
Nasty Rootkit I can't remove



Ran Malwarebytes, Spybot S&D, Webroot Essentials, Ad-Aware, Hitman Pro and ComboFix. Still have a redirect problem in Google. I use Firefox.

Here is my last ComboFix log. Any help will be great.

ComboFix 10-07-29.01 - Patrick 07/30/2010 21:26:42.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1405 [GMT -5:00]

Running from: c:\documents and settings\Patrick\My Documents\Downloads\ComboFix.exe

AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

FW: Webroot Internet Security Essentials *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

F:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))

.

2010-07-30 22:00 . 2010-07-30 22:01 -------- d-----w- c:\documents and settings\Patrick\Local Settings\Application Data\AskToolbar

2010-07-30 20:56 . 2010-07-30 20:56 -------- d-----w- c:\program files\Ask.com

2010-07-30 20:55 . 2010-07-30 20:55 -------- d-----w- c:\program files\MSSOAP

2010-07-30 20:54 . 2010-07-30 20:53 108808 ----a-w- c:\windows\system32\drivers\pwipf6.sys

2010-07-30 20:54 . 2010-07-30 23:53 -------- d-----w- c:\documents and settings\Patrick\Application Data\Webroot

2010-07-30 20:54 . 2010-07-30 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot

2010-07-30 20:54 . 2010-07-30 20:54 -------- d-----w- c:\program files\Webroot

2010-07-30 20:54 . 2009-08-31 15:16 1563008 ----a-w- c:\windows\WRSetup.dll

2010-07-30 15:00 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-07-30 13:13 . 2010-07-30 13:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-07-30 13:12 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-07-30 13:12 . 2010-07-30 13:12 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-07-30 12:39 . 2010-07-30 12:39 -------- d-----w- c:\documents and settings\Patrick\Local Settings\Application Data\Sunbelt Software

2010-07-30 12:38 . 2010-07-30 12:38 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}

2010-07-30 12:38 . 2010-07-12 08:56 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe

2010-07-30 05:26 . 2010-07-30 20:35 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-07-30 05:24 . 2010-07-30 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-07-30 05:24 . 2010-07-30 05:24 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-07-30 01:02 . 2010-07-30 01:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2010-07-29 23:07 . 2010-07-29 23:07 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll

2010-07-29 23:07 . 2010-07-29 23:07 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll

2010-07-29 23:07 . 2010-07-29 23:07 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll

2010-07-29 23:07 . 2010-07-29 23:07 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2010-07-29 02:17 . 2010-07-29 02:17 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-15 13:48 . 2010-07-15 13:48 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-07-15 13:48 . 2010-07-15 13:48 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys

2010-07-15 13:46 . 2010-07-15 13:46 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll

2010-07-15 13:46 . 2010-07-15 13:46 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe

2010-07-15 13:46 . 2010-07-15 13:46 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-07-15 13:46 . 2010-07-15 13:46 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2010-07-15 00:47 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-07 03:09 . 2010-07-16 03:09 452104 ----a-w- c:\documents and settings\Patrick\Application Data\Real\Update\setup3.12\setup.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-30 12:37 . 2008-05-06 12:36 -------- d-----w- c:\program files\Lavasoft

2010-07-30 04:36 . 2010-07-30 06:23 268800 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat

2010-07-30 03:27 . 2010-06-16 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-07-30 00:36 . 2004-09-16 22:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-07-30 00:06 . 2005-01-13 22:13 -------- d-----w- c:\program files\TuneUp Utilities 2004

2010-06-24 03:09 . 2010-03-30 00:24 439816 ----a-w- c:\documents and settings\Patrick\Application Data\Real\Update\setup3.10\setup.exe

2010-06-16 22:29 . 2009-08-17 04:15 -------- d-----w- c:\program files\AVG

2010-06-16 21:21 . 2008-12-03 05:01 -------- d-----w- c:\documents and settings\Patrick\Application Data\Zebur

2010-06-15 17:00 . 2010-04-05 06:01 -------- d-----w- c:\documents and settings\Patrick\Application Data\Boxao

2010-06-14 14:31 . 2008-01-12 00:27 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

2010-06-04 00:48 . 2010-06-04 00:48 -------- d-----w- c:\documents and settings\Patrick\Application Data\Malwarebytes

2010-06-04 00:48 . 2010-06-04 00:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-04 00:48 . 2010-06-04 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-03 23:00 . 2010-06-03 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Maxtor

2010-06-03 22:52 . 2010-06-03 22:52 -------- d-----w- c:\program files\Maxtor

2010-06-02 00:54 . 2010-05-30 18:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-30 20:04 . 2010-05-30 20:04 75040 ----a-w- c:\documents and settings\Patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-06 10:41 . 2008-01-12 00:27 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2008-01-12 00:27 1851264 ----a-w- c:\windows\system32\win32k.sys

2005-10-27 16:37 . 2005-10-27 16:29 8986 ----a-w- c:\program files\Common Files\temp.html

.

((((((((((((((((((((((((((((( SnapShot@2010-07-30_04.01.38 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90ud.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90d.dll

+ 2009-08-26 15:07 . 2009-08-26 15:07 31088 c:\windows\system32\wrLZMA.dll

+ 2009-08-26 15:07 . 2009-08-26 15:07 16240 c:\windows\system32\SsiEfr.exe

+ 2010-07-30 13:12 . 2010-07-12 08:55 64288 c:\windows\system32\DRVSTORE\lbd_9C578CA880A99903668A8694DEFB21244E9C4C62\Lbd.sys

+ 2009-08-26 15:07 . 2009-08-26 15:07 23152 c:\windows\system32\drivers\sshrmd.sys

+ 2009-08-26 15:07 . 2009-08-26 15:07 29808 c:\windows\system32\drivers\ssfs0bbc.sys

+ 2008-01-10 17:35 . 2010-07-31 02:23 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2008-01-10 17:35 . 2008-10-14 00:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-01-10 17:35 . 2010-07-31 02:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-01-10 17:35 . 2008-10-14 00:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-07-30 13:13 . 2010-07-31 02:23 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2010-07-30 13:13 . 2010-07-31 02:23 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-07-30 20:56 . 2010-07-30 20:56 40960 c:\windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe

+ 2010-07-30 20:54 . 2010-07-30 20:54 10134 c:\windows\Installer\{3F5B6210-0903-4DC6-8034-8F488AA3A782}\ARPPRODUCTICON.exe

+ 2010-07-30 20:55 . 2010-07-30 20:55 10134 c:\windows\Installer\{32343DB6-9A52-40C9-87E4-5E7C79791C87}\ARPPRODUCTICON.exe

+ 2008-07-29 13:05 . 2008-07-29 13:05 875520 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcp90d.dll

+ 2008-07-29 08:54 . 2008-07-29 08:54 312832 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcm90d.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

+ 2009-08-26 15:07 . 2009-08-26 15:07 176752 c:\windows\system32\drivers\ssidrv.sys

+ 2007-03-03 03:45 . 2009-08-31 15:09 511328 c:\windows\system32\capicom.dll

+ 2010-07-30 12:37 . 2010-07-30 12:37 236032 c:\windows\Installer\1aa8a1c.msi

+ 2010-07-30 20:56 . 2010-07-30 20:56 967168 c:\windows\Installer\1681a9.msi

+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 5982720 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90ud.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 5937144 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90d.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 1180672 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcr90d.dll

+ 2010-07-30 12:38 . 2010-07-30 12:38 1866752 c:\windows\Installer\1aa8a26.msi

+ 2010-07-30 20:55 . 2010-07-30 20:55 1473024 c:\windows\Installer\1681a3.msi

+ 2010-07-30 20:54 . 2010-07-30 20:54 2981376 c:\windows\Installer\16819d.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-02-09 20:06 764296 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]

@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"

[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]

2009-08-31 15:09 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-06-30 2376928]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2003-03-31 44032]

"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 16342528]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-17 185896]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]

"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-27 49152]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-04-04 98304]

"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-08-31 6515784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-19 8720384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Device Detector 2.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2006-9-26 114688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0\bin\jusched.exe

"REGSHAVE"=c:\program files\REGSHAVE\REGSHAVE.EXE /AUTORUN

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"P17Helper"=Rundll32 P17.dll,P17Helper

"NeroCheck"=c:\windows\system32\NeroCheck.exe

"Alcmtr"=ALCMTR.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Freeciv-1.14.0\\civserver.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/30/2010 8:12 AM 64288]

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/26/2009 10:07 AM 29808]

R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [7/30/2010 3:54 PM 108808]

R2 GenPort;GenPort;c:\windows\system32\drivers\genport.sys [11/26/2006 2:50 PM 4832]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 3:55 AM 1352832]

R2 MapMem;MapMem;c:\windows\system32\drivers\MAPMEM.SYS [11/26/2006 2:50 PM 6816]

R2 NTRemap;NTRemap;c:\windows\system32\drivers\NTREMAP.SYS [11/26/2006 2:50 PM 6336]

R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [7/30/2010 3:56 PM 1201640]

R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2/9/2010 1:22 AM 54416]

R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2/9/2010 1:22 AM 160272]

R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2/9/2010 1:22 AM 160272]

R3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2/9/2010 1:22 AM 11920]

R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2/9/2010 1:22 AM 113680]

S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]

S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [9/15/2004 4:30 PM 96256]

S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [1/11/2008 9:37 PM 24944]

S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]

S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 4:43 PM 32408]

.

Contents of the 'Scheduled Tasks' folder

2010-07-30 c:\windows\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2004\SystemOptimizer.exe [2004-08-11 00:44]

2010-07-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 08:55]

2010-07-31 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-07-31 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 20:06]

2010-07-31 c:\windows\Tasks\SDMsgUpdate (SmartDrawTrial).job

- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2006-04-18 16:09]

2008-01-25 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2005-12-18 20:45]

2010-07-30 c:\windows\Tasks\wrSpySweeper_L906B5FE7CFA54109A3B3C0AF26BBA2E4.job

- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-07-30 15:16]

2010-07-30 c:\windows\Tasks\wrSpySweeper_L906B5FE7CFA54109A3B3C0AF26BBA2E4.job

- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-07-30 15:16]

2010-07-30 c:\windows\Tasks\wrSpySweeper_LB614A2D8C0AE4ED8A55AF842ED9717A7.job

- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-07-30 15:16]

2010-07-30 c:\windows\Tasks\wrSpySweeper_LB614A2D8C0AE4ED8A55AF842ED9717A7.job

- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-07-30 15:16]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: {B944FD4B-AC3B-4F2E-B84D-649E909FA467} - hxxp://www.mtsu.edu/~aerodept/probook2011.cab

FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\3om13j5k.Default User\

FF - prefs.js: browser.search.selectedEngine - Ask.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\3om13j5k.Default User\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll

FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-30 21:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x896F8EC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba13cf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9e3a852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.xaml\bootstrap]

@DACL=(02 0000)

@="bootstrap.xaml.1"

[HKEY_LOCAL_MACHINE\software\Classes\.xbap\bootstrap]

@DACL=(02 0000)

@="bootstrap.xbap.1"

[HKEY_LOCAL_MACHINE\software\Classes\.xps\bootstrap]

@DACL=(02 0000)

@="bootstrap.xps.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:

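As an added example for triaging a log like the one above (this is not code from ComboFix, from the forum, or from the original poster): a small Python script that runs reviewer heuristics over ComboFix-style output and returns the entries worth a closer look. The rule names and the sample lines (copied from the log above) are this example's own constructs; matching a rule is a prompt to investigate, not a verdict that the entry is malicious. On this log it surfaces the localhost proxy on port 5555 in the IE settings, the disabled on-access scanning and firewall, the deleted F:\Autorun.inf, the S0 driver nielprt whose file ComboFix could not locate, the Firefox proxy auto-detect setting, the user.js overrides that silence Firefox's mixed-content and insecure-form warnings, and the unattributed module in the Gmer disk-stack list.

```python
"""Triage a ComboFix-style log: flag the entries worth a closer look.

Added example for this thread, not part of ComboFix or the forum's own
tooling.  The rules encode reviewer heuristics, not a malware verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# Each rule is (name, pattern).  The names are this example's own labels.
RULES = [
    # IE/WinINet HTTP traffic funnelled through a listener on the local host
    ("local-proxy",
     re.compile(r"ProxyServer\s*=.*\b(?:127\.0\.0\.1|localhost):\d+", re.I)),
    # ComboFix header reports the AV's real-time scanner as off
    ("av-on-access-disabled",
     re.compile(r"\*On-access scanning disabled\*")),
    ("firewall-disabled", re.compile(r"^FW:.*\*disabled\*")),
    # Service/driver whose image ComboFix could not find ("--> ... [?]")
    ("service-file-missing",
     re.compile(r"^[RS][0-4]\s.*-->.*\[\?\]$")),
    # Autorun.inf removed from a drive root (classic removable-media vector)
    ("autorun-inf", re.compile(r"^[A-Z]:\\Autorun\.inf$", re.I)),
    # Firefox profile set to auto-detect proxy (type 4) rather than direct (0)
    ("ff-proxy-autodetect",
     re.compile(r"prefs\.js: network\.proxy\.type\s*-\s*4$")),
    # user.js overrides that silence mixed-content / insecure-submit warnings
    ("ff-security-warning-off",
     re.compile(r"user\.js: security\.warn_\S+\s*-\s*false$")),
    # Gmer MBR detector could not attribute a module in the disk stack
    ("unknown-disk-module", re.compile(r">>UNKNOWN \[0x[0-9A-Fa-f]+\]<<")),
]


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that trips a rule (first rule wins)."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
                break
    return findings


def rules_hit(findings: list[Finding]) -> set[str]:
    return {f.rule for f in findings}


def local_proxy_endpoints(findings: list[Finding]) -> list[str]:
    """host:port of every local proxy found, for follow-up with netstat."""
    out: list[str] = []
    for f in findings:
        if f.rule == "local-proxy":
            m = re.search(r"\b((?:127\.0\.0\.1|localhost):\d+)", f.line, re.I)
            out.append(m.group(1))
    return out


# Constructed sample: a handful of lines lifted from the thread's log,
# plus benign neighbours to show what the rules ignore.
SAMPLE_LOG = r"""
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
F:\Autorun.inf
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2/9/2010 1:22 AM 54416]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: network.proxy.type - 4
FF - user.js: security.warn_viewing_mixed - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x896F8EC5]<<
user & kernel MBR OK
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.rule}] {f.line}")
    for ep in local_proxy_endpoints(found):
        port = ep.rsplit(":", 1)[1]
        print(f"follow-up on the machine: netstat -ano | findstr :{port}")
```

For the proxy finding the follow-up is done on the machine itself: `netstat -ano | findstr :5555` gives the PID of the listener, and `tasklist /svc /fi "PID eq <pid>"` names the process and any service it hosts. A local proxy that rewrites search traffic would explain the symptom in every client that honours the WinINet proxy, whereas Firefox with network.proxy.type 4 performs WPAD auto-detection and does not read the IE ProxyServer value (type 5, the greprefs default shown in the log, is the "use system settings" mode), so the two settings need separate checks.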

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
