Jump to content

Still Infected after thinking I removed it all

mrosentr

By mrosentr
in Resolved Malware Removal Logs

 Share

Recommended Posts

mrosentr

mrosentr

Posted
Posted

Hi all,

I can't get rid of this malware. I have been working on it all day and just when I think I have it gone, here come the pop ups. I need help from the experts.. Ha! I have followed all the tutorials, but this one is way beyond my skill.

here are my hijack log and malwarebyte log. Any help would be appreciated!

thx!

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 7:21:16 PM, on 1/4/2011

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Fortinet\FortiClient\scheduler.exe

C:\Program Files\Fortinet\FortiClient\FCDBLog.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\Jeppesen\JWC\JWC.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Fortinet\FortiClient\FortiTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Brother\Brmfcmon\BrMfimon.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\Program Files\Windows Media Player\setup_wm.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\svchost.exe

C:\Documents and Settings\Flight Operations\Desktop\Virus Removal\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/Data...6-6D5536C585C9}

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Fortinet Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Program Files\Fortinet\FortiClient\scheduler.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Jeppesen Weather Controller Service (JWC) - Jeppesen - C:\Jeppesen\JWC\JWC.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 6870 bytes

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5457

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

1/4/2011 2:15:58 PM

mbam-log-2011-01-04 (14-15-58).txt

Scan type: Quick scan

Objects scanned: 145191

Time elapsed: 17 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

hijackthis.log

mbam_log_2011_01_04__14_15_58_.txt

Link to post
Share on other sites
negster22

negster22

Posted
Posted

Since your logs are clean we need to dig deeper:

You are running an unsupported version of Windows:

Platform: Windows XP SP2 (WinNT 5.01.2600)

After we clean you up, you should install XP SP3 - is there any reason You have decided not to install it?

Please follow the directions here and copy/paste the requested logs into your topic (Do NOT attach them!)

I'm infected - What do I do now?

Before running the ARK (Gmer) disable your Fortinet AV, and for some reason I also see an ESET Nod 32 service running in your HJT log (this should be disabled, too) - you can re-enable after the logs are produced:

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Do you have more than one antivirus installed or is this just a leftover trace from a previous install and removal. At any rate, one of your antivirus programs must be removed!

Also, please run this additional scan and post the log!

Some background information on what we're planning to do can be found HERE

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    TDSSKillerSuspicious-1.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Thanks!

Link to post
Share on other sites
mrosentr

mrosentr

Posted
  • Author
Posted
Since your logs are clean we need to dig deeper:

You are running an unsupported version of Windows:

After we clean you up, you should install XP SP3 - is there any reason You have decided not to install it?

Please follow the directions here and copy/paste the requested logs into your topic (Do NOT attach them!)

I'm infected - What do I do now?

Before running the ARK (Gmer) disable your Fortinet AV, and for some reason I also see an ESET Nod 32 service running in your HJT log (this should be disabled, too) - you can re-enable after the logs are produced:

Do you have more than one antivirus installed or is this just a leftover trace from a previous install and removal. At any rate, one of your antivirus programs must be removed!

Also, please run this additional scan and post the log!

Some background information on what we're planning to do can be found HERE

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    TDSSKillerSuspicious-1.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Thanks!

I have run through all the steps and here are my logs now. Thank you!

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 11:59 on 05/01/2011 (Flight Operations)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

DDS (Ver_10-12-12.02) - NTFSx86

Run by Flight Operations at 12:27:44.15 on Wed 01/05/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.395 [GMT -6:00]

AV: ESET NOD32 antivirus system 2.70 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\Jeppesen\JWC\JWC.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Brother\Brmfcmon\BrMfimon.exe

C:\Program Files\Eset\nod32.exe

C:\Program Files\Eset\nod32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Flight Operations\Desktop\Malware Tools\4-dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\windows\system32\imon.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 Fortigen;Fortigen;c:\windows\system32\drivers\fortigen.sys [2006-6-27 13088]

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-10-1 15424]

R2 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [2006-6-27 95776]

R2 JWC;Jeppesen Weather Controller Service;c:\jeppesen\jwc\jwc.exe -service --> c:\jeppesen\jwc\JWC.exe -service [?]

