Jump to content

Browser hijacked

sdstuck
 Share

Recommended Posts

sdstuck

sdstuck

Posted
Posted

A couple of weeks ago, my home PC (XP sp3) got infected, despite running a current AV and AM.

I uninstalled the AV and AM, and installed Viper AV and MBAM. Both products found and fixed problems.

Then I uninstalled Viper and installed the latest ESET and Ad-Aware. Both of them found and fixed problems.

Now ESET, Ad-Aware and Malwarebytes all say there are no problems, even with full scans.

However, the browser is still hijacked and from time to time Ad-Aware live will report svchost trying to connect to a malicious site, like 205.252.166.169.

I tried to work through the "I'm infected.." checklist, but GMER crashed during a scan (multiple attempts), and froze the PC, requiring a power-off reboot.

I've pasted the DDS log below, and attached the attache.txt and MBAM log.

Any help would be very much appreciated.

Pete.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Compaq_Administrator at 12:17:54.45 on Sat 07/31/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1401 [GMT -7:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

svchost.exe

C:\WINDOWS\arservice.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\ARPWRMSG.EXE

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\MozyHome\mozybackup.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\MozyHome\mozystat.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\system32\HPZipm12.exe

J:\malwarebytes_stuff\dds.scr

C:\WINDOWS\ALCXMNTR.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Google Update] "c:\documents and settings\compaq_administrator\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [DMAScheduler] c:\program files\sonic\digitalmedia plus\digitalmedia archive\DMAScheduler.exe

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [PCDrProfiler]

mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE

mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264293495328

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Hosts: 192.168.5.199 HP000D9D037C44

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-8 64288]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-7-24 95024]

R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1352832]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-12 135664]

S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-14 1251720]

=============== Created Last 30 ================

2010-07-31 19:11:42 0 ----a-w- c:\documents and settings\compaq_administrator\defogger_reenable

2010-07-25 01:15:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-07-22 07:04:14 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}

==================== Find3M ====================

2010-07-12 08:55:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-07-12 08:55:38 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-05-14 18:38:01 11780792 ----a-w- c:\documents and settings\all users\Tempmozy-update-aae5499c7263a63d49c6c545d4b0cc48.exe

2008-09-28 22:36:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat

============= FINISH: 12:20:17.25 ===============

Attach.txt

mbam_log_2010_07_21__22_00_09_.txt

Link to post
Share on other sites
Kenny94

Kenny94

Posted
Posted

Hi sdstuck And Welcome to Malwarebytes Forum!

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose extract all extract the file to your desktop then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log

Link to post
Share on other sites
sdstuck

sdstuck

Posted
  • Author
Posted

Wow, thanks for the extremely quick response.

I've pasted the TDSSKiller log below. It found and cured a file. I also ran combofix, and have pasted its log below also.

The browser appears to no longer be hijacked.

Pete.

2010/07/31 16:05:30.0984 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49

2010/07/31 16:05:30.0984 ================================================================================

2010/07/31 16:05:30.0984 SystemInfo:

2010/07/31 16:05:30.0984

2010/07/31 16:05:30.0984 OS Version: 5.1.2600 ServicePack: 3.0

2010/07/31 16:05:30.0984 Product type: Workstation

2010/07/31 16:05:30.0984 ComputerName: ATHLONXP

2010/07/31 16:05:30.0984 UserName: Compaq_Administrator

2010/07/31 16:05:30.0984 Windows directory: C:\WINDOWS

2010/07/31 16:05:30.0984 System windows directory: C:\WINDOWS

2010/07/31 16:05:30.0984 Processor architecture: Intel x86

2010/07/31 16:05:30.0984 Number of processors: 1

2010/07/31 16:05:30.0984 Page size: 0x1000

2010/07/31 16:05:30.0984 Boot type: Normal boot

2010/07/31 16:05:30.0984 ================================================================================

2010/07/31 16:05:31.0312 Initialize success

2010/07/31 16:05:36.0437 ================================================================================

2010/07/31 16:05:36.0437 Scan started

2010/07/31 16:05:36.0437 Mode: Manual;

2010/07/31 16:05:36.0437 ================================================================================

2010/07/31 16:05:37.0500 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/07/31 16:05:37.0531 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/07/31 16:05:37.0578 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/07/31 16:05:37.0640 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/07/31 16:05:37.0734 AgereSoftModem (51a66c689ad9b9a953f75496209ae520) C:\WINDOWS\system32\DRIVERS\AGRSM.sys

