
multiple IP malicious blocks/new browser windows open



I was recently infected with malware. I have installed the paid version of Malwarebytes and I am running Avast AV protection. After running Malwarebytes I am now getting almost continual notices that a potentially malicious site has been blocked. I also have sporadic new browser windows opening. Hopefully someone can assist. My DDS text log is as follows:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Gina at 15:58:34.76 on Wed 08/04/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.147 [GMT -5:00]

AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

AV: avast! Antivirus *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\ImapiRox.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft Location Finder\LocationFinder.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Gina\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"

mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"

mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

uPolicies-explorer: NoResolveTrack = 1 (0x1)

uPolicies-explorer: NoThumbnailCache = 1 (0x1)

uPolicies-explorer: link = 00000000

mPolicies-explorer: NoResolveTrack = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - c:\amicus\amicus attorney 2008 sfe\research\GetTags.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231883852670

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-4 165456]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-4 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-4 40384]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-7-8 304464]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-4 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-4 40384]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-7-8 20952]

S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2010-8-4 312912]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-18 136176]

=============== Created Last 30 ================

2010-08-04 20:56:01 0 ----a-w- c:\documents and settings\gina\defogger_reenable

2010-08-04 20:06:39 312912 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2010-08-04 20:05:58 38848 ----a-w- c:\windows\avastSS.scr

2010-08-04 13:55:18 0 d-----w- c:\windows\pss

2010-08-04 13:28:30 0 d--h--w- c:\windows\PIF

2010-08-03 20:50:36 281104 ----a-w- c:\windows\system32\wpcap.dll

2010-08-03 20:50:36 100880 ----a-w- c:\windows\system32\Packet.dll

2010-08-03 20:50:36 0 ----a-w- c:\windows\system32\drivers\npf.sys

2010-07-21 14:57:32 53970344 ----a-w- C:\Avast Setup.exe

2010-07-08 21:07:46 0 d-----w- c:\docume~1\gina\applic~1\Malwarebytes

2010-07-08 20:32:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-08 20:32:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-08 20:32:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-08 20:32:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-08-03 20:47:53 39544 ----a-w- c:\docume~1\gina\applic~1\wklnhst.dat

============= FINISH: 16:00:11.82 ===============

My Malwarebytes log is as follows:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4389

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/4/2010 2:18:11 PM

mbam-log-2010-08-04 (14-18-11).txt

Scan type: Quick scan

Objects scanned: 142908

Time elapsed: 7 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Thanks in advance.

Attachments: ark.zip, Attach.zip


Thanks for the assistance. Attached is the report you requested.

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2150400 bytes

0x804D7000 RAW 2150400 bytes

0x804D7000 WMIxWDM 2150400 bytes

0xBF800000 Win32k 1851392 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xF8238000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xF7CD3000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xF8026000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xF7EA6000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xF5845000 C:\WINDOWS\System32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)

0xF7C5B000 C:\WINDOWS\System32\Drivers\aswSnx.SYS 331776 bytes (ALWIL Software, avast! Virtualization Driver)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xF5914000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xF7F91000 C:\WINDOWS\System32\Drivers\cdudf_xp.SYS 233472 bytes (Roxio, CD-UDF NT Filesystem Driver)

0xF7F4C000 C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS 208896 bytes (Roxio, CD-UDF NT Filesystem Reader Driver)

0xF80AC000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xF837C000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xF820B000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xF7D43000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xF7D90000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xF7CAC000 C:\WINDOWS\System32\Drivers\aswSP.SYS 159744 bytes (ALWIL Software, avast! self protection module)

0xF8326000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xF814E000 C:\WINDOWS\System32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel® PRO/100 Adapter NDIS 5.1 driver)

0xF7E58000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xF6CCD000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)

0xF8174000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xF8117000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xF7D6E000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0x806E4000 ACPI_HAL 134400 bytes

0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF82EE000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF834C000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xF81F1000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xF830E000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xF5DAA000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 94208 bytes (ALWIL Software, avast! File System Filter Driver for Windows XP)

0xF82C5000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xF80ED000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xF813A000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)

0xF7FEA000 C:\WINDOWS\System32\drivers\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xF7EFF000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xF8104000 C:\WINDOWS\System32\Drivers\pwd_2K.SYS 77824 bytes (Roxio, Win2000 Framework for Packet Write Driver)

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xF82DC000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xF836B000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xF80DC000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xF854B000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xF852B000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)

0xF855B000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xF85BB000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xF853B000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 57344 bytes (Roxio, CDR4_2k CDR Helper)

0xF86BB000 C:\WINDOWS\System32\Drivers\BrSerIf.sys 53248 bytes (Brother Industries Ltd., Brotehr Serial I/F Driver (WDM))

0xF84EB000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xF851B000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xF856B000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF84CB000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xF858B000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xF865B000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xF84BB000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xF857B000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xF85FB000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 40960 bytes (ALWIL Software, avast! TDI Filter Driver)

0xF84AB000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xF85CB000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xF85AB000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xF84DB000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xF850B000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)

0xF5179000 C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)

0xF859B000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xF861B000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xF4FD9000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xF860B000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xF879B000 C:\WINDOWS\system32\drivers\Afc.sys 32768 bytes (Arcsoft, Inc., Arcsoft® ASPI Shell)

0xF8863000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xF888B000 C:\WINDOWS\System32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)

0xF872B000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF886B000 C:\WINDOWS\System32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)

0xF883B000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 24576 bytes (ALWIL Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)

0xF87BB000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 24576 bytes (Roxio, CDRAL for Windows 2000 Kernel Driver)

0xF8783000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xF878B000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xF8773000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)

0xF8843000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xF887B000 C:\WINDOWS\System32\Drivers\aswRdr.SYS 20480 bytes (ALWIL Software, avast! TDI RDR Driver)

0xF8853000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF8733000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF87EB000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF87FB000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF87DB000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF87D3000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xF8098000 C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys 16384 bytes (Brother Industries Ltd., Brother USB Scanner Driver)

0xF601D000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)

0xF8983000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xF5E81000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xF8016000 C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS 16384 bytes (Dell Computer Corporation, OMCI Device Driver)

0xF8947000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)

0xF5ED5000 C:\WINDOWS\System32\Drivers\aswFsBlk.SYS 12288 bytes (ALWIL Software, avast! File System Access Blocking Driver)

0xF88BB000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xF7E9E000 C:\WINDOWS\System32\Drivers\BrUsbSer.sys 12288 bytes (Brother Industries Ltd., Brother USB Serial Driver)

0xF7E82000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xBFF50000 C:\WINDOWS\System32\framebuf.dll 12288 bytes (Microsoft Corporation, Framebuffer Display Driver)

0xF895F000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xF80A4000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xF89C7000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF89AF000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)

0xF89C3000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xF89AB000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF89CB000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xF89DD000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)

0xF89CF000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF89B9000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF89BD000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF89AD000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xF8B82000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xF8B52000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xF8BC8000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xF8A73000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

!!!!!!!!!!!Hidden driver: 0x821A1AEA ?_empty_? 1302 bytes

!!!!!!!!!!!Hidden driver: 0x822CC1D0 ?_empty_? 0 bytes

==============================================

>Stealth

==============================================

0xF830E000 WARNING: suspicious driver modification [atapi.sys::0x821A1AEA]

==============================================

>Files

==============================================

==============================================

>Hooks

==============================================

ntkrnlpa.exe+0x0002D620, Type: Inline - RelativeJump 0x80504620-->805045D7 [ntkrnlpa.exe]

ntkrnlpa.exe+0x0002D640, Type: Inline - RelativeJump 0x80504640-->80504614 [ntkrnlpa.exe]

ntkrnlpa.exe+0x0002D730, Type: Inline - RelativeJump 0x80504730-->8050477B [ntkrnlpa.exe]

ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]

ntkrnlpa.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x805D1134-->F7CC1BA0 [aswSP.SYS]

ntkrnlpa.exe-->ObInsertObject, Type: Inline - RelativeJump 0x805C2F86-->F7CBEF6C [aswSP.SYS]

ntkrnlpa.exe-->ObMakeTemporaryObject, Type: Inline - RelativeJump 0x805BC502-->F7CBD5B4 [aswSP.SYS]

[1248]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]

[1248]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]

[1248]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]

[1248]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]

[1248]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[1248]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]

[1248]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E42974E-->00000000 [unknown_code_page]

[1476]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]

[1476]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]

[1476]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]

[1476]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]

[1476]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]

[1476]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]

[1476]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]

[1476]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[1476]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]

[1476]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]

[1476]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]

[4080]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]

[4080]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->00000000 [aclayers.dll]

[4080]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->00000000 [aclayers.dll]

[4080]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->00000000 [aclayers.dll]

[4080]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]

[4080]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->00000000 [aclayers.dll]

[4080]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->00000000 [aclayers.dll]

[4080]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->00000000 [aclayers.dll]

[4080]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->00000000 [shimeng.dll]

[4080]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->00000000 [aclayers.dll]

[4080]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->00000000 [aclayers.dll]

[4080]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->00000000 [aclayers.dll]

[4080]iexplore.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]

[4080]iexplore.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]

[4080]iexplore.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]

[4080]iexplore.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]

[4080]iexplore.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[4080]iexplore.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]

[4080]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]

[4080]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->00000000 [aclayers.dll]

[4080]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->00000000 [aclayers.dll]

[4080]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->00000000 [aclayers.dll]

[4080]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->00000000 [aclayers.dll]

[4080]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E42D0A3-->00000000 [ieframe.dll]

[4080]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456D7D-->00000000 [ieframe.dll]

[4080]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432072-->00000000 [ieframe.dll]

[4080]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->00000000 [ieframe.dll]

[4080]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E4247AB-->00000000 [ieframe.dll]

[4080]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]

[4080]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->00000000 [aclayers.dll]

[4080]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->00000000 [aclayers.dll]

[4080]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->00000000 [aclayers.dll]

[4080]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E45085C-->00000000 [ieframe.dll]

[4080]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E450838-->00000000 [ieframe.dll]

[4080]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A082-->00000000 [ieframe.dll]

[4080]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4664D5-->00000000 [ieframe.dll]

[780]services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x01001094-->00000000 [unknown_code_page]

[780]services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x01001114-->00000000 [unknown_code_page]

[852]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]

[852]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->00000000 [aclayers.dll]

[852]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->00000000 [aclayers.dll]

[852]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->00000000 [aclayers.dll]

[852]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]

[852]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->00000000 [aclayers.dll]

[852]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->00000000 [aclayers.dll]

[852]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->00000000 [aclayers.dll]

[852]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->00000000 [shimeng.dll]

[852]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->00000000 [aclayers.dll]

[852]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->00000000 [aclayers.dll]

[852]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->00000000 [aclayers.dll]

[852]iexplore.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]

[852]iexplore.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]

[852]iexplore.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]

[852]iexplore.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]

[852]iexplore.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[852]iexplore.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]

[852]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]

[852]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->00000000 [aclayers.dll]

[852]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->00000000 [aclayers.dll]

[852]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->00000000 [aclayers.dll]

[852]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->00000000 [aclayers.dll]

[852]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump 0x7E42B3C6-->00000000 [ieframe.dll]

[852]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E42D0A3-->00000000 [ieframe.dll]

[852]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456D7D-->00000000 [ieframe.dll]

[852]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432072-->00000000 [ieframe.dll]

[852]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->00000000 [ieframe.dll]

[852]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E4247AB-->00000000 [ieframe.dll]

[852]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]

[852]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->00000000 [aclayers.dll]

[852]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->00000000 [aclayers.dll]

[852]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->00000000 [aclayers.dll]

[852]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E45085C-->00000000 [ieframe.dll]

[852]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E450838-->00000000 [ieframe.dll]

[852]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A082-->00000000 [ieframe.dll]

[852]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4664D5-->00000000 [ieframe.dll]

[852]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->00000000 [ieframe.dll]

[852]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->00000000 [ieframe.dll]


ikedad,

You have a very new infection. I need to gather some more data to analyze from you:

1. Start Rootkit Unhooker

2. Wait for the main window to show up. Click on the Tools menu.

3. Click on Dump Memory Region.

4. In the Dump Start At text box, please enter "821A1AEA", without the quotes.

5. In the Dump Length Is text box, please enter "00000516", without the quotes.

6. Click on the Dump button.

7. A dialog will appear, asking you where to save the dump to. Please save it on your Desktop, as Dump.txt

8. Please attach the "Dump.txt" text file on your desktop in your next post.

Please download MBRCheck.exe to your desktop. (It is very important to save the file to your desktop)

  • Click Start > Run or press the Windows Key + R. Copy & paste the following command into the run box and press OK
    "%userprofile%\Desktop\MBRCheck.exe" -s 0 -d mbrdump.dat
  • A small window should open on your desktop
  • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop as well as a file called dump.dat. Please post the contents of the txt file and attach the dat file.

Please include the following in your next post:

  • MBRCheck log
  • Attach the dump.txt file from Rootkit Unhooker
  • Attach the mbrdump.dat file from MBRCheck


Attached find the dump.txt file. I am getting an error message "Upload failed. You are not permitted to upload this type of file" when I try to upload the mbrdump.dat file. I have copied and pasted the MBR log. Let me know what else you need or how to attach the .dat file.

MBRCheck, version 1.2.3

© 2010, AD

Command-line: -s 0 -d mbrdump.dat

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0004000c

Kernel Drivers (total 111):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E4000 \WINDOWS\system32\hal.dll

0xF89AB000 \WINDOWS\system32\KDCOM.DLL

0xF88BB000 \WINDOWS\system32\BOOTVID.dll

0xF837C000 ACPI.sys

0xF89AD000 \WINDOWS\System32\DRIVERS\WMILIB.SYS

0xF836B000 pci.sys

0xF84AB000 isapnp.sys

0xF8A73000 pciide.sys

0xF872B000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS

0xF84BB000 MountMgr.sys

0xF834C000 ftdisk.sys

0xF89AF000 dmload.sys

0xF8326000 dmio.sys

0xF8733000 PartMgr.sys

0xF84CB000 VolSnap.sys

0xF830E000 atapi.sys

0xF84DB000 disk.sys

0xF84EB000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS

0xF82EE000 fltmgr.sys

0xF82DC000 sr.sys

0xF82C5000 KSecDD.sys

0xF8238000 Ntfs.sys

0xF820B000 NDIS.sys

0xF81F1000 Mup.sys

0xF850B000 \SystemRoot\System32\DRIVERS\intelppm.sys

0xF877B000 \SystemRoot\System32\DRIVERS\usbuhci.sys

0xF8174000 \SystemRoot\System32\DRIVERS\USBPORT.SYS

0xF814E000 \SystemRoot\System32\DRIVERS\e100b325.sys

0xF851B000 \SystemRoot\System32\DRIVERS\i8042prt.sys

0xF878B000 \SystemRoot\System32\DRIVERS\kbdclass.sys

0xF8793000 \SystemRoot\System32\DRIVERS\mouclass.sys

0xF813A000 \SystemRoot\System32\DRIVERS\parport.sys

0xF852B000 \SystemRoot\System32\DRIVERS\serial.sys

0xF8947000 \SystemRoot\System32\DRIVERS\serenum.sys

0xF87A3000 \SystemRoot\system32\drivers\Afc.sys

0xF853B000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS

0xF854B000 \SystemRoot\System32\DRIVERS\cdrom.sys

0xF855B000 \SystemRoot\System32\DRIVERS\redbook.sys

0xF8117000 \SystemRoot\System32\DRIVERS\ks.sys

0xF87C3000 \SystemRoot\System32\Drivers\Cdralw2k.SYS

0xF8104000 \SystemRoot\System32\Drivers\pwd_2K.SYS

0xF8B2C000 \SystemRoot\System32\DRIVERS\audstub.sys

0xF856B000 \SystemRoot\System32\DRIVERS\rasl2tp.sys

0xF895F000 \SystemRoot\System32\DRIVERS\ndistapi.sys

0xF80ED000 \SystemRoot\System32\DRIVERS\ndiswan.sys

0xF857B000 \SystemRoot\System32\DRIVERS\raspppoe.sys

0xF858B000 \SystemRoot\System32\DRIVERS\raspptp.sys

0xF87E3000 \SystemRoot\System32\DRIVERS\TDI.SYS

0xF80DC000 \SystemRoot\System32\DRIVERS\psched.sys

0xF859B000 \SystemRoot\System32\DRIVERS\msgpc.sys

0xF87F3000 \SystemRoot\System32\DRIVERS\ptilink.sys

0xF8803000 \SystemRoot\System32\DRIVERS\raspti.sys

0xF80AC000 \SystemRoot\System32\DRIVERS\rdpdr.sys

0xF85AB000 \SystemRoot\System32\DRIVERS\termdd.sys

0xF89C1000 \SystemRoot\System32\DRIVERS\swenum.sys

0xF8026000 \SystemRoot\System32\DRIVERS\update.sys

0xF8983000 \SystemRoot\System32\DRIVERS\mssmbios.sys

0xF85BB000 \SystemRoot\System32\DRIVERS\usbhub.sys

0xF89C5000 \SystemRoot\System32\DRIVERS\USBD.SYS

0xF85CB000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF89CB000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF8B72000 \SystemRoot\System32\Drivers\Null.SYS

0xF89CF000 \SystemRoot\System32\Drivers\Beep.SYS

0xF884B000 \SystemRoot\System32\drivers\vga.sys

0xF7FEA000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0xF89D3000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xF89D7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xF7F91000 \SystemRoot\System32\Drivers\cdudf_xp.SYS

0xF885B000 \SystemRoot\System32\Drivers\Msfs.SYS

0xF886B000 \SystemRoot\System32\Drivers\Npfs.SYS

0xF7F4C000 \SystemRoot\System32\Drivers\UdfReadr_xp.SYS

0xF80A4000 \SystemRoot\System32\DRIVERS\rasacd.sys

0xF7EFF000 \SystemRoot\System32\DRIVERS\ipsec.sys

0xF7EA6000 \SystemRoot\System32\DRIVERS\tcpip.sys

0xF85FB000 \SystemRoot\System32\Drivers\aswTdi.SYS

0xF7E58000 \SystemRoot\System32\DRIVERS\ipnat.sys

0xF860B000 \SystemRoot\System32\DRIVERS\wanarp.sys

0xF7D90000 \SystemRoot\System32\DRIVERS\netbt.sys

0xF7D6E000 \SystemRoot\System32\drivers\afd.sys

0xF861B000 \SystemRoot\System32\DRIVERS\netbios.sys

0xF7D43000 \SystemRoot\System32\DRIVERS\rdbss.sys

0xF889B000 \SystemRoot\System32\DRIVERS\usbccgp.sys

0xF800E000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS

0xF7CD3000 \SystemRoot\System32\DRIVERS\mrxsmb.sys

0xF865B000 \SystemRoot\System32\Drivers\Fips.SYS

0xF7CAC000 \SystemRoot\System32\Drivers\aswSP.SYS

0xF88AB000 \SystemRoot\System32\DRIVERS\usbprint.sys

0xF8002000 \SystemRoot\system32\DRIVERS\BrScnUsb.sys

0xF81B4000 \SystemRoot\System32\Drivers\BrUsbSer.sys

0xF866B000 \SystemRoot\System32\Drivers\BrSerIf.sys

0xF7C5B000 \SystemRoot\System32\Drivers\aswSnx.SYS

0xF87B3000 \SystemRoot\System32\Drivers\Aavmker4.SYS

0xF86AB000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xF800A000 \SystemRoot\System32\drivers\Dxapi.sys

0xF8893000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xF8ADE000 \SystemRoot\System32\drivers\dxgthk.sys

0xBFF50000 \SystemRoot\System32\framebuf.dll

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0xF8006000 \??\C:\WINDOWS\system32\drivers\mbam.sys

0xF81B8000 \SystemRoot\System32\Drivers\aswFsBlk.SYS

0xF6CFD000 \SystemRoot\System32\DRIVERS\ndisuio.sys

0xF6BE6000 \SystemRoot\System32\Drivers\aswMon2.SYS

0xF89CD000 \SystemRoot\System32\Drivers\ParVdm.SYS

0xF694D000 \SystemRoot\System32\Drivers\HTTP.sys

0xF687E000 \SystemRoot\System32\DRIVERS\srv.sys

0xF7A52000 \SystemRoot\System32\Drivers\aswRdr.SYS

0xF600E000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 38):

0 System Idle Process

4 System

652 C:\WINDOWS\system32\smss.exe

712 csrss.exe

736 C:\WINDOWS\system32\winlogon.exe

784 C:\WINDOWS\system32\services.exe

796 C:\WINDOWS\system32\lsass.exe

988 C:\WINDOWS\system32\svchost.exe

1080 svchost.exe

1248 C:\WINDOWS\system32\svchost.exe

1320 svchost.exe

1460 svchost.exe

1548 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

1836 C:\WINDOWS\system32\spoolsv.exe

2012 alg.exe

248 C:\WINDOWS\system32\ImapiRox.exe

308 C:\Program Files\Java\jre6\bin\jqs.exe

444 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

516 C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

640 C:\WINDOWS\system32\svchost.exe

2352 C:\WINDOWS\explorer.exe

2780 C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe

2788 C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

2800 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

2836 C:\Program Files\Java\jre6\bin\jusched.exe

2864 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

2892 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

2988 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

3004 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe

3012 C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe

3020 C:\Program Files\Messenger\msmsgs.exe

3028 C:\Program Files\Microsoft Location Finder\LocationFinder.exe

3036 C:\WINDOWS\system32\ctfmon.exe

3072 C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe

532 C:\Program Files\Internet Explorer\iexplore.exe

2732 C:\Program Files\Internet Explorer\iexplore.exe

3000 C:\Program Files\Java\jre6\bin\jucheck.exe

2928 C:\Documents and Settings\Gina\Desktop\MBRCheck.exe

Dumping \\.\PhysicalDrive0 to mbrdump.dat...

Dumped successfully!

Done!

Attachments: MBRCheck_08.06.10_10.06.14.txt, dump.txt


Here's the MBRcheck log:

MBRCheck, version 1.2.3

© 2010, AD

Command-line: -c

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0004000c

Kernel Drivers (total 111):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E4000 \WINDOWS\system32\hal.dll

0xF89AB000 \WINDOWS\system32\KDCOM.DLL

0xF88BB000 \WINDOWS\system32\BOOTVID.dll

0xF837C000 ACPI.sys

0xF89AD000 \WINDOWS\System32\DRIVERS\WMILIB.SYS

0xF836B000 pci.sys

0xF84AB000 isapnp.sys

0xF8A73000 pciide.sys

0xF872B000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS

0xF84BB000 MountMgr.sys

0xF834C000 ftdisk.sys

0xF89AF000 dmload.sys

0xF8326000 dmio.sys

0xF8733000 PartMgr.sys

0xF84CB000 VolSnap.sys

0xF830E000 atapi.sys

0xF84DB000 disk.sys

0xF84EB000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS

0xF82EE000 fltmgr.sys

0xF82DC000 sr.sys

0xF82C5000 KSecDD.sys

0xF8238000 Ntfs.sys

0xF820B000 NDIS.sys

0xF81F1000 Mup.sys

0xF850B000 \SystemRoot\System32\DRIVERS\intelppm.sys

0xF8773000 \SystemRoot\System32\DRIVERS\usbuhci.sys

0xF8174000 \SystemRoot\System32\DRIVERS\USBPORT.SYS

0xF814E000 \SystemRoot\System32\DRIVERS\e100b325.sys

0xF851B000 \SystemRoot\System32\DRIVERS\i8042prt.sys

0xF8783000 \SystemRoot\System32\DRIVERS\kbdclass.sys

0xF878B000 \SystemRoot\System32\DRIVERS\mouclass.sys

0xF813A000 \SystemRoot\System32\DRIVERS\parport.sys

0xF852B000 \SystemRoot\System32\DRIVERS\serial.sys

0xF8947000 \SystemRoot\System32\DRIVERS\serenum.sys

0xF879B000 \SystemRoot\system32\drivers\Afc.sys

0xF853B000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS

0xF854B000 \SystemRoot\System32\DRIVERS\cdrom.sys

0xF855B000 \SystemRoot\System32\DRIVERS\redbook.sys

0xF8117000 \SystemRoot\System32\DRIVERS\ks.sys

0xF87BB000 \SystemRoot\System32\Drivers\Cdralw2k.SYS

0xF8104000 \SystemRoot\System32\Drivers\pwd_2K.SYS

0xF8B64000 \SystemRoot\System32\DRIVERS\audstub.sys

0xF856B000 \SystemRoot\System32\DRIVERS\rasl2tp.sys

0xF895F000 \SystemRoot\System32\DRIVERS\ndistapi.sys

0xF80ED000 \SystemRoot\System32\DRIVERS\ndiswan.sys

0xF857B000 \SystemRoot\System32\DRIVERS\raspppoe.sys

0xF858B000 \SystemRoot\System32\DRIVERS\raspptp.sys

0xF87DB000 \SystemRoot\System32\DRIVERS\TDI.SYS

0xF80DC000 \SystemRoot\System32\DRIVERS\psched.sys

0xF859B000 \SystemRoot\System32\DRIVERS\msgpc.sys

0xF87EB000 \SystemRoot\System32\DRIVERS\ptilink.sys

0xF87FB000 \SystemRoot\System32\DRIVERS\raspti.sys

0xF80AC000 \SystemRoot\System32\DRIVERS\rdpdr.sys

0xF85AB000 \SystemRoot\System32\DRIVERS\termdd.sys

0xF89B9000 \SystemRoot\System32\DRIVERS\swenum.sys

0xF8026000 \SystemRoot\System32\DRIVERS\update.sys

0xF8983000 \SystemRoot\System32\DRIVERS\mssmbios.sys

0xF85BB000 \SystemRoot\System32\DRIVERS\usbhub.sys

0xF89BD000 \SystemRoot\System32\DRIVERS\USBD.SYS

0xF85CB000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF89C3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF8BAA000 \SystemRoot\System32\Drivers\Null.SYS

0xF89C7000 \SystemRoot\System32\Drivers\Beep.SYS

0xF8843000 \SystemRoot\System32\drivers\vga.sys

0xF7FEA000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0xF89CB000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xF89CF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xF7F91000 \SystemRoot\System32\Drivers\cdudf_xp.SYS

0xF8853000 \SystemRoot\System32\Drivers\Msfs.SYS

0xF8863000 \SystemRoot\System32\Drivers\Npfs.SYS

0xF7F4C000 \SystemRoot\System32\Drivers\UdfReadr_xp.SYS

0xF80A4000 \SystemRoot\System32\DRIVERS\rasacd.sys

0xF7EFF000 \SystemRoot\System32\DRIVERS\ipsec.sys

0xF7EA6000 \SystemRoot\System32\DRIVERS\tcpip.sys

0xF85FB000 \SystemRoot\System32\Drivers\aswTdi.SYS

0xF7E58000 \SystemRoot\System32\DRIVERS\ipnat.sys

0xF860B000 \SystemRoot\System32\DRIVERS\wanarp.sys

0xF7D90000 \SystemRoot\System32\DRIVERS\netbt.sys

0xF7D6E000 \SystemRoot\System32\drivers\afd.sys

0xF861B000 \SystemRoot\System32\DRIVERS\netbios.sys

0xF7D43000 \SystemRoot\System32\DRIVERS\rdbss.sys

0xF801A000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS

0xF7CD3000 \SystemRoot\System32\DRIVERS\mrxsmb.sys

0xF888B000 \SystemRoot\System32\DRIVERS\usbccgp.sys

0xF865B000 \SystemRoot\System32\Drivers\Fips.SYS

0xF7CAC000 \SystemRoot\System32\Drivers\aswSP.SYS

0xF7C5B000 \SystemRoot\System32\Drivers\aswSnx.SYS

0xF88AB000 \SystemRoot\System32\DRIVERS\usbprint.sys

0xF8002000 \SystemRoot\system32\DRIVERS\BrScnUsb.sys

0xF81B4000 \SystemRoot\System32\Drivers\BrUsbSer.sys

0xF868B000 \SystemRoot\System32\Drivers\BrSerIf.sys

0xF87A3000 \SystemRoot\System32\Drivers\Aavmker4.SYS

0xF86AB000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xF7E92000 \SystemRoot\System32\drivers\Dxapi.sys

0xF8883000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xF8B23000 \SystemRoot\System32\drivers\dxgthk.sys

0xBFF50000 \SystemRoot\System32\framebuf.dll

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0xF7C43000 \??\C:\WINDOWS\system32\drivers\mbam.sys

0xF7C3B000 \SystemRoot\System32\Drivers\aswFsBlk.SYS

0xF6CD4000 \SystemRoot\System32\DRIVERS\ndisuio.sys

0xF6C1D000 \SystemRoot\System32\Drivers\aswMon2.SYS

0xF8A5B000 \SystemRoot\System32\Drivers\ParVdm.SYS

0xF675C000 \SystemRoot\System32\Drivers\HTTP.sys

0xF6554000 \SystemRoot\System32\DRIVERS\srv.sys

0xF887B000 \SystemRoot\System32\Drivers\aswRdr.SYS

0xF7B63000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 38):

0 System Idle Process

4 System

652 C:\WINDOWS\system32\smss.exe

712 csrss.exe

736 C:\WINDOWS\system32\winlogon.exe

784 C:\WINDOWS\system32\services.exe

796 C:\WINDOWS\system32\lsass.exe

976 C:\WINDOWS\system32\svchost.exe

1080 svchost.exe

1236 C:\WINDOWS\system32\svchost.exe

1328 svchost.exe

1464 svchost.exe

1588 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

1880 C:\WINDOWS\system32\spoolsv.exe

2016 alg.exe

252 C:\WINDOWS\system32\ImapiRox.exe

316 C:\Program Files\Java\jre6\bin\jqs.exe

464 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

556 C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

1044 C:\WINDOWS\system32\svchost.exe

1244 C:\WINDOWS\explorer.exe

2636 C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe

2660 C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

2792 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

2856 C:\Program Files\Java\jre6\bin\jusched.exe

2896 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

2928 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

2992 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

3000 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe

3008 C:\Program Files\Messenger\msmsgs.exe

3024 C:\Program Files\Microsoft Location Finder\LocationFinder.exe

3036 C:\WINDOWS\system32\ctfmon.exe

3084 C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe

3188 C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe

3700 C:\Program Files\Java\jre6\bin\jucheck.exe

4044 C:\Program Files\Internet Explorer\iexplore.exe

2076 C:\Program Files\Internet Explorer\iexplore.exe

2536 C:\Documents and Settings\Gina\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: Maxtor6Y080M0, Rev: YAR51HW0

Size Device Name MBR Status

--------------------------------------------

74 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

Let me know what you need next.


ikedad,

Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot: RC1.png)

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: RC2-1.png)

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • ComboFix log


The log after combofix follows:

ComboFix 10-08-09.01 - Gina 08/09/2010 16:43:32.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.311 [GMT -5:00]

Running from: c:\documents and settings\Gina\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Gina\PNPrint3.exe

c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server

c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\wpcap.dll

.

((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))

.

2010-08-09 18:16 . 2010-08-09 18:16 -------- d-----w- c:\windows\LastGood

2010-08-06 16:59 . 2010-08-06 16:59 -------- d-----w- c:\windows\Cache

2010-08-04 20:06 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-08-04 20:06 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-08-04 20:06 . 2010-06-28 20:39 312912 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2010-08-04 20:06 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-08-04 20:06 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-08-04 20:06 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-08-04 20:06 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-08-04 20:06 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-08-04 20:05 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

2010-08-04 20:05 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-08-04 18:25 . 2010-08-04 18:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS

2010-08-04 14:20 . 2010-08-04 14:20 -------- d-----w- c:\documents and settings\Gina\Local Settings\Application Data\Threat Expert

2010-08-04 14:00 . 2010-08-04 18:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-04 13:28 . 2010-08-04 13:28 -------- d--h--w- c:\windows\PIF

2010-07-21 14:57 . 2010-07-21 15:03 53970344 ----a-w- C:\Avast Setup.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-09 21:31 . 2008-10-21 17:30 39990 ----a-w- c:\documents and settings\Gina\Application Data\wklnhst.dat

2010-08-06 16:25 . 2009-02-05 21:01 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-04 18:09 . 2010-07-08 20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-08 21:07 . 2010-07-08 21:07 -------- d-----w- c:\documents and settings\Gina\Application Data\Malwarebytes

2010-07-08 20:32 . 2010-07-08 20:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-07-08 20:32 . 2010-07-08 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-08 20:21 . 2010-07-08 20:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Netscape

2010-06-21 13:26 . 2009-04-01 20:43 -------- d-----w- c:\program files\Alwil Software

2010-06-18 17:02 . 2008-11-11 14:43 -------- d-----w- c:\program files\Google

2010-06-18 17:00 . 2010-06-18 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-05-24 13:09 . 2010-05-24 13:09 503808 ----a-w- c:\documents and settings\Gina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-323f9ff3-n\msvcp71.dll

2010-05-24 13:09 . 2010-05-24 13:09 499712 ----a-w- c:\documents and settings\Gina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-323f9ff3-n\jmc.dll

2010-05-24 13:09 . 2010-05-24 13:09 348160 ----a-w- c:\documents and settings\Gina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-323f9ff3-n\msvcr71.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]

@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"

[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]

2010-06-28 20:59 153184 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]

"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-24 618496]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-03 148888]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoThumbnailCache"= 1 (0x1)

"link"= 00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/4/2010 3:06 PM 312912]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/4/2010 3:06 PM 165456]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/4/2010 3:06 PM 17744]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/8/2010 3:32 PM 304464]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/8/2010 3:32 PM 20952]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/18/2010 12:01 PM 136176]

.

Contents of the 'Scheduled Tasks' folder

2010-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 17:01]

2010-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 17:01]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

Completion time: 2010-08-09 16:55:25

ComboFix-quarantined-files.txt 2010-08-09 21:55

Pre-Run: 68,020,142,080 bytes free

Post-Run: 68,189,687,808 bytes free

- - End Of File - - 7482BDE159F66D3619EED98427859E25


ikedad,

Click Start > Run or press Windows Key + R. Copy/paste the following into the run box that opens and press OK:

c:\Qoobox\ComboFix-quarantined-files.txt

Please post the contents of the file that opens in your next reply.

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above DDS::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have Malwarebytes' Anti-Malware (MBAM) installed. Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • ComboFix quarantine log
  • ComboFix log
  • MBAM log

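As an added example (not part of the thread, and not DDS or ComboFix code), the check below scans DDS-style "Internet Settings" lines for a ProxyServer that points at the local host, the hijack indicator the CFScript above removes, and emits the matching DDS:: block in the form used above. The sample lines are constructed: the first two mirror the thread, and proxy.corp.example is a made-up benign proxy added for contrast.

```python
import re
from ipaddress import ip_address

# Constructed sample of the "Internet Settings" lines as DDS prints them.
# DDS prefixes user-hive (HKCU) entries with "u" and machine-hive (HKLM)
# entries with "m". The first two lines mirror the values in the thread;
# the third is a made-up, benign corporate proxy added for contrast.
SAMPLE_DDS_LINES = [
    "uInternet Settings,ProxyServer = http=127.0.0.1:5577",
    "uInternet Settings,ProxyOverride = <local>",
    "mInternet Settings,ProxyServer = proxy.corp.example:8080",
]

LINE_RE = re.compile(r"^(?P<hive>[um])Internet Settings,(?P<name>\w+) = (?P<value>.*)$")
# A ProxyServer value is "host:port" or "scheme=host:port;scheme=host:port".
ENDPOINT_RE = re.compile(r"(?:(?P<scheme>\w+)=)?(?P<host>[^:;=\s]+):(?P<port>\d+)")


def parse_proxy_lines(lines):
    """Return one dict (raw, hive, name, value) per Internet Settings line."""
    entries = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({"raw": raw.strip(), **m.groupdict()})
    return entries


def is_loopback_proxy(value):
    """True if any endpoint in a ProxyServer value points at this host.
    A browser proxy on 127.0.0.1/localhost, with no proxy software knowingly
    installed, is a classic hijack indicator: a local malicious process sits
    between the browser and the network and can redirect or inject pages."""
    for m in ENDPOINT_RE.finditer(value):
        host = m.group("host")
        if host.lower() == "localhost":
            return True
        try:
            if ip_address(host).is_loopback:
                return True
        except ValueError:  # a hostname, not an IP literal
            pass
    return False


def suspicious_entries(lines):
    """Loopback ProxyServer entries plus the ProxyOverride of the same hive,
    since the CFScript in the thread removes the pair together."""
    entries = parse_proxy_lines(lines)
    bad_hives = {e["hive"] for e in entries
                 if e["name"] == "ProxyServer" and is_loopback_proxy(e["value"])}
    return [e for e in entries
            if e["hive"] in bad_hives and e["name"] in ("ProxyServer", "ProxyOverride")]


def build_cfscript(lines):
    """Emit the DDS:: block in the form used in the thread, reusing each
    flagged DDS line verbatim; empty string when nothing is flagged."""
    flagged = suspicious_entries(lines)
    return ("DDS::\n" + "\n".join(e["raw"] for e in flagged) + "\n") if flagged else ""
```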

I ran the requested scans/programs. I inadvertently ran combofix again before running the scans/programs you requested. Here are the logs you requested:

quarantine log:

2010-08-09 21:48:19 . 2010-08-10 13:00:44 4,932 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2010-08-09 16:27:09 . 2010-08-10 12:53:50 255 ----a-w- C:\Qoobox\Quarantine\catchme.log

2010-08-03 20:50:36 . 2010-08-03 20:50:36 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\npf.sys.vir

2010-08-03 20:50:36 . 2010-08-03 20:50:36 281,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir

2010-08-03 20:50:36 . 2010-08-03 20:50:36 100,880 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Packet.dll.vir

2009-12-31 17:45:08 . 2009-12-31 17:45:08 49,152 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Gina\PNPrint3.exe.vir

combofix log:

ComboFix 10-08-09.03 - Gina 08/10/2010 8:14.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.176 [GMT -5:00]

Running from: c:\documents and settings\Gina\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Gina\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))

.

2010-08-09 18:16 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-08-06 16:59 . 2010-08-06 16:59 -------- d-----w- c:\windows\Cache

2010-08-04 20:06 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-08-04 20:06 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-08-04 20:06 . 2010-06-28 20:39 312912 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2010-08-04 20:06 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-08-04 20:06 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-08-04 20:06 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-08-04 20:06 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-08-04 20:06 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-08-04 20:05 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

2010-08-04 20:05 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-08-04 18:25 . 2010-08-04 18:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS

2010-08-04 14:20 . 2010-08-04 14:20 -------- d-----w- c:\documents and settings\Gina\Local Settings\Application Data\Threat Expert

2010-08-04 14:00 . 2010-08-04 18:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-04 13:28 . 2010-08-04 13:28 -------- d--h--w- c:\windows\PIF

2010-07-21 14:57 . 2010-07-21 15:03 53970344 ----a-w- C:\Avast Setup.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-09 21:31 . 2008-10-21 17:30 39990 ----a-w- c:\documents and settings\Gina\Application Data\wklnhst.dat

2010-08-06 16:25 . 2009-02-05 21:01 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-04 18:09 . 2010-07-08 20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-08 21:07 . 2010-07-08 21:07 -------- d-----w- c:\documents and settings\Gina\Application Data\Malwarebytes

2010-07-08 20:32 . 2010-07-08 20:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-07-08 20:32 . 2010-07-08 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-08 20:21 . 2010-07-08 20:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Netscape

2010-06-21 13:26 . 2009-04-01 20:43 -------- d-----w- c:\program files\Alwil Software

2010-06-18 17:02 . 2008-11-11 14:43 -------- d-----w- c:\program files\Google

2010-06-18 17:00 . 2010-06-18 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-06-14 14:31 . 2008-10-09 01:51 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

2010-05-24 13:09 . 2010-05-24 13:09 503808 ----a-w- c:\documents and settings\Gina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-323f9ff3-n\msvcp71.dll

2010-05-24 13:09 . 2010-05-24 13:09 499712 ----a-w- c:\documents and settings\Gina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-323f9ff3-n\jmc.dll

2010-05-24 13:09 . 2010-05-24 13:09 348160 ----a-w- c:\documents and settings\Gina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-323f9ff3-n\msvcr71.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-08-09_21.52.52 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-08-10 08:18 . 2010-08-10 08:18 16384 c:\windows\Temp\Perflib_Perfdata_1e8.dat

+ 2002-06-25 19:25 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll

+ 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll

+ 2009-01-14 14:26 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]

@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"

[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]

2010-06-28 20:59 153184 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]

"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-24 618496]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-03 148888]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoThumbnailCache"= 1 (0x1)

"link"= 00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/4/2010 3:06 PM 312912]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/4/2010 3:06 PM 165456]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/4/2010 3:06 PM 17744]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/8/2010 3:32 PM 304464]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/8/2010 3:32 PM 20952]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/18/2010 12:01 PM 136176]

.

Contents of the 'Scheduled Tasks' folder

2010-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 17:01]

2010-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 17:01]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-10 08:22

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2156)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2010-08-10 08:25:06

ComboFix-quarantined-files.txt 2010-08-10 13:25

ComboFix2.txt 2010-08-10 13:06

ComboFix3.txt 2010-08-09 21:55

Pre-Run: 68,098,437,120 bytes free

Post-Run: 68,083,081,216 bytes free

- - End Of File - - CB1654A26E3A8E038DEB6CEF76D8B6B0

Malwarebytes log: (Malwarebytes' message was that no infections were found)

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4412

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/10/2010 8:42:27 AM

mbam-log-2010-08-10 (08-42-27).txt

Scan type: Quick scan

Objects scanned: 136671

Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


ikedad,

How is it running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java 6 Update 13 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java icon (looks like a coffee cup).

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files

  • Click OK on the Delete Temporary Files window

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Please include the following in your next post:

  • Kaspersky log
  • How is the computer running?


Computer seems to be running well. I am not receiving notices of IPs being blocked, nor are new browser windows opening. THANKS A LOT for your help. The log you requested is attached:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Wednesday, August 11, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, August 10, 2010 08:52:02

Records in database: 4131149

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

S:\

Scan statistics:

Objects scanned: 133286

Threats found: 4

Infected objects found: 4

Suspicious objects found: 0

Scan duration: 07:46:35

File name / Threat / Threats count

C:\Documents and Settings\Gina\Application Data\Sun\Java\Deployment\cache\6.0\62\18d55bbe-3833bdd7 Infected: Trojan-Downloader.Java.Agent.ft 1

C:\Documents and Settings\Gina\Application Data\Sun\Java\Deployment\cache\6.0\62\18d55bbe-3833bdd7 Infected: Trojan-Downloader.Java.Agent.fu 1

C:\Documents and Settings\Gina\Application Data\Sun\Java\Deployment\cache\6.0\62\18d55bbe-3833bdd7 Infected: Trojan-Downloader.Java.Agent.fv 1

C:\Qoobox\32788R22FWJFW\ipsec.sys Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.

Let me know what you need next.

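As an added example (not from the thread, and not Kaspersky's or ComboFix's code), the Python triage below parses the report's "File name / Threat / Threats count" lines, groups threats by file and classes each file by where it sits, which is the reasoning behind the earlier note that many of the finds have likely been quarantined. The four detection lines are taken from the report above; the fifth line, with its file name and threat name, is constructed to show a file outside any quarantine or cache folder.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the four detection lines from the report above plus one
# made-up line (example-constructed.dll / Trojan.Win32.Constructed.a) for a
# file that sits outside any quarantine or cache folder.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Gina\Application Data\Sun\Java\Deployment\cache\6.0\62\18d55bbe-3833bdd7 Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Documents and Settings\Gina\Application Data\Sun\Java\Deployment\cache\6.0\62\18d55bbe-3833bdd7 Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Documents and Settings\Gina\Application Data\Sun\Java\Deployment\cache\6.0\62\18d55bbe-3833bdd7 Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Qoobox\32788R22FWJFW\ipsec.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\WINDOWS\system32\example-constructed.dll Infected: Trojan.Win32.Constructed.a 1
Selected area has been scanned.
"""

# "<path> Infected: <threat> <count>"; the path may contain spaces, so match lazily.
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")


def parse_report(text):
    """Return (path, threat) pairs from the report's detection lines."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("threat")))
    return hits


def classify_location(path):
    """Where the detected file sits decides whether it is still a live threat."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if "qoobox" in parts:
        # ComboFix's own folder: the copy is already quarantined and goes away
        # with 'Combofix /Uninstall'.
        return "combofix-quarantine"
    if "deployment" in parts and "cache" in parts:
        # Java deployment cache: a downloaded applet, not a running program;
        # deleting the file or clearing the Java cache removes it.
        return "java-cache"
    # Anything else is on the live system and needs removal plus a closer look.
    return "live"


def triage(text):
    """Group threats by file and attach the location class of each file."""
    result = {}
    for path, threat in parse_report(text):
        entry = result.setdefault(path, {"location": classify_location(path), "threats": []})
        entry["threats"].append(threat)
    return result


def needs_action(text):
    """Files that still require a hands-on step, live ones first."""
    order = {"live": 0, "java-cache": 1}
    t = triage(text)
    return sorted((p for p, e in t.items() if e["location"] in order),
                  key=lambda p: (order[t[p]["location"]], p))
```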

ikedad,

This will take care of those Kaspersky detections, then I have some very important cleanup for you to take care of:

Go to Start > Run and copy/paste the contents of the codebox below into the Run box and click OK:

cmd /c del /a/f/q "C:\Documents and Settings\Gina\Application Data\Sun\Java\Deployment\cache\6.0\62\18d55bbe-3833bdd7"

A DOS window will open and close again, this is normal.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

[screenshot: Combofix_uninstall_image.jpg]

Delete the following tools along with any other logs you saved from our work:

  • DDS
  • GMER
  • Rootkit Unhooker
  • MBRCheck

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please visit our General Computer Security Forum and review this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!


You're welcome. TFC was just for housekeeping purposes - if it's not working just delete it. Here is another you can try:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to start the program.

Click Run.

Under the Main menu choose: Select All

Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.