R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2007-10-1 552064]

R3 Fortidrv2;FortiNet Fortidrv Service;c:\windows\system32\drivers\fortidrv.sys [2006-6-27 21152]

R3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [2006-6-27 14368]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-10-3 2944]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2003-3-13 61952]

S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2007-10-3 11008]

S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2007-10-3 10368]

S3 DellBIOS;DellBIOS;c:\windows\DellBIOS.Sys [2007-10-1 5120]

S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2008-9-6 29824]

S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2008-9-6 41344]

S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2008-9-6 39936]

S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2008-9-6 59776]

=============== Created Last 30 ================

2011-01-04 16:27:33 -------- d-----w- c:\program files\FileASSASSIN

2011-01-04 16:26:08 -------- d-----w- c:\windows\system32\%APPDATA%

2011-01-03 23:52:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2011-01-03 21:38:27 -------- d-sh--w- C:\$RECYCLE.BIN

2010-12-30 01:27:47 139264 ----a-w- c:\windows\system32\igfxres.dll

2010-12-30 00:38:20 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe

2010-12-30 00:38:20 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe

2010-12-30 00:37:41 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll

2010-12-30 00:37:41 32768 ----a-w- c:\program files\internet explorer\connection wizard\icwdl.dll

2010-12-30 00:37:40 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe

2010-12-30 00:37:40 20480 ----a-w- c:\program files\internet explorer\connection wizard\inetwiz.exe

2010-12-30 00:37:39 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe

2010-12-30 00:37:39 86016 ----a-w- c:\program files\internet explorer\connection wizard\icwconn2.exe

2010-12-30 00:37:39 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe

2010-12-30 00:37:39 214528 ----a-w- c:\program files\internet explorer\connection wizard\icwconn1.exe

2010-12-30 00:18:04 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2010-12-30 00:18:04 24661 ----a-w- c:\windows\system32\spxcoins.dll

2010-12-30 00:18:04 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2010-12-30 00:18:04 13312 ----a-w- c:\windows\system32\irclass.dll

2010-12-30 00:17:49 10559 ----a-r- c:\windows\SET94.tmp

2010-12-30 00:17:48 22339 ----a-r- c:\windows\SET93.tmp

2010-12-30 00:17:44 13753 ----a-r- c:\windows\SET58.tmp

2010-12-30 00:17:40 1086058 ----a-r- c:\windows\SET4C.tmp

2010-12-30 00:17:38 1042903 ----a-r- c:\windows\SET49.tmp

2010-12-29 22:45:36 13753 ----a-r- c:\windows\SET51.tmp

2010-12-29 22:45:32 1086058 ----a-r- c:\windows\SET45.tmp

2010-12-29 22:45:30 1042903 ----a-r- c:\windows\SET42.tmp

2010-12-29 21:53:03 0 ----a-w- c:\windows\SET4A.tmp

2010-12-29 21:19:59 14573 ----a-r- c:\windows\SET141.tmp

2010-12-29 21:19:52 13753 ----a-r- c:\windows\SET106.tmp

2010-12-29 21:19:49 1086058 ----a-r- c:\windows\SETFA.tmp

2010-12-29 21:19:46 1042903 ----a-r- c:\windows\SETF7.tmp

2010-12-12 12:25:21 0 ----a-w- c:\windows\Lsunu.bin

2010-12-12 12:25:14 -------- d-----w- c:\docume~1\flight~1\locals~1\applic~1\{B2C5D996-1A1A-45C6-BDC0-6695F69ECA85}

==================== Find3M ====================

1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL

1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL

1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL

1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL

1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL

1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: SAMSUNG_HM060HC rev.YJ100-15 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x864CEC76]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x864d5514]; MOV EAX, [0x864d5590]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EDE14] -> \Device\Harddisk0\DR0[0x86579AB8]

3 CLASSPNP[0xF75C805B] -> ntkrnlpa!IofCallDriver[0x804EDE14] -> [0x86523A78]

\Driver\atapi[0x8657B5F8] -> IRP_MJ_CREATE -> 0x864CEC76

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskSAMSUNG_HM060HC_________________________YJ100-15#5&2c7c2be&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x864CEABF

user != kernel MBR !!!

sectors 117210238 (+255): user != kernel

Warning: possible TDL4 rootkit infection !