2010/07/31 16:05:37.0984 ALCXWDM (7f26d024355cbadb60838f53dfb171ec) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2010/07/31 16:05:38.0078 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys

2010/07/31 16:05:38.0156 aracpi (00523019e3579c8f8a94457fe25f0f24) C:\WINDOWS\system32\DRIVERS\aracpi.sys

2010/07/31 16:05:38.0203 arhidfltr (9fedaa46eb1a572ac4d9ee6b5f123cf2) C:\WINDOWS\system32\DRIVERS\arhidfltr.sys

2010/07/31 16:05:38.0234 arkbcfltr (82969576093cd983dd559f5a86f382b4) C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys

2010/07/31 16:05:38.0265 armoucfltr (9b21791d8a78faece999fadbebda6c22) C:\WINDOWS\system32\DRIVERS\armoucfltr.sys

2010/07/31 16:05:38.0328 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/07/31 16:05:38.0343 ARPolicy (7a2da7c7b0c524ef26a79f17a5c69fde) C:\WINDOWS\system32\DRIVERS\arpolicy.sys

2010/07/31 16:05:38.0421 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/07/31 16:05:38.0468 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/07/31 16:05:38.0593 ati2mtag (7a6cf9f411a9c5bd5c442a1cd46af401) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2010/07/31 16:05:38.0656 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/07/31 16:05:38.0687 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/07/31 16:05:38.0718 bb-run (7270d070173b20ac9487ea16bb08b45f) C:\WINDOWS\system32\DRIVERS\bb-run.sys

2010/07/31 16:05:38.0750 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/07/31 16:05:38.0812 BVRPMPR5 (da2dc84e2d14ec6dac1132caa286118d) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS

2010/07/31 16:05:38.0828 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/07/31 16:05:38.0875 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2010/07/31 16:05:38.0906 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/07/31 16:05:38.0937 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/07/31 16:05:38.0984 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/07/31 16:05:39.0109 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/07/31 16:05:39.0156 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/07/31 16:05:39.0187 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/07/31 16:05:39.0203 dmload (27eb95a1b5a566d2b649e52950b2da86) C:\WINDOWS\system32\drivers\dmload.sys

2010/07/31 16:05:39.0203 Suspicious file (Forged): C:\WINDOWS\system32\drivers\dmload.sys. Real md5: 27eb95a1b5a566d2b649e52950b2da86, Fake md5: e9317282a63ca4d188c0df5e09c6ac5f

2010/07/31 16:05:39.0203 dmload - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/07/31 16:05:39.0250 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/07/31 16:05:39.0281 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/07/31 16:05:39.0359 eamon (af82dc664e3d8e2cba3b95e68f6448a7) C:\WINDOWS\system32\DRIVERS\eamon.sys

2010/07/31 16:05:39.0406 ehdrv (686a799c1bf1b18941994daf9f45db06) C:\WINDOWS\system32\DRIVERS\ehdrv.sys

2010/07/31 16:05:39.0437 epfw (39f48a0784be8465cd1ac80b36d61613) C:\WINDOWS\system32\DRIVERS\epfw.sys

2010/07/31 16:05:39.0468 Epfwndis (3b47010b2425b69826004767e59045ba) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys

2010/07/31 16:05:39.0515 epfwtdi (763c43360a541c92ef6c97452b312f3b) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys

2010/07/31 16:05:39.0578 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/07/31 16:05:39.0609 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2010/07/31 16:05:39.0625 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/07/31 16:05:39.0640 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2010/07/31 16:05:39.0687 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/07/31 16:05:39.0703 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/07/31 16:05:39.0718 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/07/31 16:05:39.0765 ftsata2 (22399d3ce5840c6082844679cca5d2fc) C:\WINDOWS\system32\DRIVERS\ftsata2.sys

2010/07/31 16:05:39.0796 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/07/31 16:05:39.0828 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/07/31 16:05:39.0921 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/07/31 16:05:39.0968 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/07/31 16:05:40.0015 iaStor (9a65e42664d1534b68512caad0efe963) C:\WINDOWS\system32\DRIVERS\iaStor.sys

2010/07/31 16:05:40.0062 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/07/31 16:05:40.0109 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/07/31 16:05:40.0125 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/07/31 16:05:40.0156 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/07/31 16:05:40.0171 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/07/31 16:05:40.0187 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/07/31 16:05:40.0218 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/07/31 16:05:40.0250 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/07/31 16:05:40.0265 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/07/31 16:05:40.0296 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/07/31 16:05:40.0328 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/07/31 16:05:40.0375 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys

