess [0xA43A7D74] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSuspendThread [0xA43A7E9C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSystemDebugControl [0xA43A70A2] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9DA2656] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwTerminateThread [0xA43A480E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xA43A7A06] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xA43A4998] Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) IoIsOperationSynchronous ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF84 5 Bytes JMP A43999D4 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) .text ntkrnlpa.exe!IoIsOperationSynchronous 804EF912 5 Bytes JMP A4399DAE \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) .text ntkrnlpa.exe!ZwCallbackReturn + 2C88 80504524 12 Bytes [60, 5B, 3A, A4, A6, 29, DA, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2C98 80504534 16 Bytes [04, 43, 3A, A4, FE, 5E, 3A, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2D54 805045F0 12 Bytes [08, 72, 3A, A4, 58, B5, 18, ...] {OR [EDX+0x3a], DH; MOVSB ; POP EAX; MOV CH, 0x18; MOVSB ; XCHG ESI, EAX; MOV BH, 0x18; MOVSB } .text ntkrnlpa.exe!ZwCallbackReturn + 2ED0 8050476C 16 Bytes [8A, 2C, DC, B9, 12, BF, 18, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2FC4 80504860 12 Bytes [74, 7D, 3A, A4, 9C, 7E, 3A, ...] {JZ 0x7f; CMP AH, [ESP+EBX*4-0x5d5bc582]; JO 0x45; MOVSB } .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB89B8000, 0x18FFBC, 0xE8000020] ? C:\WINDOWS\system32\DRIVERS\ipsec.sys suspicious PE modification C:\Program Files\CyberLink\PowerDVD DX\000.fcl entry point in "" section [0x9F7AA41C] .clc C:\Program Files\CyberLink\PowerDVD DX\000.fcl unknown last code section [0x9F7AB000, 0x1000, 0xE0000020] ? C:\DOCUME~1\Robbie\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2384] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 1068EDA6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2384] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 1068ED38 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2384] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104A5451 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2384] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104A5A99 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\WINDOWS\system32\SearchIndexer.exe[3608] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4496] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) Device \FileSystem\Fastfat \Fat 9EDB8D20 AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat VET-FILT.SYS AttachedDevice \FileSystem\Fastfat \Fat VET-REC.SYS ---- Modules - GMER 1.0.15 ---- Module (noname) (*** hidden *** ) A48BB000-A48C4000 (36864 bytes) ---- Threads - GMER 1.0.15 ---- Thread System [4:488] A48BFD20 Thread System [4:492] A48BFD20 Thread System [4:496] A48BFD20 Thread System [4:500] A48BFD20 Thread System [4:504] 894EF505 Thread System [4:508] 894EF505 Thread System [4:512] 894EF505 Thread System [4:516] 894EF505 ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!! Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\$NtUninstallKB43074$\3329003985 0 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\click.tlb 2144 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\L 0 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\L\rohepcid 75264 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\loader.tlb 2540 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\U 0 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\U\@00000001 54368 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\U\@000000c0 2560 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\U\@000000cb 2048 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\U\@000000cf 1536 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\U\@80000000 24576 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\U\@800000c0 33280 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\U\@800000cb 27648 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\U\@800000cf 27648 bytes File C:\WINDOWS\$NtUninstallKB43074$\3329003985\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6} 2048 bytes File C:\WINDOWS\$NtUninstallKB43074$\4080173086 0 bytes ---- EOF - GMER 1.0.15 ---- dds.txt: DDS (Ver_2011-07-14.01) - NTFS_x86 Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21 Run by Robbie at 17:40:14 on 2011-07-18 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2268 [GMT -4:00] . AV: ZoneAlarm Extreme Security Antivirus *Enabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF} FW: ZoneAlarm Extreme Security Firewall *Enabled* . ============== Running Processes ================ . C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\Program Files\Dell Support Center\bin\sprtcmd.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Skype\Phone\Skype.exe C:\Documents and Settings\Robbie\Local Settings\Application Data\Flock\Update\FlockUpdate.exe C:\Program Files\RescueTime\RescueTime.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\iPod\bin\iPodService.exe c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe C:\WINDOWS\System32\alg.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Common Files\Java\Java Update\jucheck.exe C:\DOCUME~1\Robbie\LOCALS~1\Temp\jre-6u26-windows-i586-iftw-rv.exe C:\Program Files\Mozilla Firefox\plugin-container.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\SearchFilterHost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k NetworkService C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\System32\svchost.exe -k Akamai C:\WINDOWS\system32\svchost.exe -k imgsvc . ============== Pseudo HJT Report =============== . uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1060933 uSearch Page = hxxp://www.live.com mStart Page = hxxp://search.myheritage.com mDefault_Page_URL = hxxp://www.dell.com uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll uURLSearchHooks: MHURLSearchHook Class: {1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - c:\program files\family toolbar\tbhelper.dll BHO: MHTBPos00 Class: {0C37B053-FD68-456a-82E1-D788EE342E6F} - c:\program files\family toolbar\tbcore3.dll BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\prxConduitEngine.