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 12:31:31.12 ===============

2011/01/05 14:20:31.0140 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46

2011/01/05 14:20:31.0140 ================================================================================

2011/01/05 14:20:31.0140 SystemInfo:

2011/01/05 14:20:31.0140

2011/01/05 14:20:31.0140 OS Version: 5.1.2600 ServicePack: 2.0

2011/01/05 14:20:31.0140 Product type: Workstation

2011/01/05 14:20:31.0140 ComputerName: DTOLAPTOP1

2011/01/05 14:20:31.0140 UserName: Flight Operations

2011/01/05 14:20:31.0140 Windows directory: C:\WINDOWS

2011/01/05 14:20:31.0140 System windows directory: C:\WINDOWS

2011/01/05 14:20:31.0140 Processor architecture: Intel x86

2011/01/05 14:20:31.0140 Number of processors: 1

2011/01/05 14:20:31.0140 Page size: 0x1000

2011/01/05 14:20:31.0140 Boot type: Normal boot

2011/01/05 14:20:31.0140 ================================================================================

2011/01/05 14:20:42.0078 Initialize success

2011/01/05 14:21:34.0046 ================================================================================

2011/01/05 14:21:34.0046 Scan started

2011/01/05 14:21:34.0046 Mode: Manual;

2011/01/05 14:21:34.0046 ================================================================================

2011/01/05 14:21:35.0109 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/01/05 14:21:35.0187 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/01/05 14:21:35.0281 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys

2011/01/05 14:21:35.0359 AegisP (375eb0b97e3950adef3633c27a82438b) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2011/01/05 14:21:35.0421 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys

2011/01/05 14:21:35.0656 AMON (78ece71701d5d65cc42125a4ef2d76aa) C:\WINDOWS\system32\drivers\amon.sys

2011/01/05 14:21:35.0921 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/01/05 14:21:35.0953 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/01/05 14:21:36.0031 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/01/05 14:21:36.0078 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/01/05 14:21:36.0156 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2011/01/05 14:21:36.0250 bcm4sbxp (c768c8a463d32c219ce291645a0621a4) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys

2011/01/05 14:21:36.0312 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/01/05 14:21:36.0375 brfilt (4ba311473e0d8557827e6f2fe33a8095) C:\WINDOWS\system32\Drivers\Brfilt.sys

2011/01/05 14:21:36.0453 BrSerWDM (791ef93168dcf057715493d607e37983) C:\WINDOWS\system32\Drivers\BrSerWdm.sys

2011/01/05 14:21:36.0515 BrUsbMdm (37e2d0b12ddf536cd64af6eb3b580ef8) C:\WINDOWS\system32\Drivers\BrUsbMdm.sys

2011/01/05 14:21:36.0578 BrUsbScn (1c5f014048e5b2748c1a8ad297c50b6f) C:\WINDOWS\system32\Drivers\BrUsbScn.sys

2011/01/05 14:21:36.0984 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/01/05 14:21:37.0078 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/01/05 14:21:37.0187 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/01/05 14:21:37.0265 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/01/05 14:21:37.0343 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys

2011/01/05 14:21:37.0453 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/01/05 14:21:37.0531 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/01/05 14:21:37.0703 DellBIOS (637cf50b06bc53deae846b252d56bbdc) C:\WINDOWS\DellBIOS.Sys

2011/01/05 14:21:37.0734 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/01/05 14:21:37.0984 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2011/01/05 14:21:38.0046 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys

2011/01/05 14:21:38.0078 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/01/05 14:21:38.0125 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2011/01/05 14:21:38.0218 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/01/05 14:21:38.0312 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/01/05 14:21:38.0390 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys

2011/01/05 14:21:38.0437 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2011/01/05 14:21:38.0484 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/01/05 14:21:38.0546 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/01/05 14:21:38.0640 Fortidrv2 (b1e560f7a4336d478e71edcf7d59351d) C:\WINDOWS\system32\DRIVERS\fortidrv.sys

2011/01/05 14:21:38.0671 Fortigen (8410077fdbe46ab93c1061390b87fffe) C:\WINDOWS\system32\drivers\fortigen.sys

2011/01/05 14:21:38.0734 Fortips (f80fee02d88baae0f11c2f9ee99613cc) C:\WINDOWS\system32\drivers\fortips.sys

2011/01/05 14:21:38.0812 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/01/05 14:21:38.0906 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/01/05 14:21:38.0968 ft_vnic (e024e73c607e6c62d8a65467e371e95e) C:\WINDOWS\system32\DRIVERS\ftvnic.sys