2010/07/31 16:05:40.0421 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/07/31 16:05:40.0468 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/07/31 16:05:40.0515 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys

2010/07/31 16:05:40.0640 LVcKap (fb548ff809634bfa866312b37d8a18ae) C:\WINDOWS\system32\DRIVERS\LVcKap.sys

2010/07/31 16:05:40.0984 LVMVDrv (fe3fb994f8702d9e37648927819b74b8) C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys

2010/07/31 16:05:41.0171 LVPr2Mon (c7ea51f1ab10b0b2b443f4d5589fc1a5) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys

2010/07/31 16:05:41.0265 LVUSBSta (caef4c05ba2c1acad4ebcaa4261cd55d) C:\WINDOWS\system32\drivers\LVUSBSta.sys

2010/07/31 16:05:41.0328 MDC8021X (d7010580bf4e45d5e793a1fe75758c69) C:\WINDOWS\system32\DRIVERS\mdc8021x.sys

2010/07/31 16:05:41.0390 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys

2010/07/31 16:05:41.0421 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/07/31 16:05:41.0453 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/07/31 16:05:41.0484 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/07/31 16:05:41.0515 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/07/31 16:05:41.0562 mozyFilter (ac7f19fadbde3eca78fc552d3805005b) C:\WINDOWS\system32\DRIVERS\mozy.sys

2010/07/31 16:05:41.0593 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/07/31 16:05:41.0656 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/07/31 16:05:41.0687 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/07/31 16:05:41.0718 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/07/31 16:05:41.0750 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/07/31 16:05:41.0781 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/07/31 16:05:41.0812 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/07/31 16:05:41.0828 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2010/07/31 16:05:41.0843 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/07/31 16:05:41.0890 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2010/07/31 16:05:41.0921 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/07/31 16:05:41.0968 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2010/07/31 16:05:42.0000 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/07/31 16:05:42.0031 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/07/31 16:05:42.0062 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/07/31 16:05:42.0093 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/07/31 16:05:42.0125 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/07/31 16:05:42.0156 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/07/31 16:05:42.0218 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/07/31 16:05:42.0234 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/07/31 16:05:42.0281 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/07/31 16:05:42.0328 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/07/31 16:05:42.0359 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/07/31 16:05:42.0390 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/07/31 16:05:42.0453 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/07/31 16:05:42.0484 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/07/31 16:05:42.0515 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/07/31 16:05:42.0546 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/07/31 16:05:42.0593 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/07/31 16:05:42.0640 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/07/31 16:05:42.0687 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/07/31 16:05:42.0843 pepifilter (c5d5ea6a29523e0f6016741e9851c6db) C:\WINDOWS\system32\DRIVERS\lv302af.sys

2010/07/31 16:05:42.0984 PID_PEPI (3f96dcd4ac98c8e0d3c03c24fd49a2fe) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS

2010/07/31 16:05:43.0062 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/07/31 16:05:43.0078 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/07/31 16:05:43.0140 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys

2010/07/31 16:05:43.0171 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/07/31 16:05:43.0203 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/07/31 16:05:43.0250 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/07/31 16:05:43.0421 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/07/31 16:05:43.0453 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/07/31 16:05:43.0484 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/07/31 16:05:43.0515 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/07/31 16:05:43.0578 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/07/31 16:05:43.0609 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/07/31 16:05:43.0656 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/07/31 16:05:43.0703 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/07/31 16:05:43.0750 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/07/31 16:05:43.0796 RTL8023xp (7889e3981e0a5d347e037abd467d53a5) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys

2010/07/31 16:05:43.0812 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2010/07/31 16:05:43.0859 SBRE (4019149e4e296072831c8855605d9fdc) C:\WINDOWS\system32\drivers\SBREdrv.sys

2010/07/31 16:05:43.0906 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/07/31 16:05:43.0968 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2010/07/31 16:05:44.0000 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/07/31 16:05:44.0078 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/07/31 16:05:44.0140 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/07/31 16:05:44.0171 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/07/31 16:05:44.0218 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/07/31 16:05:44.0281 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys

2010/07/31 16:05:44.0343 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/07/31 16:05:44.0390 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/07/31 16:05:44.0453 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/07/31 16:05:44.0546 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys

2010/07/31 16:05:44.0671 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/07/31 16:05:44.0750 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/07/31 16:05:44.0796 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/07/31 16:05:44.0843 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/07/31 16:05:44.0906 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/07/31 16:05:44.0968 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/07/31 16:05:45.0031 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/07/31 16:05:45.0109 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2010/07/31 16:05:45.0187 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/07/31 16:05:45.0250 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/07/31 16:05:45.0281 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/07/31 16:05:45.0312 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/07/31 16:05:45.0359 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/07/31 16:05:45.0375 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/07/31 16:05:45.0421 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/07/31 16:05:45.0437 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/07/31 16:05:45.0500 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/07/31 16:05:45.0531 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/07/31 16:05:45.0593 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/07/31 16:05:45.0656 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/07/31 16:05:45.0718 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys

2010/07/31 16:05:45.0765 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/07/31 16:05:45.0859 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/07/31 16:05:45.0890 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/07/31 16:05:45.0937 ================================================================================

2010/07/31 16:05:45.0937 Scan finished

2010/07/31 16:05:45.0937 ================================================================================

2010/07/31 16:05:45.0953 Detected object count: 1

2010/07/31 16:06:15.0359 dmload (27eb95a1b5a566d2b649e52950b2da86) C:\WINDOWS\system32\drivers\dmload.sys

2010/07/31 16:06:15.0359 Suspicious file (Forged): C:\WINDOWS\system32\drivers\dmload.sys. Real md5: 27eb95a1b5a566d2b649e52950b2da86, Fake md5: e9317282a63ca4d188c0df5e09c6ac5f

2010/07/31 16:06:15.0921 Backup copy found, using it..

2010/07/31 16:06:15.0968 C:\WINDOWS\system32\drivers\dmload.sys - will be cured after reboot

2010/07/31 16:06:15.0968 Rootkit.Win32.TDSS.tdl3(dmload) - User select action: Cure

ComboFix 10-07-31.01 - Compaq_Administrator 07/31/2010 16:28:11.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1372 [GMT -7:00]

Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe

AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Compaq_Administrator\xxg2mdlhlpx.exx

c:\windows\system32\ps2.bat

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))

.

2010-07-31 20:28 . 2010-07-31 20:28 -------- d-----w- c:\windows\Performance

2010-07-31 20:28 . 2010-07-31 20:28 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Microsoft Corporation

2010-07-31 20:27 . 2010-07-31 20:27 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor

2010-07-29 04:39 . 2010-07-29 04:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-25 01:15 . 2010-06-20 01:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-07-22 07:32 . 2010-07-22 07:32 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Sunbelt Software

2010-07-22 07:04 . 2010-07-22 07:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}

2010-07-22 07:04 . 2010-07-12 08:56 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe

2010-07-22 03:23 . 2010-07-22 03:23 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2010-07-22 03:23 . 2010-07-22 03:23 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache

2010-07-22 03:22 . 2010-07-22 03:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

2010-07-22 03:13 . 2010-07-22 03:13 -------- d-----w- c:\program files\Common Files\Adobe

2010-07-22 03:12 . 2010-07-22 03:12 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-07-22 03:11 . 2010-07-22 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-07-22 03:11 . 2010-07-22 03:11 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-07-22 03:11 . 2010-07-23 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-07-16 14:33 . 2010-07-16 14:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-31 23:08 . 2004-08-09 21:00 5888 ----a-w- c:\windows\system32\drivers\dmload.sys

2010-07-31 22:57 . 2010-06-18 20:41 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-25 00:29 . 2010-06-21 07:22 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-07-25 00:27 . 2010-06-21 07:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-07-24 18:07 . 2007-07-22 06:48 -------- d-----w- c:\program files\ESET

2010-07-22 07:02 . 2009-02-09 04:06 -------- d-----w- c:\program files\Lavasoft

2010-07-22 04:54 . 2010-06-12 19:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-13 00:19 . 2006-02-14 19:36 -------- d-----w- c:\program files\Google

2010-07-12 08:55 . 2009-02-09 04:08 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-07-12 08:55 . 2009-02-09 04:16 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-06-26 07:25 . 2010-06-21 06:57 -------- d-----w- c:\program files\Opera

2010-06-20 00:52 . 2006-02-14 18:49 -------- d-----w- c:\program files\Java

2010-06-20 00:47 . 2006-07-07 23:38 -------- d-----w- c:\program files\Encore

2010-06-20 00:46 . 2006-02-14 19:02 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-20 00:41 . 2006-02-14 19:13 -------- d-----w- c:\program files\WildTangent