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned> BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll BHO: ZoneAlarm Toolbar Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - c:\program files\windows live\toolbar\wltcore.dll BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll TB: Family Toolbar: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - c:\program files\family toolbar\tbcore3.dll TB: Freecorder Toolbar: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - c:\program files\freecorder\prxtbFre0.dll TB: ZoneAlarm Toolbar: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll TB: Family Toolbar: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - c:\program files\family toolbar\tbcore3.dll TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll TB: ZoneAlarm Toolbar: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll TB: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\prxConduitEngine.dll uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter uRun: [bandwidthMeterPro] c:\program files\bandwidthmeterpro\BandwidthMeterPro.exe uRun: [Google Update] "c:\documents and settings\robbie\local settings\application data\google\update\GoogleUpdate.exe" /c uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized uRun: [Jing] c:\program files\techsmith\jing\Jing.exe uRun: [Flock Update] "c:\documents and settings\robbie\local settings\application data\flock\update\FlockUpdate.exe" /c uRun: [AdobeBridge] <no file> mRun: [RTHDCPL] RTHDCPL.EXE mRun: [Alcmtr] ALCMTR.EXE mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe" mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe" mRun: [Family Tree Builder Update] c:\program files\myheritage\bin\FTBCheckUpdates.exe mRun: [WinampAgent] "c:\program files\winamp\winampa.exe" mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe" mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe" mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rescue~1.lnk - c:\program files\rescuetime\RescueTime.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe uPolicies-Explorer: NoDriveTypeAutoRun = dword:145 mPolicies-Explorer: NoDriveTypeAutoRun = dword:145 IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe LSP: imslsp.dll LSP: c:\windows\system32\zonelabs\vetredir.dll LSP: mswsock.dll DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\monopoly\images\stg_drm.ocx DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\monopoly\images\armhelper.ocx TCP: NameServer = 192.168.1.1 TCP: Interfaces\{83DB66DC-C16A-4AF1-A186-0E74D6A751D4} : DHCPNameServer = 192.168.1.1 Handler: ipp - <Clsid value has no data> Handler: msdaipp - <Clsid value has no data> Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll Notify: AtiExtEvent - Ati2evxx.dll SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install IFEO: Your Image File Name Here without a path - ntsd -d . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\robbie\application data\mozilla\firefox\profiles\bk0hjws5.default\ FF - prefs.js: browser.startup.homepage - hxxp://search.myheritage.com/ FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q= FF - prefs.js: network.proxy.type - 4 FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaDownload.dll FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaExtensions.dll FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll FF - plugin: c:\documents and settings\robbie\local settings\application data\flock\update\1.2.213.0\npFlockOneClick8.dll FF - plugin: c:\documents and settings\robbie\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\picasa3\npPicasa3.dll FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\microsoft silverlight\2.0.31005.0\npctrlui.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll . ============= SERVICES / DRIVERS =============== . R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2011-1-6 128016] R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-11 206256] R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-1-6 317072] R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-5-18 21605] R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-5-18 15668] R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-5-18 114856] R1 VETMONNT;VET File and Macro Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-5-18 896472] R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-1-6 528128] R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};c:\program files\cyberlink\powerdvd dx\000.fcl [2009-4-30 61424] R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-25 14336] R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-8-27 26352] R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-8-27 493032] R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-4-30 8960] R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-18 41272] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-2 136176] S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?] S3 CAISafe;CA ISafe;c:\windows\system32\zonelabs\isafe.exe [2009-5-18 184320] S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2009-4-30 11264] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-2 136176] S3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2010-8-27 35568] S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2009-7-5 29824] S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2009-7-5 41344] S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2009-7-5 39936] S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2009-7-5 59776] S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-4-30 16640] S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-9-11 348752] S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-9-11 1097096] S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096] . =============== Created Last 30 ================ . 2011-07-18 21:27:28 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-07-18 21:27:25 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-28 14:59:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-06-23 18:40:38 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll 2011-06-23 18:40:38 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll . ==================== Find3M ==================== . 2011-07-18 20:34:53 288768 ----a-w- c:\windows\system32\drivers\hdaudbus.sys 2011-07-18 20:34:30 115200 ----a-w- c:\windows\system32\drivers\redbook.sys 2011-07-18 20:15:23 784896 ----a-w- c:\windows\system32\drivers\rdpdr.sys 2011-05-03 19:24:48 0 ----a-w- c:\windows\system32\ConduitEngine.tmp . ============= FINISH: 17:41:06.92 ===============
  2. The is a virus redirected all my google searches and it also causing other problems. I have Windows XP Profession. Malwarebytes will not run. It comes up and says it isn't found. I have followed the instructions and have run the programs indicated on the "I'm Infected" post. Attached are the files mentioned. Thanks for any help that can be given. dds.txt attach.txt ark.txt
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.