2011/01/05 14:21:39.0031 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/01/05 14:21:39.0078 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/01/05 14:21:39.0156 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/01/05 14:21:39.0218 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/01/05 14:21:39.0328 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/01/05 14:21:39.0468 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/01/05 14:21:39.0578 ialm (d705558b6a678e894c5c67430eef67a2) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2011/01/05 14:21:39.0671 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/01/05 14:21:39.0781 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/01/05 14:21:39.0937 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/01/05 14:21:40.0000 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/01/05 14:21:40.0078 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/01/05 14:21:40.0125 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/01/05 14:21:40.0187 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/01/05 14:21:40.0250 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/01/05 14:21:40.0312 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/01/05 14:21:40.0375 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/01/05 14:21:40.0437 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/01/05 14:21:40.0515 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys

2011/01/05 14:21:40.0562 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/01/05 14:21:40.0734 mf (729d83e56c29c510258a6e9e79ffddc3) C:\WINDOWS\system32\DRIVERS\mf.sys

2011/01/05 14:21:40.0906 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/01/05 14:21:40.0968 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

2011/01/05 14:21:41.0015 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/01/05 14:21:41.0093 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/01/05 14:21:41.0125 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/01/05 14:21:41.0218 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/01/05 14:21:41.0281 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/01/05 14:21:41.0359 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

2011/01/05 14:21:41.0437 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/01/05 14:21:41.0484 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/01/05 14:21:41.0531 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/01/05 14:21:41.0578 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/01/05 14:21:41.0625 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

2011/01/05 14:21:41.0671 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

2011/01/05 14:21:41.0718 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/01/05 14:21:41.0828 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/01/05 14:21:41.0906 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/01/05 14:21:41.0953 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/01/05 14:21:42.0031 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/01/05 14:21:42.0078 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/01/05 14:21:42.0187 nod32drv (0d91989c0c37fdc7f6ffbef238fe9dfb) C:\WINDOWS\system32\drivers\nod32drv.sys

2011/01/05 14:21:42.0234 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2011/01/05 14:21:42.0312 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/01/05 14:21:42.0406 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/01/05 14:21:42.0468 NWADI (039e60681bb68fd38d18684fd6b9db84) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys

2011/01/05 14:21:42.0531 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/01/05 14:21:42.0593 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/01/05 14:21:42.0656 NWUSBModem (a12b91c592b3cfaedf85f87a624cfb98) C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys

2011/01/05 14:21:42.0718 NWUSBPort (a12b91c592b3cfaedf85f87a624cfb98) C:\WINDOWS\system32\DRIVERS\nwusbser.sys

2011/01/05 14:21:42.0906 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys

2011/01/05 14:21:42.0968 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/01/05 14:21:43.0015 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/01/05 14:21:43.0078 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/01/05 14:21:43.0140 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys

2011/01/05 14:21:43.0234 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/01/05 14:21:43.0500 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/01/05 14:21:43.0531 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/01/05 14:21:43.0593 PTDUBus (ecd01774cdf331304f3ccb6f3a58ece0) C:\WINDOWS\system32\DRIVERS\PTDUBus.sys

2011/01/05 14:21:43.0656 PTDUMdm (0a78b7b548549139de7ae500f6003a21) C:\WINDOWS\system32\DRIVERS\PTDUMdm.sys

2011/01/05 14:21:43.0687 PTDUVsp (b12c6736d3f10004fcf748984431ee7f) C:\WINDOWS\system32\DRIVERS\PTDUVsp.sys

2011/01/05 14:21:43.0718 PTDUWWAN (166e6e959b8daccab77f662908958885) C:\WINDOWS\system32\DRIVERS\PTDUWWAN.sys

2011/01/05 14:21:43.0750 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/01/05 14:21:44.0000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/01/05 14:21:44.0046 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/01/05 14:21:44.0093 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/01/05 14:21:44.0125 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/01/05 14:21:44.0187 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/01/05 14:21:44.0234 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/01/05 14:21:44.0296 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/01/05 14:21:44.0421 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/01/05 14:21:44.0468 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/01/05 14:21:44.0593 s24trans (e2c6abcbefb1d44f6aaeb1cd5d6062d4) C:\WINDOWS\system32\DRIVERS\s24trans.sys

