BSOD after Removing Threats with Malwarebytes


This is a well documented threat:

http://www.microsoft.com/security/portal/T...Win32%2FDursg.C

https://www.mysonicwall.com/sonicalert/sear...icle&id=252

http://www.threatexpert.com/report.aspx?md...f1ab521b8c1a5c8

I believe MBAM targets this.

Run a fully updated MBAM scan.

Then delete the current copy of Combofix if it is still on your desktop and download a fresh copy, perform a Combofix scan and post back the Combofix and MBAM logs.

I ran Mbam first.

Mbam Log:

--------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4999

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/30/2010 12:57:18 PM

mbam-log-2010-10-30 (12-57-18).txt

Scan type: Full scan (C:\|)

Objects scanned: 370606

Time elapsed: 1 hour(s), 0 minute(s), 46 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 4

Files Infected: 3

Memory Processes Infected:

C:\Documents and Settings\User\Application Data\SystemProc\lsass.exe (Trojan.LVBP) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.LVBP) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\User\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D} (Worm.Prolaco.M) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\User\Application Data\SystemProc\lsass.exe (Trojan.LVBP) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Combofix said that it detected rootkit activity and needed to reboot, then completed the scan after rebooting.

Combofix Log:

---------------

ComboFix 10-10-30.01 - User 10/30/2010 14:19:56.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2438 [GMT -7:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-30 )))))))))))))))))))))))))))))))

.

2010-10-30 20:10 . 2010-10-30 20:10 -------- d-----w- c:\program files\Common Files\Java

2010-10-30 20:10 . 2010-10-30 20:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-10-30 20:10 . 2010-10-30 20:10 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-10-30 20:10 . 2010-10-30 20:10 -------- d-----w- c:\program files\Java

2010-10-30 16:41 . 2010-10-30 16:41 -------- d-----w- c:\program files\Common Files\Creative Labs Shared

2010-10-30 16:41 . 2010-10-30 18:01 -------- d-----w- c:\program files\Creative

2010-10-29 06:19 . 2003-06-13 06:25 7062 ----a-w- c:\windows\system32\audiopid.vxd

2010-10-29 06:06 . 2010-10-29 06:06 -------- d-sh--w- c:\documents and settings\LocalService\UserData

2010-10-29 06:06 . 2010-10-29 06:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Zynga

2010-10-29 06:06 . 2010-10-29 06:06 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache

2010-10-27 04:56 . 2010-10-27 04:56 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Conduit

2010-10-27 04:56 . 2010-10-27 04:56 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Zynga

2010-10-25 15:52 . 2010-10-25 15:52 -------- d-----w- c:\program files\Defraggler

2010-10-25 14:49 . 2009-10-20 16:20 265728 -c----w- c:\windows\system32\dllcache\http.sys

2010-10-25 07:59 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-10-25 07:59 . 2010-09-10 05:58 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-10-25 07:59 . 2010-09-10 05:58 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-10-25 07:59 . 2010-09-10 05:58 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-10-25 07:59 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-10-25 07:59 . 2010-09-10 05:58 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-10-25 07:59 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-10-25 07:58 . 2010-03-30 19:24 317440 -c----w- c:\windows\system32\dllcache\mp4sdecd.dll

2010-10-25 07:55 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-10-25 07:55 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll

2010-10-25 07:55 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll

2010-10-25 07:55 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll

2010-10-25 07:53 . 2010-04-28 02:25 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-10-25 07:53 . 2010-04-27 13:05 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-10-25 07:53 . 2010-04-27 13:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-10-25 07:53 . 2010-04-27 13:05 2066816 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2010-10-25 07:53 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-10-25 07:44 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll

2010-10-25 06:33 . 2001-08-23 12:00 4677 -c--a-w- c:\windows\system32\dllcache\zeeverm.dll

2010-10-25 06:33 . 2001-08-23 12:00 41029 -c--a-w- c:\windows\system32\dllcache\zcorem.dll

2010-10-25 06:33 . 2001-08-23 12:00 36937 -c--a-w- c:\windows\system32\dllcache\zclientm.exe

2010-10-25 06:33 . 2001-08-23 12:00 29760 -c--a-w- c:\windows\system32\dllcache\znetm.dll

2010-10-25 06:33 . 2001-08-23 12:00 13894 -c--a-w- c:\windows\system32\dllcache\zonelibm.dll

2010-10-25 06:33 . 2001-08-23 12:00 113222 -c--a-w- c:\windows\system32\dllcache\zoneclim.dll

2010-10-25 06:31 . 2008-04-14 13:41 85504 -c--a-w- c:\windows\system32\dllcache\metada51.dll

2010-10-25 06:30 . 2008-04-14 13:42 42496 -c--a-w- c:\windows\system32\dllcache\davcdata.exe

2010-10-25 06:29 . 2008-04-14 13:42 30720 -c--a-w- c:\windows\system32\dllcache\iisrstas.exe

2010-10-25 06:28 . 2001-08-23 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe

2010-10-25 06:28 . 2001-08-23 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe

2010-10-25 06:17 . 2001-08-23 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2010-10-25 06:17 . 2001-08-23 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll

2010-10-25 06:17 . 2001-08-23 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2010-10-25 06:17 . 2001-08-23 12:00 13312 ----a-w- c:\windows\system32\irclass.dll

2010-10-25 06:16 . 2008-04-14 15:34 16535 ----a-r- c:\windows\SETAF.tmp

2010-10-25 06:16 . 2008-04-14 15:34 1088840 ----a-r- c:\windows\SETA3.tmp

2010-10-25 06:16 . 2008-04-14 15:40 1296669 ----a-r- c:\windows\SETA0.tmp

2010-10-25 05:36 . 2010-10-25 07:24 -------- dc-h--w- c:\windows\ie8

2010-10-24 17:02 . 2010-10-30 21:18 -------- d-----w- c:\windows\system32\CatRoot2

2010-10-24 02:32 . 2010-10-24 02:32 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\PCHealth

2010-10-24 02:13 . 2010-10-24 02:13 -------- d-sh--w- c:\documents and settings\User\History

2010-10-24 02:04 . 2010-10-24 02:04 -------- d-----w- c:\windows\system32\winrm

2010-10-24 01:24 . 2008-04-14 13:42 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-10-21 06:52 . 2010-10-21 06:52 -------- d-----w- C:\regbackup

2010-10-21 06:47 . 2010-10-21 06:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-21 06:44 . 2010-10-21 06:44 -------- d-sh--w- c:\documents and settings\NetworkService\History

2010-10-21 03:38 . 2010-10-21 03:38 1614848 ----a-w- c:\windows\system32\sfcfiles.dll

2010-10-21 03:38 . 2009-10-05 01:30 210304 ----a-w- c:\windows\system32\drivers\m5288.sys

2010-10-21 03:38 . 2010-10-21 03:38 990208 ----a-w- c:\windows\system32\syssetup.dll

2010-10-20 05:44 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-20 05:44 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-20 05:18 . 2010-10-21 06:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-10-20 04:32 . 2010-10-20 04:32 -------- d-----w- c:\documents and settings\User\DoctorWeb

2010-10-20 04:09 . 2010-10-21 06:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-10-19 15:57 . 2010-10-19 15:57 2 --shatr- c:\windows\winstart.bat

2010-10-19 08:40 . 2010-07-09 20:18 20328 ----a-w- c:\windows\system32\drivers\cpuz134_x32.sys

2010-10-19 08:40 . 2010-10-19 08:40 -------- d-----w- c:\program files\CPUID

2010-10-19 07:19 . 2010-10-19 07:19 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-10-19 07:19 . 2010-10-19 07:19 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2010-10-17 11:42 . 2010-10-17 11:42 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Temp

2010-10-07 06:42 . 2010-10-07 06:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-10-07 06:37 . 2010-10-07 06:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-10-07 06:37 . 2010-10-19 07:11 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Google

2010-10-07 06:34 . 2010-10-19 07:11 -------- d-----w- c:\program files\Google

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-30 16:41 . 2009-10-05 06:54 445016 ----a-w- c:\windows\system32\wrap_oal.dll

2010-10-30 16:41 . 2009-10-05 06:54 109144 ----a-w- c:\windows\system32\OpenAL32.dll

2010-09-19 04:11 . 2010-05-16 05:11 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-09-19 04:11 . 2010-05-16 05:11 215128 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-09-19 04:11 . 2010-05-16 05:11 215128 ----a-w- c:\windows\system32\PnkBstrB.xtr

2010-09-18 19:23 . 2007-04-03 16:44 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-04-14 13:41 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-04-14 13:41 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-10 05:58 . 2008-04-14 13:42 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2008-04-14 13:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-10 05:58 . 2008-04-14 13:41 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-01 11:51 . 2008-04-14 13:39 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2008-04-14 09:00 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2008-04-14 13:42 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2008-04-14 13:42 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2008-04-14 08:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-10-05 07:50 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2008-04-14 13:41 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2008-04-14 13:42 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2008-04-14 13:42 590848 ----a-w- c:\windows\system32\rpcrt4.dll

.

------- Sigcheck -------

[-] 2010-10-21 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-02-26 1682368]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-31 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-09-17 153608]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-05 102400]

"CTxfiHlp"="CTXFIHLP.EXE" [2010-07-08 24576]

"VolPanel"="c:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-6 813584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsNetHood"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-07-20 19:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gupdate"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

"1037:TCP"= 1037:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [10/20/2010 8:38 PM 210304]

R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [10/19/2010 1:40 AM 20328]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [10/6/2009 9:20 AM 10384]

R3 ct20xflt;ct20xflt;c:\windows\system32\drivers\ct20xflt.sys [7/7/2010 10:15 PM 1811288]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 1:21 AM 198232]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 1:21 AM 1353304]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 1:21 AM 73816]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/19/2010 1:23 AM 102448]

R3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [7/7/2010 10:15 PM 1227352]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [10/30/2010 9:41 AM 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 1:21 AM 198232]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 1:21 AM 1353304]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 1:21 AM 73816]

S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]

S3 S3G700;S3G700;c:\windows\system32\DRIVERS\S3G700m.sys --> c:\windows\system32\DRIVERS\S3G700m.sys [?]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 6:42 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/6/2010 11:37 PM 136176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab

.

.

------- File Associations -------

.

.scr=AutoCADScriptFile

.txt=

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\Zynga\tbZyng.dll

BHO-{7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\Zynga\tbZyng.dll

Toolbar-Locked - (no file)

Toolbar-{7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\Zynga\tbZyng.dll

WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - c:\program files\Zynga\tbZyng.dll

HKU-Default-RunOnce-tscuninstall - c:\windows\system32\tscupgrd.exe

MSConfigStartUp-CTFMON - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-10-30 14:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1052)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

.

Completion time: 2010-10-30 14:27:32

ComboFix-quarantined-files.txt 2010-10-30 21:27

Pre-Run: 23,500,775,424 bytes free

Post-Run: 23,470,440,448 bytes free

- - End Of File - - 9C1949DAC08874B910070A76E693A01F

Here is a new TDSSKiller Log:

It said some files were suspicious, but didn't confirm that they were infected so I ignored them.

---------------------------------------------------------------------------------------------------------------

2010/10/30 14:08:21.0062 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49

2010/10/30 14:08:21.0062 ================================================================================

2010/10/30 14:08:21.0062 SystemInfo:

2010/10/30 14:08:21.0062

2010/10/30 14:08:21.0062 OS Version: 5.1.2600 ServicePack: 3.0

2010/10/30 14:08:21.0062 Product type: Workstation

2010/10/30 14:08:21.0062 ComputerName: GBOX

2010/10/30 14:08:21.0062 UserName: User

2010/10/30 14:08:21.0062 Windows directory: C:\WINDOWS

2010/10/30 14:08:21.0062 System windows directory: C:\WINDOWS

2010/10/30 14:08:21.0062 Processor architecture: Intel x86

2010/10/30 14:08:21.0062 Number of processors: 1

2010/10/30 14:08:21.0062 Page size: 0x1000

2010/10/30 14:08:21.0062 Boot type: Normal boot

2010/10/30 14:08:21.0062 ================================================================================

2010/10/30 14:08:21.0234 Initialize success

2010/10/30 14:08:22.0250 ================================================================================

2010/10/30 14:08:22.0250 Scan started

2010/10/30 14:08:22.0250 Mode: Manual;

2010/10/30 14:08:22.0250 ================================================================================

2010/10/30 14:08:23.0234 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/10/30 14:08:24.0984 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/10/30 14:08:25.0187 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/10/30 14:08:25.0390 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/10/30 14:08:25.0625 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2010/10/30 14:08:25.0781 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys

2010/10/30 14:08:25.0890 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys

2010/10/30 14:08:26.0046 AnyDVD (4632cb35daef8dd01d25aa5aed4b3102) C:\WINDOWS\system32\Drivers\AnyDVD.sys

2010/10/30 14:08:26.0125 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/10/30 14:08:26.0328 AsIO (2b4e66fac6503494a2c6f32bb6ab3826) C:\WINDOWS\system32\drivers\AsIO.sys

2010/10/30 14:08:26.0406 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/10/30 14:08:26.0609 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/10/30 14:08:27.0015 ati2mtag (eb0531822aabcf843a0940d4ca8a90a9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2010/10/30 14:08:27.0421 AtiHdmiService (b9bc23b57765c167806a1feb7a3d16a6) C:\WINDOWS\system32\drivers\AtiHdmi.sys

2010/10/30 14:08:27.0468 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/10/30 14:08:27.0609 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/10/30 14:08:27.0750 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/10/30 14:08:27.0984 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/10/30 14:08:28.0171 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/10/30 14:08:28.0312 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/10/30 14:08:28.0453 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/10/30 14:08:28.0640 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2010/10/30 14:08:28.0828 cpuz134 (75fa19142531cbf490770c2988a7db64) C:\WINDOWS\system32\drivers\cpuz134_x32.sys

2010/10/30 14:08:29.0031 ct20xflt (3c8f74423c50e39972d92f8dd04efa89) C:\WINDOWS\system32\drivers\ct20xflt.sys

2010/10/30 14:08:29.0171 CT20XUT (444117d74af76d4bc0b5fd3398fc0cf8) C:\WINDOWS\system32\drivers\CT20XUT.SYS

2010/10/30 14:08:29.0218 CT20XUT.SYS (444117d74af76d4bc0b5fd3398fc0cf8) C:\WINDOWS\System32\drivers\CT20XUT.SYS

2010/10/30 14:08:29.0265 ctac32k (3854ae2d02880ed877e9b4dfda15e0e1) C:\WINDOWS\system32\drivers\ctac32k.sys

2010/10/30 14:08:29.0359 ctaud2k (c365234b800a70afa95ded3c6bfeeaef) C:\WINDOWS\system32\drivers\ctaud2k.sys

2010/10/30 14:08:29.0468 CTEXFIFX (7cc5e7224125a29ec0ca45fb437c953e) C:\WINDOWS\system32\drivers\CTEXFIFX.SYS

2010/10/30 14:08:29.0593 CTEXFIFX.SYS (7cc5e7224125a29ec0ca45fb437c953e) C:\WINDOWS\System32\drivers\CTEXFIFX.SYS

2010/10/30 14:08:29.0671 CTHWIUT (2941bdb22acc6a1be9d6128a1afeae2d) C:\WINDOWS\system32\drivers\CTHWIUT.SYS

2010/10/30 14:08:29.0687 CTHWIUT.SYS (2941bdb22acc6a1be9d6128a1afeae2d) C:\WINDOWS\System32\drivers\CTHWIUT.SYS

2010/10/30 14:08:29.0718 ctprxy2k (ffa0e7da970749e0bf92822e82f94a1c) C:\WINDOWS\system32\drivers\ctprxy2k.sys

2010/10/30 14:08:29.0765 ctsfm2k (3487c97492dcfa3b1aa474f3d1024b94) C:\WINDOWS\system32\drivers\ctsfm2k.sys

2010/10/30 14:08:29.0796 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys

2010/10/30 14:08:29.0890 CVPNDRVA (1c2999966f0f36aa44eaecbee70cf770) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys

2010/10/30 14:08:29.0906 CVPNDRVA - detected Unsigned file (1)

2010/10/30 14:08:29.0984 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/10/30 14:08:30.0140 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/10/30 14:08:30.0328 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys

2010/10/30 14:08:30.0468 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/10/30 14:08:30.0625 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/10/30 14:08:30.0781 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\WINDOWS\system32\DRIVERS\dne2000.sys

2010/10/30 14:08:30.0828 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/10/30 14:08:31.0000 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

2010/10/30 14:08:31.0046 ElbyCDIO (aaa8999a169e39fb8b48ae49cd6ac30a) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys

2010/10/30 14:08:31.0093 emupia (dd5bbc069d01082d0273e03053c34c38) C:\WINDOWS\system32\drivers\emupia2k.sys

2010/10/30 14:08:31.0156 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

2010/10/30 14:08:31.0437 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/10/30 14:08:31.0781 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/10/30 14:08:31.0921 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/10/30 14:08:32.0078 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/10/30 14:08:32.0218 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2010/10/30 14:08:32.0359 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/10/30 14:08:32.0500 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/10/30 14:08:32.0609 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys

2010/10/30 14:08:32.0734 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/10/30 14:08:32.0937 ha20x22k (e9eed44cf043a23a1a74544c5fe9e927) C:\WINDOWS\system32\drivers\ha20x22k.sys

2010/10/30 14:08:33.0062 ha20x2k (b10ca02f917ddff5abc6c9408c691fc6) C:\WINDOWS\system32\drivers\ha20x2k.sys

2010/10/30 14:08:33.0156 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/10/30 14:08:33.0234 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys

2010/10/30 14:08:33.0390 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/10/30 14:08:33.0546 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/10/30 14:08:33.0656 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/10/30 14:08:33.0812 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/10/30 14:08:34.0062 IntcAzAudAddService (a30685283f90ae02f1cd50972c6065e3) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2010/10/30 14:08:34.0406 IntcAzAudAddService - detected Unsigned file (1)

2010/10/30 14:08:34.0500 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2010/10/30 14:08:34.0625 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/10/30 14:08:34.0765 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/10/30 14:08:34.0875 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/10/30 14:08:35.0000 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/10/30 14:08:35.0125 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/10/30 14:08:35.0203 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/10/30 14:08:35.0328 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/10/30 14:08:35.0484 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/10/30 14:08:35.0640 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/10/30 14:08:35.0765 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/10/30 14:08:35.0843 LBeepKE (9ffd1cf2a782f2560e78eec4b8b8689e) C:\WINDOWS\system32\Drivers\LBeepKE.sys

2010/10/30 14:08:35.0937 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys

2010/10/30 14:08:35.0984 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys

2010/10/30 14:08:36.0062 m5288 (485ed377977dc9661626aaab614504cf) C:\WINDOWS\system32\DRIVERS\m5288.sys

2010/10/30 14:08:36.0140 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys

2010/10/30 14:08:36.0171 mcdbus - detected Unsigned file (1)

2010/10/30 14:08:36.0218 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/10/30 14:08:36.0421 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/10/30 14:08:36.0546 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/10/30 14:08:36.0687 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/10/30 14:08:36.0812 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/10/30 14:08:36.0937 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/10/30 14:08:37.0093 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/10/30 14:08:37.0140 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/10/30 14:08:37.0265 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/10/30 14:08:37.0375 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/10/30 14:08:37.0500 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/10/30 14:08:37.0609 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/10/30 14:08:37.0750 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys

2010/10/30 14:08:37.0875 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys

2010/10/30 14:08:37.0906 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/10/30 14:08:38.0109 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101029.003\naveng.sys

2010/10/30 14:08:38.0171 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101029.003\navex15.sys

2010/10/30 14:08:38.0312 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/10/30 14:08:38.0453 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/10/30 14:08:38.0578 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/10/30 14:08:38.0687 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/10/30 14:08:38.0812 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/10/30 14:08:38.0968 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/10/30 14:08:39.0109 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/10/30 14:08:39.0234 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/10/30 14:08:39.0359 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/10/30 14:08:39.0500 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/10/30 14:08:39.0671 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/10/30 14:08:39.0781 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/10/30 14:08:39.0890 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/10/30 14:08:40.0000 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/10/30 14:08:40.0125 ossrv (54c4bcfd5336ea6ceafcb0d4b6978408) C:\WINDOWS\system32\drivers\ctoss2k.sys

2010/10/30 14:08:40.0187 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/10/30 14:08:40.0328 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/10/30 14:08:40.0421 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/10/30 14:08:40.0562 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/10/30 14:08:40.0703 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/10/30 14:08:40.0984 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/10/30 14:08:41.0109 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/10/30 14:08:41.0218 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/10/30 14:08:41.0328 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/10/30 14:08:41.0625 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/10/30 14:08:41.0796 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/10/30 14:08:41.0937 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/10/30 14:08:42.0062 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/10/30 14:08:42.0171 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/10/30 14:08:42.0281 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/10/30 14:08:42.0390 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/10/30 14:08:42.0531 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/10/30 14:08:42.0671 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/10/30 14:08:42.0859 rt2870 (4311d22a38f7e403475aa2c338768c11) C:\WINDOWS\system32\DRIVERS\rt2870.sys

2010/10/30 14:08:43.0031 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys

2010/10/30 14:08:43.0078 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys

2010/10/30 14:08:43.0125 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/10/30 14:08:43.0187 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/10/30 14:08:43.0328 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/10/30 14:08:43.0453 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2010/10/30 14:08:43.0593 Si3132 (0b9b5c6df6226497ef4819b6e1b2efd5) C:\WINDOWS\system32\DRIVERS\SI3132.sys

2010/10/30 14:08:43.0625 SiFilter (ad29a80543c63e5b3588d118fb327e22) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys

2010/10/30 14:08:43.0671 SiRemFil (b19efe5e45ae31f3c3e4c4f0f9da3c49) C:\WINDOWS\system32\DRIVERS\SiRemFil.sys

2010/10/30 14:08:43.0843 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

2010/10/30 14:08:43.0890 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/10/30 14:08:44.0000 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/10/30 14:08:44.0078 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/10/30 14:08:44.0171 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/10/30 14:08:44.0312 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/10/30 14:08:44.0640 SymEvent (de6d1102d55926354171ae4e73936725) C:\Program Files\Symantec\SYMEVENT.SYS

2010/10/30 14:08:44.0687 SYMREDRV (6c0a85982f4e0d672b85a2bfb50a24b5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

2010/10/30 14:08:44.0734 SYMTDI (cdda3ba3f7d5b63ff9f85cb478c11473) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

2010/10/30 14:08:44.0796 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/10/30 14:08:44.0937 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/10/30 14:08:45.0000 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/10/30 14:08:45.0109 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/10/30 14:08:45.0250 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/10/30 14:08:45.0390 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/10/30 14:08:45.0531 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/10/30 14:08:45.0671 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2010/10/30 14:08:45.0796 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/10/30 14:08:45.0906 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/10/30 14:08:46.0000 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/10/30 14:08:46.0109 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/10/30 14:08:46.0234 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/10/30 14:08:46.0343 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/10/30 14:08:46.0437 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/10/30 14:08:46.0578 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/10/30 14:08:46.0781 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys

2010/10/30 14:08:46.0859 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/10/30 14:08:46.0968 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys

2010/10/30 14:08:47.0031 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2010/10/30 14:08:47.0109 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/10/30 14:08:47.0265 WmBEnum (84a90f13eebf4380345ef9474d30f10e) C:\WINDOWS\system32\drivers\WmBEnum.sys

2010/10/30 14:08:47.0328 WmFilter (eb0034ac02a44dc784a3174d2b81e764) C:\WINDOWS\system32\drivers\WmFilter.sys

2010/10/30 14:08:47.0375 WmVirHid (72c4f5a748c74d8d4016ccfa7367210f) C:\WINDOWS\system32\drivers\WmVirHid.sys

2010/10/30 14:08:47.0390 WmXlCore (eacdcced934a185e61ce0684f71c2dec) C:\WINDOWS\system32\drivers\WmXlCore.sys

2010/10/30 14:08:47.0437 WpdUsb (c60dc16d4e406810fad54b98dc92d5ec) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2010/10/30 14:08:47.0437 WpdUsb - detected Unsigned file (1)

2010/10/30 14:08:47.0500 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/10/30 14:08:47.0546 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/10/30 14:08:47.0609 yukonwxp (91ef29d374ca305737401a6505efa9ed) C:\WINDOWS\system32\DRIVERS\yk51x86.sys

2010/10/30 14:08:47.0796 ================================================================================

2010/10/30 14:08:47.0796 Scan finished

2010/10/30 14:08:47.0796 ================================================================================

2010/10/30 14:08:47.0906 Detected object count: 4

2010/10/30 14:10:02.0359 Unsigned file(CVPNDRVA) - User select action: Skip

2010/10/30 14:10:02.0359 Unsigned file(IntcAzAudAddService) - User select action: Skip

2010/10/30 14:10:02.0359 Unsigned file(mcdbus) - User select action: Skip

2010/10/30 14:10:02.0359 Unsigned file(WpdUsb) - User select action: Skip

2010/10/30 14:10:07.0234 Deinitialize success


It looks like MBAM clobbered that infection!

I don't see that Combofix removed any files in that last run which it should have if a rootkit was present.

Can you please copy/paste this file into your next reply:

C:\Qoobox\ComboFix-quarantined-files.txt

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "Quick" scan is finished (a minute or so), save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

I would also like you to run another ESET online scan. Be sure to update the definitions before scanning and, when the scan is done, post back the log located here:

C:\Program Files\EsetOnlineScanner\log.txt

Re-enable your active protection.

Post back:

1. C:\Qoobox\ComboFix-quarantined-files.txt

2. ARK.txt

3. C:\Program Files\EsetOnlineScanner\log.txt


Here is C:\Qoobox\ComboFix-quarantined-files.txt:

-----------------------------------------------------------

2010-10-30 21:26:55 . 2010-10-30 21:26:55 256 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-CTFMON.reg.dat

2010-10-30 21:26:49 . 2010-10-30 21:26:49 167 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKU-Default-RunOnce-tscuninstall.reg.dat

2010-10-30 21:26:47 . 2010-10-30 21:26:47 423 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822}.reg.dat

2010-10-30 21:26:46 . 2010-10-30 21:26:46 458 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{7b13ec3e-999a-4b70-b9cb-2617b8323822}.reg.dat

2010-10-30 21:26:46 . 2010-10-30 21:26:46 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat

2010-10-30 21:26:46 . 2010-10-30 21:26:46 434 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{7b13ec3e-999a-4b70-b9cb-2617b8323822}.reg.dat

2010-10-30 21:26:45 . 2010-10-30 21:26:45 370 ----a-w- C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-{7b13ec3e-999a-4b70-b9cb-2617b8323822}.reg.dat

2010-10-30 21:24:35 . 2010-10-30 21:24:35 10,161 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2010-10-30 21:15:11 . 2010-10-30 21:18:30 102 ----a-w- C:\Qoobox\Quarantine\catchme.log


ARK.txt

---------

GMER 1.0.15.15477 - http://www.gmer.net

Rootkit quick scan 2010-10-30 15:30:01

Windows 5.1.2600 Service Pack 3

Running: 1nwidplm.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\fxtdqpod.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR

Disk \Device\Harddisk0\DR0 sector 02: copy of MBR

Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 06: copy of MBR

Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 19: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 20: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 21: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 22: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 23: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 24: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 25: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 26: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 27: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 28: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 30: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 31: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 35: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 36: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 38: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 39: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 40: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 41: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 42: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 43: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 44: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 45: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 46: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 47: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 48: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 49: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 50: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 51: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 52: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 54: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 55: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 56: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 58: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 59: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sectors 145225728 (+255): rootkit-like behavior;

---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS

---- EOF - GMER 1.0.15 ----


At least part of that is from Symantec.

Download mbr.exe to your desktop.

Open a command prompt (click Start -> Run, type cmd, and hit Enter)

Copy / Paste the following command at the command prompt, and hit Enter

"%userprofile%\desktop\mbr.exe" -t > "%userprofile%\desktop\mbr.log"

Open the log it created by double-clicking mbr.log on your desktop, and copy and paste the contents of mbr.log into your next reply.



I removed Symantec and installed MSE prior to the ESET problem.


Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ULiSATA_ rev.___ -> \Device\Scsi\Si31321Port3Path0Target1Lun0

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS m5288.sys

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8AC6E968]

3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000083[0x8AC4F920]

5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Scsi\m52881Port2Path0Target0Lun0[0x8AC4FA38]

kernel: MBR read successfully

BIOS signateure not found


These are all Symantec drivers:

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS

It's no wonder the removal tool is necessary! :)


It's great that those scans are clean, but I'm still concerned about your MBR code so I want you to do the following so it can be analyzed for TDL3 / TDL4 infection:

Download a fresh copy of mbr.exe and save it to your C:\ (your root directory)

Open a command prompt (click Start -> Run, type cmd, and hit Enter)

Copy / Paste the following command at the command prompt, and hit Enter

mbr.exe -s

This will create C:\mbr.log - please post C:\mbr.log in your next reply

Now I want you to make a copy of your MBR by executing (copy/pasting) the following command at the Command Prompt:

mbr.exe -c 0 1 MBR_copy.bin

Hit Enter

Please verify that the file MBR_copy.bin with a size of 512 bytes exists in your C: directory

Please zip that file up.

Then Upload your MBR copy for analysis as follows:

Go to the upload page here

http://www.bleepingcomputer.com/submit-mal....php?channel=75

Click Browse to "Browse to the file you want to submit"

Find this file:

C:\MBR_copy.zip

Select the file, then click Open

Click Send File

If you had trouble zipping it, then simply upload:

MBR_copy.bin

Also, please copy and paste the contents of C:\mbr.log into your next reply.


File Uploaded.

Here's the MBR.log

I had to run mbr.exe -s again before pasting it here, because when I ran mbr.exe -c 0 1 MBR_copy.bin, it changed the contents of the log.

----------------------

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ULiSATA_ rev.___ -> \Device\Scsi\Si31321Port3Path0Target1Lun0

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

_asm { ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; }

BIOS signateure not found

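A structural sanity check for the 512-byte MBR_copy.bin that the `mbr.exe -c 0 1` step produces, added here as an example (it is not part of the thread and not mbr.exe's own code): it verifies the size and the 55 AA boot signature that mbr.exe reports as the "BIOS signature", flags an all-zero boot-code region (a run of 00 00 bytes decodes in 16-bit mode to exactly the `ADD [BX+SI], AL` instructions shown in the `_asm { ... }` line above), parses the partition table, and diffs two reads of the sector the way the user-mode and kernel-mode reads in mbr.log can be compared. All images and helper names below (`build_sample_mbr`, `HEALTHY_MBR`, `ZERO_MBR`) are constructed for the demonstration.

```python
"""Structural checks for a 512-byte MBR image.

Added example for the mbr.exe steps in the thread; it is not part of the thread
or of mbr.exe. All sample images below are constructed for demonstration.
"""
import struct

MBR_SIZE = 512
CODE_LEN = 440           # boot-code region that precedes the disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries live here
PART_ENTRY_LEN = 16
SIG_OFF = 510
BOOT_SIG = b"\x55\xAA"   # the "BIOS signature" mbr.exe looks for


def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries (little-endian LBA fields)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        parts.append({"index": i, "status": status, "active": status == 0x80,
                      "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr: bytes) -> dict:
    """Report structural problems; an empty findings list means the image looks sane."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"size is {len(mbr)} bytes, expected {MBR_SIZE}")
        return {"ok": False, "findings": findings, "partitions": []}

    if mbr[SIG_OFF:SIG_OFF + 2] != BOOT_SIG:
        findings.append("boot signature 55 AA missing at offset 510")

    # A zero-filled code region is what mbr.exe prints as a run of
    # "ADD [BX+SI], AL": opcode bytes 00 00 decode to that instruction.
    if not any(mbr[:CODE_LEN]):
        findings.append("boot-code region is all zeros")

    parts = parse_partitions(mbr)
    used = [p for p in parts if p["type"] != 0]
    if sum(p["active"] for p in parts) > 1:
        findings.append("more than one partition flagged active")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte {p['status']:#04x}")
        if p["sectors"] == 0:
            findings.append(f"partition {p['index']}: zero-length partition")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("partition ranges overlap")
            break
    return {"ok": not findings, "findings": findings, "partitions": parts}


def diff_offsets(read_a: bytes, read_b: bytes) -> list:
    """Offsets at which two reads of the same sector disagree.

    mbr.log reports a user-mode and a kernel-mode read of the MBR; a driver that
    filters disk I/O shows up as a mismatch between two such reads.
    """
    n = max(len(read_a), len(read_b))
    return [i for i in range(n)
            if i >= len(read_a) or i >= len(read_b) or read_a[i] != read_b[i]]


def build_sample_mbr(code: bytes, entries, with_sig: bool = True) -> bytes:
    """Construct a demonstration image (constructed data, not a real disk)."""
    img = bytearray(MBR_SIZE)
    img[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", img, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, ptype, lba, count)
    if with_sig:
        img[SIG_OFF:SIG_OFF + 2] = BOOT_SIG
    return bytes(img)


# Constructed sample: a two-byte "jmp $" stub padded with NOPs and one active
# NTFS-type (0x07) partition starting at LBA 2048.
HEALTHY_MBR = build_sample_mbr(b"\xEB\xFE" + b"\x90" * 438,
                               [(0x80, 0x07, 2048, 1_000_000)])
# Constructed sample: an all-zero read, the case behind "BIOS signature not found".
ZERO_MBR = bytes(MBR_SIZE)


if __name__ == "__main__":
    for name, img in (("healthy", HEALTHY_MBR), ("zero", ZERO_MBR)):
        rep = check_mbr(img)
        print(name, "OK" if rep["ok"] else "; ".join(rep["findings"]))
    tampered = bytearray(HEALTHY_MBR)
    tampered[0] ^= 0xFF
    print("tampered offsets:", diff_offsets(HEALTHY_MBR, bytes(tampered)))
```

To check a real dump, read MBR_copy.bin with `open(path, "rb").read()` and pass it to `check_mbr`; a signature or partition-table problem is a reason to hand the file to an analyst, not proof of infection on its own.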

Thank you for the goodies and I'll get back to you with some analysis information, but I also request the output from two other mbr commands.

Yes, you noticed this: the mbr.log is overwritten each time mbr.exe is run.

First, it is IMPORTANT to download a fresh copy of mbr.exe and save it to your C:\ (your root directory):

Open a command prompt (click Start -> Run, type cmd, and hit Enter)

Copy / Paste the following command at the command prompt, and hit Enter

C:\mbr.exe -u

Copy / Paste the following command at the command prompt, and hit Enter

C:\mbr.exe -tDFR

The last command will create another C:\mbr.log - please post that C:\mbr.log in your next reply.

Then run this command and post the new mbr.log:

C:\mbr.exe -k

Please post C:\mbr.log in your next reply.

Please check to see if you have a file called C:\dump.dat

If not, then copy/paste the following command at the command line, and hit Enter:

%userprofile%\desktop\mbrcheck.exe -s 0 -d dump.dat

This assumes You still have MBRCheck.exe on your desktop.

If you don't, then download MBRCheck to your desktop again, and then issue that command.

Then Upload C:\dump.dat for analysis as follows:

First, Zip up the file

Go to the upload page here:

http://www.bleepingcomputer.com/submit-mal....php?channel=75

Click Browse to "Browse to the file you want to submit"

Find this file:

C:\dump.zip

Select the file, then click Open

Click Send File

Thanks a lot!!


Never mind, I did the -s first to create the log, then the other commands added to it.

Here's the first:

-----------------

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ULiSATA_ rev.___ -> \Device\Scsi\Si31321Port3Path0Target1Lun0

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS m5288.sys

C:\WINDOWS\system32\drivers\m5288.sys ULi Electronics Inc. ULi SATA Controller Driver

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8AC7E030]

3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000079[0x8AC7F920]

5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Scsi\m52881Port2Path0Target0Lun0[0x8AC7FA38]

kernel: MBR read successfully

BIOS signateure not found

Filesystem trace:

called modules: ntkrnlpa.exe hal.dll fltMgr.sys MpFilter.sys SiWinAcc.sys sr.sys Ntfs.sys

C:\WINDOWS\system32\drivers\SiWinAcc.sys Silicon Image, Inc SATALink Accelerator driver

1 ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89DCC1C8]

3 fltMgr[0xB9E8BE95] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8AC69938]

5 SiWinAcc[0xBA4C44B4] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8AB02800]

7 sr[0xB9E7B870] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8AC6B020]

9 ntkrnlpa[0x80574DCB] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89DCC1C8]

11 fltMgr[0xB9E8C098] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8AC69938]

13 SiWinAcc[0xBA4C44B4] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8AB02800]

15 sr[0xB9E76453] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8AC6B020]

Registry trace:

called modules: ntkrnlpa.exe hal.dll MpFilter.sys

And the second:

-------------------

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ULiSATA_ rev.___ -> \Device\Scsi\Si31321Port3Path0Target1Lun0

\Device\Scsi\Si31321Port3Path0Target1Lun0 \??\SCSI#Disk&Ven_Config&Prod_Disk&Rev_RGL1#5&1258ba2d&0&010#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

\Device\Scsi\Si31321Port3Path0Target0Lun0 \??\SCSI#Disk&Ven_External&Prod__Disk_0&Rev_RGL1#5&1258ba2d&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

\Device\Scsi\m52881Port2Path0Target0Lun0 \??\SCSI#Disk&Ven_ULiSATA&Prod_RAID1_ULi_RAID&Rev_#4&71285c5&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

\Device\00000089 \??\USBSTOR#Disk&Ven_Sony&Prod_Card_R#W__-CF&Rev_1.40#000000151C0F&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

\Device\0000008c \??\USBSTOR#Disk&Ven_Sony&Prod_Card_R#W__-MS&Rev_1.40#000000151C0F&3#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

\Device\0000008b \??\USBSTOR#Disk&Ven_Sony&Prod_Card_R#W__-SD&Rev_1.40#000000151C0F&2#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

\Device\0000008a \??\USBSTOR#Disk&Ven_Sony&Prod_Card_R#W__-SM#xD&Rev_1.40#000000151C0F&1#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Dump.zip submitted!