2010-06-20 00:38 . 2006-04-18 04:34 -------- d-----w- c:\program files\GameHouse

2010-06-20 00:37 . 2010-01-23 23:40 -------- d-----w- c:\program files\QuickTime

2010-06-20 00:35 . 2006-02-14 19:10 -------- d-----w- c:\program files\Common Files\Real

2010-06-20 00:02 . 2008-08-05 04:25 -------- d-----w- c:\program files\7-Zip

2010-06-19 23:54 . 2006-04-18 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2010-06-19 22:27 . 2010-06-19 22:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-19 22:27 . 2006-02-14 19:39 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-06-19 04:20 . 2010-06-19 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt

2010-06-12 19:07 . 2010-06-12 19:07 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes

2010-06-12 19:07 . 2010-06-12 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-11 06:19 . 2008-04-07 23:51 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Apple Computer

2010-05-28 15:38 . 2010-05-28 15:38 503808 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-18e84440-n\msvcp71.dll

2010-05-28 15:38 . 2010-05-28 15:38 348160 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-18e84440-n\msvcr71.dll

2010-05-28 15:38 . 2010-05-28 15:38 499712 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-18e84440-n\jmc.dll

2010-05-14 18:38 . 2010-05-14 18:37 11780792 ----a-w- c:\documents and settings\All Users\Tempmozy-update-aae5499c7263a63d49c6c545d4b0cc48.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

2010-05-13 23:39 2224440 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

2010-05-13 23:39 2224440 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-02 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"DMAScheduler"="c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 90112]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-07-12 864112]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-2-14 27136]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/8/2009 9:08 PM 64288]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11/16/2009 9:03 AM 108792]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [7/24/2010 6:15 PM 95024]

R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 9:04 AM 735960]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 1:55 AM 1352832]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/12/2010 5:21 PM 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-07-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 08:55]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-13 00:19]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-13 00:19]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-569565744-1746429389-1434109839-1011Core.job

- c:\documents and settings\family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-21 05:01]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-569565744-1746429389-1434109839-1011UA.job

- c:\documents and settings\family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-21 05:01]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

HKCU-Run-Google Update - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

HKLM-Run-PCDrProfiler - (no file)

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-31 16:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-07-31 16:33:51

ComboFix-quarantined-files.txt 2010-07-31 23:33

Pre-Run: 163,792,564,224 bytes free

Post-Run: 163,899,437,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 73429F24E035BF2CB5F6F0153F8BDE62

Link to post
Share on other sites
Kenny94

Kenny94

Posted
Posted

You have or had what has been identified as a flash drive infection.

Please download Flash_Disinfector from HERE

  • First, download it to your desktop.
  • Now double click it to run it and will tell it you what to do when you open it.
  • It will temporarily kill explorer.exe and your desktop will go blank.
  • Let Flash_Disinfector do it's job and it will restart explorer.exe for you.
  • It will make a dummy autorun.inf in the root of every drive.
  • You can now delete Flash_Disinfector.exe.

=============================

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

[*]Now click on: EOLS3.gif

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on: EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Next

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

In your next reply, please include these log(s):

EsetOnlineScanner\log.txt

checkup.txt

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

Link to post
Share on other sites
sdstuck

sdstuck

Posted
  • Author
Posted

The ESET online scanner found 3 threats, in old backup email folders. I've left them alone for now, but the files can be deleted.

I've pasted the ESET log and the Securitycheck log below.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=e57730bf3c037846b0a749b51cb76b58

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-08-01 04:01:26

# local_time=2010-07-31 09:01:26 (-0800, Pacific Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8201 39157157 100 100 0 21316336 0 0

# scanned=257325

# found=3

# cleaned=0

# scan_time=13984

# nod_component=V3 Build:0x30000000

J:\pb\Outlook Express\Jayne inbox.bak multiple threats 00000000000000000000000000000000 I

J:\pb\Outlook Express\Jayne inbox.dbx multiple threats 00000000000000000000000000000000 I

J:\pb\Outlook Express\Peter inbox.dbx Win32/Magistr.29188 worm 00000000000000000000000000000000 I

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

ESET Smart Security

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Adobe Flash Player

Adobe Reader 9.3.3

````````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Link to post
Share on other sites
Kenny94

Kenny94

Posted
Posted

Your Computer is Clean

CLEAN-1.jpg

Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
    CF_Uninstall-1.jpg
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything assoicated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips

6567E80CC55576485246E130E48A9FA8.png

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.