2011/01/05 14:21:44.0671 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/01/05 14:21:44.0734 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys

2011/01/05 14:21:44.0890 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/01/05 14:21:45.0046 SMNDIS5 (4ef5ea44583c37383c289d4b8c354698) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS

2011/01/05 14:21:45.0156 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys

2011/01/05 14:21:45.0234 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/01/05 14:21:45.0328 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/01/05 14:21:45.0453 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys

2011/01/05 14:21:45.0546 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys

2011/01/05 14:21:45.0593 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/01/05 14:21:45.0640 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2011/01/05 14:21:45.0890 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/01/05 14:21:45.0953 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/01/05 14:21:46.0015 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/01/05 14:21:46.0062 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/01/05 14:21:46.0093 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/01/05 14:21:46.0203 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2011/01/05 14:21:46.0328 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

2011/01/05 14:21:46.0453 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/01/05 14:21:46.0500 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/01/05 14:21:46.0562 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/01/05 14:21:46.0625 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/01/05 14:21:46.0687 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/01/05 14:21:46.0734 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/01/05 14:21:46.0796 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/01/05 14:21:46.0937 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2011/01/05 14:21:47.0046 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/01/05 14:21:47.0125 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/01/05 14:21:47.0203 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/01/05 14:21:47.0343 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2011/01/05 14:21:47.0453 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/01/05 14:21:47.0500 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/01/05 14:21:47.0609 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/01/05 14:21:47.0656 ================================================================================

2011/01/05 14:21:47.0656 Scan finished

2011/01/05 14:21:47.0656 ================================================================================

2011/01/05 14:21:47.0687 Detected object count: 1

2011/01/05 14:24:32.0968 \HardDisk0 - will be cured after reboot

2011/01/05 14:24:32.0968 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2011/01/05 14:25:02.0312 Deinitialize success

Attach.zip

Link to post
Share on other sites
negster22

negster22

Posted
Posted

Your'e Welcome!!

You had an MBR rootkit infection aka as a bootkit which looks like it's cured now. You can read about it here:

http://secure-computer-solutions.com/blog/2010/10/

Please copy/paste all logs (you zipped and attached ARK and attach)!!! Also, please do NOT quote my reply in your replies!!

NOTE: I am still seeing both Fortinet and ESET running in your DDS.txt - please remove one of them as I requested:

R1 Fortigen;Fortigen;c:\windows\system32\drivers\fortigen.sys [2006-6-27 13088]

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-10-1 15424]

R2 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [2006-6-27 95776]

R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2007-10-1 552064]

R3 Fortidrv2;FortiNet Fortidrv Service;c:\windows\system32\drivers\fortidrv.sys [2006-6-27 21152]

R3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [2006-6-27 14368]

It's entirely up to you but I have ESET and can vouch for it's effectiveness!

Please Run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to iexplore.exe

Notes:

  • It is very important that save the newly renamed EXE file to your desktop.
  • You must rename Combofixe.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    [*]For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it iexplore.exe.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers and programs.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • If Combofix asks to update, please allow it to do so. If it renames itself back to Combofix.exe - this is normal!!
  • If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform it's normal malware removal capabilities. This is for your safety !!

1. To Launch Combofix

Click Start --> Run, and enter (copy/paste) this command exactly as shown (include the quotes):

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt in your next reply.

ONLY If You have problems running Combofix then try running it in "Safe Mode with Networking" as follows:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading normally, the Advanced Options Menu should appear;
  • Select the option, to run Windows in "Safe Mode with Networking", then press Enter.
  • Choose your usual account.
  • Then launch Combofix in exact same way as described above in the Running Combofix section

Link to post
Share on other sites
mrosentr

mrosentr

Posted
  • Author
Posted

Ok, machine looks like its running better. Here is the results of the combo fix:

ComboFix 11-01-05.01 - Flight Operations 01/05/2011 17:45:20.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.709 [GMT -6:00]

Running from: c:\documents and settings\Flight Operations\desktop\randomDude.exe

Command switches used :: /killall

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Flight Operations\Local Settings\Application Data\{B2C5D996-1A1A-45C6-BDC0-6695F69ECA85}

c:\documents and settings\Flight Operations\Local Settings\Application Data\{B2C5D996-1A1A-45C6-BDC0-6695F69ECA85}\chrome.manifest

c:\documents and settings\Flight Operations\Local Settings\Application Data\{B2C5D996-1A1A-45C6-BDC0-6695F69ECA85}\chrome\content\_cfg.js

c:\documents and settings\Flight Operations\Local Settings\Application Data\{B2C5D996-1A1A-45C6-BDC0-6695F69ECA85}\chrome\content\overlay.xul

c:\documents and settings\Flight Operations\Local Settings\Application Data\{B2C5D996-1A1A-45C6-BDC0-6695F69ECA85}\install.rdf

c:\windows\system32\zip32.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_IAS

-------\Service_6to4

((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))

.

2011-01-05 23:22 . 2011-01-05 23:22 -------- d-----w- c:\program files\CONEXANT

2011-01-05 22:54 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2011-01-05 22:54 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2011-01-05 22:53 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll

2011-01-05 22:53 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2011-01-05 22:53 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2011-01-05 22:52 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2011-01-05 22:50 . 2010-08-26 13:39 357248 -c----w- c:\windows\system32\dllcache\srv.sys

2011-01-05 22:36 . 2011-01-05 22:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2011-01-05 22:06 . 2009-07-31 16:05 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll

2011-01-05 22:06 . 2008-04-13 17:27 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll

2011-01-05 22:05 . 2004-03-17 17:04 13059 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys

2011-01-05 22:05 . 2004-03-17 17:00 86016 ----a-w- c:\windows\system32\mdmxsdk.dll

2011-01-05 22:05 . 2008-04-14 00:11 81920 ------w- c:\windows\system32\ieencode.dll

2011-01-05 22:04 . 2006-12-28 19:01 19569 ----a-w- c:\windows\003190_.tmp

2011-01-05 22:04 . 2008-04-14 00:12 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe

2011-01-05 22:04 . 2008-04-14 00:12 294912 ------w- c:\program files\Windows Media Player\dlimport.exe

2011-01-05 21:18 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2011-01-05 21:18 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2011-01-05 21:16 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2011-01-05 21:16 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2011-01-05 21:15 . 2010-11-06 00:26 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2011-01-05 21:15 . 2010-11-06 00:26 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-01-05 21:15 . 2010-11-06 00:26 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-01-05 21:15 . 2010-11-06 00:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-01-05 21:15 . 2010-11-06 00:26 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll

2011-01-05 21:15 . 2010-11-06 00:26 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-01-05 21:15 . 2010-11-06 00:26 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll

2011-01-05 21:13 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2011-01-05 21:12 . 2010-07-12 12:55 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe

2011-01-04 16:27 . 2011-01-04 16:27 -------- d-----w- c:\program files\FileASSASSIN

2011-01-04 16:26 . 2011-01-04 16:26 -------- d-----w- c:\windows\system32\%APPDATA%

2011-01-03 23:52 . 2011-01-03 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-12-30 01:27 . 2006-06-06 21:05 139264 ----a-w- c:\windows\system32\igfxres.dll

2010-12-30 00:38 . 2004-08-04 10:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe

2010-12-30 00:38 . 2004-08-04 10:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe

2010-12-30 00:37 . 2008-04-14 00:11 32768 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwdl.dll

2010-12-30 00:37 . 2008-04-14 00:12 20480 ----a-w- c:\program files\Internet Explorer\Connection Wizard\inetwiz.exe

2010-12-30 00:37 . 2008-04-14 00:12 86016 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn2.exe

2010-12-30 00:37 . 2008-04-14 00:12 214528 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe

2010-12-30 00:18 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2010-12-30 00:18 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll

2010-12-30 00:18 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2010-12-30 00:18 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll

2010-12-30 00:17 . 2005-03-30 17:54 10559 ----a-r- c:\windows\SET94.tmp

2010-12-30 00:17 . 2006-03-30 10:03 22339 ----a-r- c:\windows\SET93.tmp

2010-12-30 00:17 . 2004-08-04 10:00 13753 ----a-r- c:\windows\SET58.tmp

2010-12-30 00:17 . 2004-08-04 10:00 1086058 ----a-r- c:\windows\SET4C.tmp

2010-12-30 00:17 . 2004-08-04 10:00 1042903 ----a-r- c:\windows\SET49.tmp

2010-12-29 22:45 . 2004-08-04 12:00 13753 ----a-r- c:\windows\SET51.tmp

2010-12-29 22:45 . 2004-08-04 12:00 1086058 ----a-r- c:\windows\SET45.tmp

2010-12-29 22:45 . 2004-08-04 12:00 1042903 ----a-r- c:\windows\SET42.tmp

2010-12-29 21:53 . 2010-12-29 21:53 0 ----a-w- c:\windows\SET4A.tmp

2010-12-29 21:19 . 2006-02-28 12:00 14573 ----a-r- c:\windows\SET141.tmp

2010-12-29 21:19 . 2006-02-28 12:00 13753 ----a-r- c:\windows\SET106.tmp

2010-12-29 21:19 . 2006-02-28 12:00 1086058 ----a-r- c:\windows\SETFA.tmp

2010-12-29 21:19 . 2006-02-28 12:00 1042903 ----a-r- c:\windows\SETF7.tmp

2010-12-12 12:25 . 2011-01-04 15:59 0 ----a-w- c:\windows\Lsunu.bin

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 00:09 . 2010-10-26 01:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 00:08 . 2010-10-26 01:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-18 18:12 . 2007-09-30 16:56 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-04 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2004-08-04 10:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2004-08-04 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2004-08-04 10:00 1853312 ----a-w- c:\windows\system32\win32k.sys

1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

.

<pre>
c:\program files\Brother\Brmfl03a\BrStDvPt .exe
c:\program files\Common Files\scansoft shared\SSBkgdUpdate\SSBkgdupdate .exe
c:\program files\ESET\nod32kui .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Scansoft\PaperPort\IndexSearch .exe
c:\program files\Scansoft\PaperPort\pptd40nt .exe
c:\program files\Scansoft\PaperPort\Ereg\Ereg .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\windows\system32\rundll32 .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-02 1392640]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-05-29 1085440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-10-1 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt\0sprestrt\0sprestrt

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Brother\\Brmfl08b\\FAXRX.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

R1 Fortigen;Fortigen;c:\windows\system32\drivers\fortigen.sys [6/27/2006 4:52 PM 13088]

R2 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [6/27/2006 4:52 PM 95776]

R2 JWC;Jeppesen Weather Controller Service;c:\jeppesen\JWC\JWC.exe -service --> c:\jeppesen\JWC\JWC.exe -service [?]

R3 Fortidrv2;FortiNet Fortidrv Service;c:\windows\system32\drivers\fortidrv.sys [6/27/2006 4:52 PM 21152]

R3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [6/27/2006 4:52 PM 14368]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [10/3/2007 12:40 PM 2944]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [3/13/2003 6:04 PM 61952]

S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [10/3/2007 12:40 PM 11008]

S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [10/3/2007 12:36 PM 10368]

S3 DellBIOS;DellBIOS;c:\windows\DellBIOS.Sys [10/1/2007 6:58 PM 5120]

S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [9/6/2008 6:53 AM 29824]

S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [9/6/2008 6:53 AM 41344]

S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [9/6/2008 6:53 AM 39936]

S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [9/6/2008 6:53 AM 59776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-09-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-01-20 21:31]

2011-01-05 c:\windows\Tasks\User_Feed_Synchronization-{50CA14D7-064B-4DCA-8969-C1C93ED1A914}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-05 17:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\

Link to post
Share on other sites
negster22

negster22

Posted
Posted

Good job and I'm glad your PC is running better!!

Download TFC to your desktop

http://oldtimer.geekstogo.com/TFC.exe

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

Now we have to run Combofix again to get rid of your infection remnants:

1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).

2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt

3. Disable all anti-malware and antivirus active protection by referring to these directions HERE

4. Close All Open Windows and Browsers,

KillAll::

File::
c:\windows\003190_.tmp
c:\windows\Lsunu.bin

DirLook::
c:\windows\system32\%APPDATA%

DDS::
uInternet Settings,ProxyOverride = <local>

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into randomDude.exe

This will cause ComboFix to run again.

If the run does not finish or You have problems, please launch Combofix in safe mode following the same directions as above.

If ComboFix prompts you to:

  • Update to a newer version, make sure you allow it to update.
  • Upload infected files for analysis, please allow it to do so.

Please copy/paste the log (C:\Combofix.txt) that opens when it finishes (Do NOT attach it).

Please run an updated MBAM scan and post the log.

Link to post
Share on other sites
  • 1 month later...
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.