TDL3 rootkit infection


SnowBum

Hi, my PC is infected with a rootkit.

I can't get it to boot to normal Windows properly and have to boot to Safe Mode with networking.

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK

Run by Administrator at 15:50:26.37 on 20/02/2011

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.959.720 [GMT 0:00]

AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60475

mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60475

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\kwfrmpym\sdwewsfd.exe,

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [PCDrProfiler]

mRun: [PS2] c:\windows\system32\ps2.exe

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/da2/PCPitStop2.cab

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2011-2-7 310320]

S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2011-2-7 259632]

S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2011-2-7 482432]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20110218.003\IDSXpx86.sys [2011-2-19 341944]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

S2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2011-2-7 117640]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-2-6 102448]

S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110219.002\NAVENG.SYS [2011-2-19 86008]

S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110219.002\NAVEX15.SYS [2011-2-19 1360760]

=============== Created Last 30 ================

2011-02-20 01:26:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Unleashed Online

2011-02-20 01:12:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\PCPitstop

2011-02-20 01:12:29 -------- d-----w- c:\program files\PCPitstop

2011-02-19 21:01:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-02-19 21:01:12 -------- d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com

2011-02-19 21:00:58 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-02-19 19:50:54 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2011-02-19 19:50:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-19 19:50:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-02-19 19:50:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-19 19:50:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-19 19:47:12 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Temp

2011-02-19 18:24:10 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-02-19 18:24:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2011-02-19 18:19:12 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Mozilla

2011-02-19 17:47:42 28672 ----a-w- c:\windows\system32\vidcap.ax

2011-02-19 17:47:41 90624 ----a-w- c:\windows\system32\kswdmcap.ax

2011-02-19 17:47:38 61952 ----a-w- c:\windows\system32\kstvtune.ax

2011-02-19 17:47:36 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2011-02-19 17:47:36 53760 ----a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2011-02-19 17:47:30 43008 ----a-w- c:\windows\system32\ksxbar.ax

2011-02-18 15:57:18 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2011-02-07 22:41:32 48688 ----a-w- c:\windows\system32\drivers\n360\0308000.029\symndisv.sys

2011-02-07 22:41:32 217136 ----a-w- c:\windows\system32\drivers\n360\0308000.029\symtdi.sys

2011-02-07 22:41:31 89904 ----a-w- c:\windows\system32\drivers\n360\0308000.029\symfw.sys

2011-02-07 22:41:31 36400 ----a-w- c:\windows\system32\drivers\n360\0308000.029\symndis.sys

2011-02-07 22:41:31 33072 ----a-w- c:\windows\system32\drivers\n360\0308000.029\symids.sys

2011-02-07 22:41:30 310320 ----a-w- c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys

2011-02-07 22:41:28 43696 ----a-w- c:\windows\system32\drivers\n360\0308000.029\srtspx.sys

2011-02-07 22:41:27 308272 ----a-w- c:\windows\system32\drivers\n360\0308000.029\srtsp.sys

2011-02-07 22:41:24 482432 ----a-w- c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys

2011-02-07 22:41:23 259632 ----a-w- c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys

2011-02-07 22:23:17 -------- d-----w- c:\windows\system32\drivers\n360\0308000.029

2011-02-07 12:06:33 -------- d-----w- c:\program files\common files\AOL

2011-02-06 22:12:22 -------- d-----w- c:\windows\system32\N360_BACKUP

2011-02-06 17:34:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

2011-02-06 17:33:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-02-06 17:33:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-02-06 17:33:51 -------- d-----w- c:\program files\Symantec

2011-02-06 17:33:06 -------- d-----w- c:\windows\system32\drivers\N360

2011-02-06 17:33:02 -------- d-----w- c:\program files\Norton 360

2011-02-06 17:33:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Symantec

2011-02-06 17:27:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\PCSettings

2011-02-06 17:27:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton

2011-02-06 17:24:49 -------- d-----w- c:\program files\NortonInstaller

2011-02-06 17:16:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller

2011-02-01 00:02:37 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-02-01 00:02:37 -------- d-----w- c:\windows\system32\wbem\Repository

2011-01-31 13:32:48 135168 --sha-r- c:\windows\system32\syncuix.dll

2011-01-29 19:17:42 -------- d-----w- C:\Adobe

2011-01-25 18:10:18 -------- d-----w- c:\program files\kwfrmpym

==================== Find3M ====================

2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: SAMSUNG_SP0802N/R rev.TK200-04 -> Harddisk0\DR0 -> \Device\Ide\IdePort4 P4T0L0-16

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x856C7735]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x856cd990]; MOV EAX, [0x856cda0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E3D45] -> \Device\Harddisk0\DR0[0x85773AB8]

3 CLASSPNP[0xF75CF05B] -> nt!IofCallDriver[0x804E3D45] -> \Device\0000006b[0x857ACE48]

5 ACPI[0xF7525620] -> nt!IofCallDriver[0x804E3D45] -> [0x8576E3C0]

\Driver\atapi[0x857593E8] -> IRP_MJ_CREATE -> 0x856C7735

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }

detected disk devices:

\Device\Ide\IdeDeviceP4T0L0-16 -> \??\IDE#DiskSAMSUNG_SP0802N#R_______________________TK200-04#30534a44314a4c48303331383936202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x856C757B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

============= FINISH: 15:51:25.76 ===============

Attach.zip

ark.zip


Hello SnowBum! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step. If there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we are working.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip; choose it.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

In your next reply, please post these log(s):

  1. TDSSKiller log
  2. a new fresh DDS log only


I've carried out those steps. Fresh logs:

2011/02/20 23:59:20.0687 1064 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20

2011/02/20 23:59:20.0984 1064 ================================================================================

2011/02/20 23:59:20.0984 1064 SystemInfo:

2011/02/20 23:59:20.0984 1064

2011/02/20 23:59:20.0984 1064 OS Version: 5.1.2600 ServicePack: 2.0

2011/02/20 23:59:20.0984 1064 Product type: Workstation

2011/02/20 23:59:20.0984 1064 ComputerName: YOUR-447023AE6B

2011/02/20 23:59:20.0984 1064 UserName: Administrator

2011/02/20 23:59:20.0984 1064 Windows directory: C:\WINDOWS

2011/02/20 23:59:20.0984 1064 System windows directory: C:\WINDOWS

2011/02/20 23:59:20.0984 1064 Processor architecture: Intel x86

2011/02/20 23:59:20.0984 1064 Number of processors: 1

2011/02/20 23:59:20.0984 1064 Page size: 0x1000

2011/02/20 23:59:20.0984 1064 Boot type: Safe boot with network

2011/02/20 23:59:20.0984 1064 ================================================================================

2011/02/20 23:59:21.0359 1064 Initialize success

2011/02/20 23:59:25.0968 1104 ================================================================================

2011/02/20 23:59:25.0968 1104 Scan started

2011/02/20 23:59:25.0968 1104 Mode: Manual;

2011/02/20 23:59:25.0968 1104 ================================================================================

2011/02/21 00:00:05.0296 1104 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/02/21 00:00:05.0312 1104 ================================================================================

2011/02/21 00:00:05.0312 1104 Scan finished

2011/02/21 00:00:05.0312 1104 ================================================================================

2011/02/21 00:00:05.0359 1076 Detected object count: 1

2011/02/21 00:00:17.0921 1076 \HardDisk0 - will be cured after reboot

2011/02/21 00:00:17.0921 1076 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2011/02/21 00:00:20.0593 1060 Deinitialize success

DDS (Ver_10-12-12.02) - NTFSx86

Run by Compaq_Owner at 0:11:38.60 on 21/02/2011

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.959.489 [GMT 0:00]

AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ps2.exe

C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.crawler.com/homepage.aspx?tbid=60475

uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60475

mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60475

mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60475

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\kwfrmpym\sdwewsfd.exe,

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [PCDrProfiler]

mRun: [PS2] c:\windows\system32\ps2.exe

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2011-02-21 00:07:02 -------- d-----w- c:\windows\system32\SoftwareDistribution

2011-02-20 10:56:48 -------- d-----w- c:\docume~1\compaq~1\applic~1\SUPERAntiSpyware.com

2011-02-20 01:27:00 -------- d-----w- c:\docume~1\compaq~1\applic~1\PC Unleashed Online

2011-02-20 01:27:00 -------- d-----w- c:\docume~1\compaq~1\applic~1\DriverCure

2011-02-20 01:26:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Unleashed Online

2011-02-20 01:12:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\PCPitstop

2011-02-20 01:12:29 -------- d-----w- c:\program files\PCPitstop

2011-02-20 00:42:29 -------- d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes

2011-02-19 21:01:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-02-19 21:00:58 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-02-19 19:50:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-19 19:50:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-02-19 19:50:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-19 19:50:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-19 18:24:10 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-02-19 18:24:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2011-02-19 17:47:42 28672 ----a-w- c:\windows\system32\vidcap.ax

2011-02-19 17:47:41 90624 ----a-w- c:\windows\system32\kswdmcap.ax

2011-02-19 17:47:38 61952 ----a-w- c:\windows\system32\kstvtune.ax

2011-02-19 17:47:36 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2011-02-19 17:47:36 53760 ----a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2011-02-19 17:47:30 43008 ----a-w- c:\windows\system32\ksxbar.ax

2011-02-18 15:57:18 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2011-02-07 22:41:32 48688 ----a-w- c:\windows\system32\drivers\n360\0308000.029\symndisv.sys

2011-02-07 22:41:32 217136 ----a-w- c:\windows\system32\drivers\n360\0308000.029\symtdi.sys

2011-02-07 22:41:31 89904 ----a-w- c:\windows\system32\drivers\n360\0308000.029\symfw.sys

2011-02-07 22:41:31 36400 ----a-w- c:\windows\system32\drivers\n360\0308000.029\symndis.sys

2011-02-07 22:41:31 33072 ----a-w- c:\windows\system32\drivers\n360\0308000.029\symids.sys

2011-02-07 22:41:30 310320 ----a-w- c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys

2011-02-07 22:41:28 43696 ----a-w- c:\windows\system32\drivers\n360\0308000.029\srtspx.sys

2011-02-07 22:41:27 308272 ----a-w- c:\windows\system32\drivers\n360\0308000.029\srtsp.sys

2011-02-07 22:41:24 482432 ----a-w- c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys

2011-02-07 22:41:23 259632 ----a-w- c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys

2011-02-07 22:23:17 -------- d-----w- c:\windows\system32\drivers\n360\0308000.029

2011-02-07 12:06:33 -------- d-----w- c:\program files\common files\AOL

2011-02-06 22:12:22 -------- d-----w- c:\windows\system32\N360_BACKUP

2011-02-06 17:34:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

2011-02-06 17:33:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-02-06 17:33:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-02-06 17:33:51 -------- d-----w- c:\program files\Symantec

2011-02-06 17:33:06 -------- d-----w- c:\windows\system32\drivers\N360

2011-02-06 17:33:02 -------- d-----w- c:\program files\Norton 360

2011-02-06 17:33:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Symantec

2011-02-06 17:27:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\PCSettings

2011-02-06 17:27:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton

2011-02-06 17:24:49 -------- d-----w- c:\program files\NortonInstaller

2011-02-06 17:16:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller

2011-02-01 00:02:37 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-02-01 00:02:37 -------- d-----w- c:\windows\system32\wbem\Repository

2011-01-31 13:32:48 135168 --sha-r- c:\windows\system32\syncuix.dll

2011-01-29 19:17:42 -------- d-----w- C:\Adobe

2011-01-25 18:10:18 -------- d-----w- c:\program files\kwfrmpym

==================== Find3M ====================

2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 0:13:01.28 ===============

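The TDSSKiller verdict in the log above, `\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4`, points at the master boot record rather than at a file, which is why the "cure" is applied at reboot. The following Python is an added example (it is not part of this thread and not TDSSKiller's own logic) of the offline check a responder can run on sector 0 of a disk image: validate the 0x55AA signature, decode the partition table, compare an MD5 of the 446-byte boot-code area against a hash recorded while the machine was clean, and report unallocated space after the last partition, which is where TDL4 stores its own components. The two sample MBRs, the disk size, the baseline hash and the 2048-sector gap threshold are constructed for the example; a trailing gap by itself is common on OEM disks and only tells you where to image next.

```python
"""Offline MBR inspection, the kind of check behind a '\\HardDisk0' rootkit verdict.

Added example; not part of the thread and not TDSSKiller code.  Parses one
512-byte MBR (sector 0 of a dd image), checks the boot signature, decodes the
partition table, hashes the boot-code area against a known-good value and
reports unallocated sectors after the last partition.  All sample data below
is constructed; the 'known-good' hash is simply the hash of the clean sample.
"""
import hashlib
import struct

BOOT_CODE_LEN = 446       # boot code occupies bytes 0..445
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIG_OFF = 510             # 0x55 0xAA boot signature at bytes 510..511
ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
GAP_THRESHOLD = 2048      # assumption: report more than 1 MiB of trailing unpartitioned space


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte MBR into signature status, boot-code hash and partition list."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def assess(sector: bytes, known_good_md5: str, disk_sectors: int) -> list:
    """Return human-readable findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_md5"] != known_good_md5:
        findings.append("boot code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    if info["partitions"]:
        last_end = max(p["lba_start"] + p["sectors"] for p in info["partitions"])
        gap = disk_sectors - last_end
        if gap > GAP_THRESHOLD:
            findings.append(f"{gap} unallocated sectors after last partition")
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a test MBR from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(512)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, ptype, lba_start, sectors)
    sector[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


# Constructed samples (not real boot code): an ~80 GB disk with one NTFS partition.
DISK_SECTORS = 156_301_488
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 63, DISK_SECTORS - 63)])
KNOWN_GOOD_MD5 = hashlib.md5(CLEAN_BOOT_CODE).hexdigest()   # recorded while the disk was clean

# Same disk with the boot code replaced and a partition that stops short of the disk end.
INFECTED_BOOT_CODE = b"\xeb\x1e\x90" + b"\xcc" * (BOOT_CODE_LEN - 3)
INFECTED_MBR = build_mbr(INFECTED_BOOT_CODE, [(0x80, 0x07, 63, 156_000_000)])


if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, assess(mbr, KNOWN_GOOD_MD5, DISK_SECTORS) or ["no findings"])
```

For a real case, read the first 512 bytes of the image and pass the hash you recorded from a clean build of the same machine. Take that image from a boot CD rather than from the running Windows install: a live TDL rootkit filters disk reads and can hand back the original MBR, so an in-OS read may hash clean while the disk is not.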

  1. Please download the Suspicious File Packer (by Safer Networking Limited) and unzip it to your desktop.
  2. Run sfp.exe
  3. Copy the following lines from the code box into the SFP window:
    c:\program files\kwfrmpym\sdwewsfd.exe
    c:\windows\system32\syncuix.dll

  4. Allow SFP to pack the files; a CAB archive will then be generated on your desktop.

Next, upload it here:

http://forums.malwarebytes.org/index.php?showforum=51

But first read the rules:

http://forums.malwarebytes.org/index.php?showtopic=31067

Let me know.


Thanks S!Ri!

**Note: If you need more detailed information, please visit the ComboFix web page at BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do not do any fixing on your own or run scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    ----------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


ComboFix 11-02-20.03 - Compaq_Owner 21/02/2011 18:01:53.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.959.463 [GMT 0:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe

AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\NetworkService\Application Data\Adobe\plugs

c:\documents and settings\NetworkService\Application Data\B975FD89BF44FF835101F2E57427F92E

c:\documents and settings\NetworkService\Application Data\B975FD89BF44FF835101F2E57427F92E\enemies-names.txt

c:\documents and settings\NetworkService\Application Data\B975FD89BF44FF835101F2E57427F92E\local.ini

c:\documents and settings\NetworkService\Application Data\B975FD89BF44FF835101F2E57427F92E\lsrslt.ini

c:\program files\Internet Explorer\dmlconf.dat

c:\windows\system\hpsysdrv .DAT

c:\windows\system\hpsysdrv .exe

.

((((((((((((((((((((((((( Files Created from 2011-01-21 to 2011-02-21 )))))))))))))))))))))))))))))))

.

2011-02-21 17:40 . 2011-02-21 17:53 -------- d-----w- c:\windows\LastGood

2011-02-21 15:52 . 2011-02-21 17:46 -------- d-----w- c:\windows\system32\CatRoot_bak

2011-02-20 10:56 . 2011-02-20 10:56 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com

2011-02-20 01:27 . 2011-02-20 01:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\PC Unleashed Online

2011-02-20 01:27 . 2011-02-20 01:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\DriverCure

2011-02-20 01:26 . 2011-02-20 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Unleashed Online

2011-02-20 01:12 . 2011-02-20 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop

2011-02-20 01:12 . 2011-02-20 01:23 -------- d-----w- c:\program files\PCPitstop

2011-02-20 00:42 . 2011-02-20 00:42 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes

2011-02-19 21:01 . 2011-02-19 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-02-19 21:00 . 2011-02-19 21:01 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-02-19 19:50 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-19 19:50 . 2011-02-19 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-19 19:50 . 2011-02-19 19:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-19 19:50 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-19 18:24 . 2011-02-19 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-02-19 18:24 . 2011-02-19 18:25 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-02-19 18:17 . 2011-02-19 18:18 -------- d-----w- c:\documents and settings\Administrator

2011-02-19 17:47 . 2004-08-04 00:56 28672 ----a-w- c:\windows\system32\vidcap.ax

2011-02-19 17:47 . 2004-08-04 00:56 90624 ----a-w- c:\windows\system32\kswdmcap.ax

2011-02-19 17:47 . 2004-08-04 00:56 61952 ----a-w- c:\windows\system32\kstvtune.ax

2011-02-19 17:47 . 2004-08-04 00:56 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2011-02-19 17:47 . 2004-08-04 00:56 53760 ----a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2011-02-19 17:47 . 2004-08-04 00:56 43008 ----a-w- c:\windows\system32\ksxbar.ax

2011-02-18 15:57 . 2010-01-20 22:02 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2011-02-07 22:42 . 2011-02-07 22:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Downloaded Installations

2011-02-07 12:06 . 2011-02-07 12:06 -------- d-----w- c:\program files\Common Files\AOL

2011-02-06 22:12 . 2011-02-06 22:12 -------- d-----w- c:\windows\system32\N360_BACKUP

2011-02-06 17:34 . 2011-02-07 22:43 -------- dc----w- c:\windows\system32\DRVSTORE

2011-02-06 17:34 . 2011-02-07 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

2011-02-06 17:33 . 2011-02-07 22:42 -------- d-----w- c:\program files\Symantec

2011-02-06 17:33 . 2011-02-07 22:41 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-02-06 17:33 . 2011-02-07 22:41 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-02-06 17:33 . 2011-02-19 17:32 -------- d-----w- c:\windows\system32\drivers\N360

2011-02-06 17:33 . 2011-02-07 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2011-02-06 17:33 . 2011-02-06 17:33 -------- d-----w- c:\program files\Norton 360

2011-02-06 17:33 . 2011-02-06 17:33 -------- d-----w- c:\program files\Windows Sidebar

2011-02-06 17:27 . 2011-02-06 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2011-02-06 17:27 . 2011-02-06 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2011-02-06 17:24 . 2011-02-06 17:24 -------- d-----w- c:\program files\NortonInstaller

2011-02-01 00:02 . 2011-02-01 00:02 -------- d-----w- c:\windows\system32\wbem\Repository

2011-01-31 23:29 . 2011-02-02 19:48 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-01-31 13:32 . 2011-01-31 13:32 135168 --sha-r- c:\windows\system32\syncuix.dll

2011-01-29 19:17 . 2011-01-29 19:17 -------- d-----w- C:\Adobe

2011-01-29 19:17 . 2011-01-29 19:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-01-26 15:16 . 2011-01-26 15:16 -------- d-s---w- c:\documents and settings\LocalService\UserData

2011-01-25 18:10 . 2011-02-20 00:18 -------- d-----w- c:\program files\kwfrmpym

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

.

<pre>
c:\program files\Common Files\Symantec Shared\ccApp .exe
c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
c:\program files\Java\jre1.5.0_05\bin\jusched .exe
c:\program files\Messenger\msmsgs .exe
c:\windows\SMINST\RECGUARD .exe
</pre>

------- Sigcheck -------

[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys

[-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys

[-] 2005-03-14 . 6129E70F3D2F1E60860C930EBEAF92C2 . 359936 . . [5.1.2600.2631] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[-] 2005-03-14 . 0E66B538096A6529D1AC66E78EB0D5C8 . 359808 . . [5.1.2600.2631] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2005-03-14 . 0E66B538096A6529D1AC66E78EB0D5C8 . 359808 . . [5.1.2600.2631] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys

[-] 2005-03-14 . 0E66B538096A6529D1AC66E78EB0D5C8 . 359808 . . [5.1.2600.2631] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2005-03-14 . 0E66B538096A6529D1AC66E78EB0D5C8 . 359808 . . [5.1.2600.2631] . . c:\windows\system32\drivers\tcpip.sys

[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2005-10-15 14864384]

"PCDrProfiler"="" [N/A]

"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [07/02/2011 22:41 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [07/02/2011 22:41 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [07/02/2011 22:41 482432]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [07/02/2011 22:39 117640]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [21/02/2011 00:15 102448]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20110218.003\IDSXpx86.sys [19/02/2011 21:52 341944]

--- Other Services/Drivers In Memory ---

*Deregistered* - SymEvent

.

Contents of the 'Scheduled Tasks' folder

2009-12-08 c:\windows\Tasks\Driver Robot.job

- c:\program files\Driver Robot\1.1.0.5\DriverRobot.exe [2009-10-12 06:05]

2011-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 13:39]

2011-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 13:39]

2011-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3347702695-348387814-2806270855-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-19 19:47]

2009-12-08 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-12-08 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.crawler.com/homepage.aspx?tbid=60475

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-21 18:13

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2011-02-21 18:21:00

ComboFix-quarantined-files.txt 2011-02-21 18:20

Pre-Run: 45,024,149,504 bytes free

Post-Run: 45,065,142,272 bytes free

- - End Of File - - BE5949FF1B7F66CB44C9B75C5AD7C317

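The DDS and ComboFix logs above carry the indicators the helper acted on: an extra executable appended to `Winlogon\Userinit` (`c:\program files\kwfrmpym\sdwewsfd.exe`), a Hosts entry pointing www.spywareinfo.com at 127.0.0.1, a file in system32 with system+hidden+read-only attributes (`syncuix.dll`, `--sha-r-`), and startup executables renamed with a space before the extension (`hpsysdrv .exe`, `ccApp .exe`) so the real program never runs. The following Python is an added example, not part of the thread and not a DDS or ComboFix feature, that encodes those four rules and runs them over lines copied from the logs; the legitimate Userinit path, the watched extensions and the system32 prefix are this example's own assumptions.

```python
"""Triage of DDS / ComboFix log lines for the indicators seen in this thread.

Added example; not part of the thread, not DDS or ComboFix code.  Each rule
looks for one thing: a Userinit entry beyond the real userinit.exe, any Hosts
override, a system32 file with system or hidden attributes, and a path of the
form 'name .exe'.  SAMPLE_LOG holds lines copied from the logs posted above
plus two benign lines (mbam.sys, Ati2evxx.exe) that must not be flagged.
"""
import re

SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\kwfrmpym\sdwewsfd.exe,
Hosts: 127.0.0.1 www.spywareinfo.com
2011-01-31 13:32:48 135168 --sha-r- c:\windows\system32\syncuix.dll
2011-02-19 19:50:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
c:\program files\Common Files\Symantec Shared\ccApp .exe
c:\windows\system\hpsysdrv .exe
c:\windows\system32\Ati2evxx.exe
"""

# Assumption: on XP the only legitimate Userinit entry is this path.
LEGIT_USERINIT = {r"c:\windows\system32\userinit.exe"}


def check_userinit(line: str):
    """Flag any Userinit entry beyond the real userinit.exe (runs at every logon)."""
    m = re.match(r"mWinlogon:\s*Userinit=(.*)$", line, re.I)
    if not m:
        return None
    entries = [e.strip().lower() for e in m.group(1).split(",") if e.strip()]
    extra = [e for e in entries if e not in LEGIT_USERINIT]
    return ("userinit-hijack", ", ".join(extra)) if extra else None


def check_hosts(line: str):
    """Report every Hosts line; a security site mapped to 127.0.0.1 blocks the user from help."""
    m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", line)
    if not m:
        return None
    ip, host = m.groups()
    return ("hosts-override", f"{host} -> {ip}")


def check_attributes(line: str):
    """Flag files under system32 whose attribute field shows system (s) or hidden (h)."""
    m = re.search(r"\s(\d+)\s+([-a-z]{8})\s+([a-z]:\\.+)$", line, re.I)
    if not m:
        return None
    _size, attrs, path = m.groups()
    attrs = attrs.lower()
    if "d" in attrs:  # directory entry
        return None
    if ("s" in attrs or "h" in attrs) and path.lower().startswith(r"c:\windows\system32"):
        return ("hidden-system-file", f"{path} ({attrs})")
    return None


def check_space_before_ext(line: str):
    """Flag 'name .exe' style paths: the original program was renamed so it never starts."""
    m = re.match(r"^[a-z]:\\.*\S \.(exe|dll|sys|dat)$", line, re.I)
    return ("space-before-extension", line) if m else None


CHECKS = (check_userinit, check_hosts, check_attributes, check_space_before_ext)


def triage(log_text: str) -> list:
    """Run every rule over every non-empty line; return (kind, detail) pairs in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Feed it a whole saved DDS.txt or ComboFix.txt via `triage(open(path).read())`; the rules are deliberately narrow, so a hit is a lead to verify (hash the file, check its signer) rather than a verdict.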

Ran the ComboFix script and at the end it tried to connect to Bleeping Computer to submit some malware for analysis. It couldn't connect, so it asked me to manually submit the malware afterwards via a submit form it saved to my PC.

This I have done as a guest. I've attached the zipped folder it asked me to upload.

Also pasted the VirusTotal results; I've only pasted the summary as it was clean.

ComboFix 11-02-21.02 - Compaq_Owner 22/02/2011 16:20:15.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.959.463 [GMT 0:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt

AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

file zipped: c:\windows\system32\syncuix.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\syncuix.dll

.

((((((((((((((((((((((((( Files Created from 2011-01-22 to 2011-02-22 )))))))))))))))))))))))))))))))

.

2011-02-22 16:11 . 2011-02-22 16:11 -------- d-----w- c:\windows\LastGood

2011-02-21 18:26 . 2011-02-21 18:26 -------- d-s---w- c:\windows\Cookies

2011-02-21 17:58 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2011-02-21 15:52 . 2011-02-21 17:46 -------- d-----w- c:\windows\system32\CatRoot_bak

2011-02-20 10:56 . 2011-02-20 10:56 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com

2011-02-20 01:27 . 2011-02-20 01:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\PC Unleashed Online

2011-02-20 01:27 . 2011-02-20 01:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\DriverCure

2011-02-20 01:26 . 2011-02-20 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Unleashed Online

2011-02-20 01:12 . 2011-02-20 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop

2011-02-20 01:12 . 2011-02-20 01:23 -------- d-----w- c:\program files\PCPitstop

2011-02-20 00:42 . 2011-02-20 00:42 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes

2011-02-19 21:01 . 2011-02-19 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-02-19 21:00 . 2011-02-19 21:01 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-02-19 19:50 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-19 19:50 . 2011-02-19 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-19 19:50 . 2011-02-19 19:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-19 19:50 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-19 18:24 . 2011-02-19 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-02-19 18:24 . 2011-02-19 18:25 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-02-19 18:17 . 2011-02-19 18:18 -------- d-----w- c:\documents and settings\Administrator

2011-02-19 17:47 . 2004-08-04 00:56 28672 ----a-w- c:\windows\system32\vidcap.ax

2011-02-19 17:47 . 2004-08-04 00:56 90624 ----a-w- c:\windows\system32\kswdmcap.ax

2011-02-19 17:47 . 2004-08-04 00:56 61952 ----a-w- c:\windows\system32\kstvtune.ax

2011-02-19 17:47 . 2004-08-04 00:56 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2011-02-19 17:47 . 2004-08-04 00:56 53760 ----a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2011-02-19 17:47 . 2004-08-04 00:56 43008 ----a-w- c:\windows\system32\ksxbar.ax

2011-02-18 15:57 . 2010-01-20 22:02 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2011-02-07 22:42 . 2011-02-07 22:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Downloaded Installations

2011-02-07 12:06 . 2011-02-07 12:06 -------- d-----w- c:\program files\Common Files\AOL

2011-02-06 22:12 . 2011-02-06 22:12 -------- d-----w- c:\windows\system32\N360_BACKUP

2011-02-06 17:34 . 2011-02-07 22:43 -------- dc----w- c:\windows\system32\DRVSTORE

2011-02-06 17:34 . 2011-02-07 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

2011-02-06 17:33 . 2011-02-07 22:42 -------- d-----w- c:\program files\Symantec

2011-02-06 17:33 . 2011-02-07 22:41 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-02-06 17:33 . 2011-02-07 22:41 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-02-06 17:33 . 2011-02-19 17:32 -------- d-----w- c:\windows\system32\drivers\N360

2011-02-06 17:33 . 2011-02-07 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2011-02-06 17:33 . 2011-02-06 17:33 -------- d-----w- c:\program files\Norton 360

2011-02-06 17:33 . 2011-02-06 17:33 -------- d-----w- c:\program files\Windows Sidebar

2011-02-06 17:27 . 2011-02-06 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2011-02-06 17:27 . 2011-02-06 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2011-02-06 17:24 . 2011-02-06 17:24 -------- d-----w- c:\program files\NortonInstaller

2011-02-01 00:02 . 2011-02-01 00:02 -------- d-----w- c:\windows\system32\wbem\Repository

2011-01-31 23:29 . 2011-02-02 19:48 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-01-29 19:17 . 2011-01-29 19:17 -------- d-----w- C:\Adobe

2011-01-29 19:17 . 2011-01-29 19:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-01-26 15:16 . 2011-01-26 15:16 -------- d-s---w- c:\documents and settings\LocalService\UserData

2011-01-25 18:10 . 2011-02-20 00:18 -------- d-----w- c:\program files\kwfrmpym

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

.

((((((((((((((((((((((((((((( SnapShot@2011-02-21_18.13.34 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-06-28 23:42 . 2009-06-28 23:42 91656 c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll

+ 2011-02-22 16:09 . 2011-02-22 16:09 16384 c:\windows\Temp\Perflib_Perfdata_790.dat

+ 2004-08-04 12:00 . 2009-06-25 08:44 59392 c:\windows\system32\wdigest.dll

+ 2006-01-09 23:18 . 2007-07-27 10:41 26488 c:\windows\system32\spupdsvc.exe

+ 2006-01-09 23:17 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll

+ 2004-08-04 12:00 . 2009-06-25 08:44 56320 c:\windows\system32\secur32.dll

+ 2009-11-05 22:17 . 2009-11-05 22:17 11600 c:\windows\system32\mui\0409\mscorees.dll

+ 2004-08-04 11:00 . 2008-06-10 09:17 96768 c:\windows\system32\logagent.exe

- 2004-08-04 11:00 . 2004-08-11 08:45 96768 c:\windows\system32\logagent.exe

+ 2004-08-04 18:00 . 2009-06-22 11:34 92544 c:\windows\system32\drivers\ksecdd.sys

+ 2004-08-04 12:00 . 2009-06-25 08:44 59392 c:\windows\system32\dllcache\wdigest.dll

+ 2004-08-04 12:00 . 2009-06-25 08:44 56320 c:\windows\system32\dllcache\secur32.dll

+ 2004-08-04 11:00 . 2008-06-10 09:17 96768 c:\windows\system32\dllcache\logagent.exe

- 2004-08-04 11:00 . 2004-08-11 08:45 96768 c:\windows\system32\dllcache\logagent.exe

+ 2004-08-04 18:00 . 2009-06-22 11:34 92544 c:\windows\system32\dllcache\ksecdd.sys

+ 2004-08-04 12:00 . 2010-01-13 14:10 85504 c:\windows\system32\dllcache\cabview.dll

+ 2004-08-04 12:00 . 2010-01-13 14:10 85504 c:\windows\system32\cabview.dll

- 2011-02-21 17:58 . 2008-07-08 13:02 26488 c:\windows\SoftwareDistribution\Download\75cd10bc79782317976e2a857798ad9f\update\spcustom.dll

- 2011-02-21 17:58 . 2008-07-08 13:02 17272 c:\windows\SoftwareDistribution\Download\75cd10bc79782317976e2a857798ad9f\spmsg.dll

+ 2009-06-24 19:56 . 2009-06-24 19:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe

+ 2010-04-01 11:42 . 2010-04-01 11:42 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll

+ 2010-03-31 14:51 . 2010-03-31 14:51 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll

- 2003-02-21 02:09 . 2003-02-21 02:09 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll

- 2003-02-21 02:09 . 2003-02-21 02:09 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll

+ 2010-03-31 14:51 . 2010-03-31 14:51 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll

- 2004-07-15 07:32 . 2004-07-15 07:32 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll

+ 2010-03-31 14:51 . 2010-03-31 14:51 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll

+ 2010-03-31 15:32 . 2010-03-31 15:32 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe

- 2004-07-15 08:49 . 2004-07-15 08:49 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe

- 2003-02-21 02:19 . 2003-02-21 02:19 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll

+ 2010-03-31 15:32 . 2010-03-31 15:32 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll

- 2010-12-08 22:06 . 2010-12-08 22:06 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe

+ 2010-12-08 22:06 . 2011-02-21 22:02 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe

+ 2008-11-13 09:00 . 2011-02-21 22:02 32768 c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe

- 2008-11-13 09:00 . 2010-12-08 22:06 32768 c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe

+ 2011-02-21 18:26 . 2011-02-21 17:37 16384 c:\windows\Cookies\index.dat

+ 2011-02-21 22:08 . 2011-02-21 22:08 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll

+ 2011-02-21 22:03 . 2008-07-08 13:02 17272 c:\windows\$NtUninstallKB979309$\spmsg.dll

+ 2011-02-21 22:03 . 2008-07-08 13:02 26488 c:\windows\$NtUninstallKB979309$\spcustom.dll

+ 2011-02-21 22:05 . 2008-07-08 13:02 17272 c:\windows\$NtUninstallKB978601$\spmsg.dll

+ 2011-02-21 22:05 . 2008-07-08 13:02 26488 c:\windows\$NtUninstallKB978601$\spcustom.dll

+ 2011-02-21 22:06 . 2008-07-08 13:02 17272 c:\windows\$NtUninstallKB975561$\spmsg.dll

+ 2011-02-21 22:06 . 2008-07-08 13:02 26488 c:\windows\$NtUninstallKB975561$\spcustom.dll

+ 2011-02-21 22:04 . 2009-05-26 11:40 17272 c:\windows\$NtUninstallKB973904$\spmsg.dll

+ 2011-02-21 22:04 . 2009-05-26 11:40 26488 c:\windows\$NtUninstallKB973904$\spcustom.dll

+ 2011-02-21 22:04 . 2007-03-06 01:22 14048 c:\windows\$NtUninstallKB971961$\spmsg.dll

+ 2011-02-21 22:04 . 2007-03-06 01:22 22752 c:\windows\$NtUninstallKB971961$\spcustom.dll

+ 2011-02-21 22:03 . 2007-03-06 01:22 14048 c:\windows\$NtUninstallKB958470$\spmsg.dll

+ 2011-02-21 22:03 . 2007-03-06 01:22 22752 c:\windows\$NtUninstallKB958470$\spcustom.dll

+ 2011-02-21 22:06 . 2009-05-26 11:40 17272 c:\windows\$NtUninstallKB955759$\spmsg.dll

+ 2011-02-21 22:06 . 2009-05-26 11:40 26488 c:\windows\$NtUninstallKB955759$\spcustom.dll

+ 2011-02-21 17:53 . 2009-04-15 09:24 351744 c:\windows\system32\xpsp3res.dll

+ 2004-08-04 11:00 . 2009-07-13 10:08 286720 c:\windows\system32\wmpdxm.dll

+ 2004-08-04 12:00 . 2009-12-24 07:05 177664 c:\windows\system32\wintrust.dll

+ 2004-08-04 12:00 . 2009-06-25 08:44 168448 c:\windows\system32\schannel.dll

+ 2004-08-04 12:00 . 2009-04-15 15:11 584192 c:\windows\system32\rpcrt4.dll

+ 2004-08-04 12:00 . 2008-10-15 16:57 332800 c:\windows\system32\netapi32.dll

+ 2004-08-04 12:00 . 2008-06-20 17:41 245248 c:\windows\system32\mswsock.dll

- 2004-08-04 12:00 . 2004-08-04 12:00 245248 c:\windows\system32\mswsock.dll

+ 2004-08-04 12:00 . 2009-09-11 14:33 133632 c:\windows\system32\msv1_0.dll

+ 2004-08-04 12:00 . 2009-06-05 07:42 655872 c:\windows\system32\mstscax.dll

+ 2004-08-04 11:00 . 2009-06-25 08:44 724480 c:\windows\system32\lsasrv.dll

+ 2004-08-04 12:00 . 2009-05-07 15:44 344064 c:\windows\system32\localspl.dll

+ 2004-08-04 12:00 . 2009-06-25 08:44 298496 c:\windows\system32\kerberos.dll

+ 2004-08-04 12:00 . 2009-08-21 09:46 450560 c:\windows\system32\jscript.dll

- 2004-08-04 12:00 . 2004-08-04 12:00 450560 c:\windows\system32\jscript.dll

+ 2004-08-04 12:00 . 2008-06-20 09:52 225920 c:\windows\system32\drivers\tcpip6.sys

+ 2004-08-04 11:00 . 2008-06-20 10:45 360320 c:\windows\system32\drivers\tcpip.sys

+ 2004-08-04 12:00 . 2008-05-08 12:28 202752 c:\windows\system32\drivers\rmcast.sys

+ 2004-08-04 12:00 . 2008-06-20 10:44 138368 c:\windows\system32\drivers\afd.sys

+ 2004-08-04 12:00 . 2008-06-20 17:41 148992 c:\windows\system32\dnsapi.dll

+ 2004-08-04 12:00 . 2008-04-21 10:02 215552 c:\windows\system32\dllcache\wordpad.exe

+ 2004-08-04 11:00 . 2009-07-13 10:08 286720 c:\windows\system32\dllcache\wmpdxm.dll

+ 2004-08-04 12:00 . 2009-12-24 07:05 177664 c:\windows\system32\dllcache\wintrust.dll

+ 2004-08-04 12:00 . 2008-06-20 09:52 225920 c:\windows\system32\dllcache\tcpip6.sys

+ 2004-08-04 11:00 . 2008-06-20 10:45 360320 c:\windows\system32\dllcache\tcpip.sys

+ 2004-08-04 12:00 . 2009-06-25 08:44 168448 c:\windows\system32\dllcache\schannel.dll

+ 2004-08-04 12:00 . 2009-04-15 15:11 584192 c:\windows\system32\dllcache\rpcrt4.dll

+ 2004-08-04 12:00 . 2008-05-08 12:28 202752 c:\windows\system32\dllcache\rmcast.sys

+ 2004-08-04 12:00 . 2008-10-15 16:57 332800 c:\windows\system32\dllcache\netapi32.dll

+ 2004-08-04 12:00 . 2008-06-20 17:41 245248 c:\windows\system32\dllcache\mswsock.dll

- 2004-08-04 12:00 . 2004-08-04 12:00 245248 c:\windows\system32\dllcache\mswsock.dll

+ 2004-08-04 12:00 . 2009-09-11 14:33 133632 c:\windows\system32\dllcache\msv1_0.dll

+ 2004-08-04 12:00 . 2009-06-05 07:42 655872 c:\windows\system32\dllcache\mstscax.dll

- 2004-08-04 12:00 . 2004-08-04 12:00 331776 c:\windows\system32\dllcache\msadce.dll

+ 2004-08-04 12:00 . 2008-05-01 14:30 331776 c:\windows\system32\dllcache\msadce.dll

+ 2004-08-04 11:00 . 2009-06-25 08:44 724480 c:\windows\system32\dllcache\lsasrv.dll

+ 2004-08-04 12:00 . 2009-05-07 15:44 344064 c:\windows\system32\dllcache\localspl.dll

+ 2004-08-04 12:00 . 2009-06-25 08:44 298496 c:\windows\system32\dllcache\kerberos.dll

- 2004-08-04 12:00 . 2004-08-04 12:00 450560 c:\windows\system32\dllcache\jscript.dll

+ 2004-08-04 12:00 . 2009-08-21 09:46 450560 c:\windows\system32\dllcache\jscript.dll

+ 2004-08-04 12:00 . 2008-06-20 17:41 148992 c:\windows\system32\dllcache\dnsapi.dll

+ 2004-08-04 12:00 . 2008-06-20 10:44 138368 c:\windows\system32\dllcache\afd.sys

+ 2004-08-04 12:00 . 2009-11-21 16:36 470528 c:\windows\system32\dllcache\aclayers.dll

+ 2004-08-04 12:00 . 2006-08-16 11:58 100352 c:\windows\system32\dllcache\6to4svc.dll

- 2004-08-04 12:00 . 2004-08-04 12:00 100352 c:\windows\system32\dllcache\6to4svc.dll

+ 2004-08-04 12:00 . 2006-08-16 11:58 100352 c:\windows\system32\6to4svc.dll

- 2004-08-04 12:00 . 2004-08-04 12:00 100352 c:\windows\system32\6to4svc.dll

- 2011-02-21 17:58 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\75cd10bc79782317976e2a857798ad9f\update\updspapi.dll

- 2011-02-21 17:58 . 2008-07-08 13:02 755576 c:\windows\SoftwareDistribution\Download\75cd10bc79782317976e2a857798ad9f\update\update.exe

- 2011-02-21 17:58 . 2008-07-08 13:02 231288 c:\windows\SoftwareDistribution\Download\75cd10bc79782317976e2a857798ad9f\spuninst.exe

+ 2006-01-09 23:39 . 2005-07-22 22:14 237568 c:\windows\SMINST\RECGUARD.exe

+ 2010-03-31 14:51 . 2010-03-31 14:51 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll

- 2004-07-15 07:33 . 2004-07-15 07:33 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll

+ 2010-03-31 14:49 . 2010-03-31 14:49 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll

- 2004-07-15 07:25 . 2004-07-15 07:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll

- 2004-07-15 08:49 . 2004-07-15 08:49 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll

+ 2010-03-31 15:32 . 2010-03-31 15:32 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll

+ 2011-02-21 22:02 . 2011-02-21 22:02 432640 c:\windows\Installer\f39d99.msi

+ 2011-02-21 22:02 . 2011-02-21 22:02 429568 c:\windows\Installer\f39d90.msi

+ 2004-08-04 12:00 . 2009-11-21 16:36 470528 c:\windows\AppPatch\aclayers.dll

+ 2011-02-21 22:03 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB979309$\updspapi.dll

+ 2011-02-21 22:03 . 2009-05-26 11:40 755576 c:\windows\$NtUninstallKB979309$\update.exe

+ 2011-02-21 22:03 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB979309$\spuninst.exe

+ 2011-02-21 22:05 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB978601$\updspapi.dll

+ 2011-02-21 22:05 . 2009-05-26 11:40 755576 c:\windows\$NtUninstallKB978601$\update.exe

+ 2011-02-21 22:05 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB978601$\spuninst.exe

+ 2011-02-21 22:06 . 2009-05-26 17:10 382840 c:\windows\$NtUninstallKB975561$\updspapi.dll

+ 2011-02-21 22:06 . 2008-07-08 13:02 755576 c:\windows\$NtUninstallKB975561$\update.exe

+ 2011-02-21 22:06 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB975561$\spuninst.exe

+ 2011-02-21 22:04 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB973904$\updspapi.dll

+ 2011-02-21 22:04 . 2009-05-26 11:40 755576 c:\windows\$NtUninstallKB973904$\update.exe

+ 2011-02-21 22:04 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB973904$\spuninst.exe

+ 2011-02-21 22:04 . 2007-03-06 01:23 371424 c:\windows\$NtUninstallKB971961$\updspapi.dll

+ 2011-02-21 22:04 . 2007-03-06 01:22 716000 c:\windows\$NtUninstallKB971961$\update.exe

+ 2011-02-21 22:04 . 2007-03-06 01:22 213216 c:\windows\$NtUninstallKB971961$\spuninst.exe

+ 2010-12-08 22:08 . 2004-08-04 12:00 450560 c:\windows\$NtUninstallKB971961$\jscript.dll

- 2010-12-08 22:08 . 2007-12-18 14:40 450560 c:\windows\$NtUninstallKB971961$\jscript.dll

+ 2011-02-21 22:03 . 2008-02-15 09:06 351744 c:\windows\$NtUninstallKB970238$\xpsp3res.dll

+ 2011-02-21 22:03 . 2007-03-06 01:23 371424 c:\windows\$NtUninstallKB958470$\updspapi.dll

+ 2011-02-21 22:03 . 2007-03-06 01:22 716000 c:\windows\$NtUninstallKB958470$\update.exe

+ 2011-02-21 22:03 . 2007-03-06 01:22 213216 c:\windows\$NtUninstallKB958470$\spuninst.exe

+ 2011-02-21 22:06 . 2009-05-26 17:10 382840 c:\windows\$NtUninstallKB955759$\updspapi.dll

+ 2011-02-21 22:06 . 2009-05-26 11:40 755576 c:\windows\$NtUninstallKB955759$\update.exe

+ 2011-02-21 22:06 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB955759$\spuninst.exe

+ 2009-07-21 00:03 . 2009-07-21 00:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll

+ 2008-09-30 16:42 . 2008-09-30 16:42 1286152 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll

+ 2004-08-04 11:00 . 2010-04-03 03:33 2365288 c:\windows\system32\WMVCore.dll

+ 2004-08-04 11:00 . 2009-07-13 10:08 5537792 c:\windows\system32\wmp.dll

+ 2004-08-04 11:00 . 2008-06-10 11:37 1026048 c:\windows\system32\WMNetmgr.dll

+ 2009-07-21 00:05 . 2009-07-21 00:05 1348432 c:\windows\system32\msxml4.dll

+ 2004-08-04 12:00 . 2008-09-04 16:42 1106944 c:\windows\system32\msxml3.dll

+ 2004-08-04 11:00 . 2010-04-03 03:33 2365288 c:\windows\system32\dllcache\WMVCore.dll

+ 2004-08-04 11:00 . 2009-07-13 10:08 5537792 c:\windows\system32\dllcache\wmp.dll

+ 2004-08-04 11:00 . 2008-06-10 11:37 1026048 c:\windows\system32\dllcache\WMNetmgr.dll

+ 2004-08-04 12:00 . 2008-09-04 16:42 1106944 c:\windows\system32\dllcache\msxml3.dll

- 2004-08-04 12:00 . 2004-08-04 12:00 3555328 c:\windows\system32\dllcache\moviemk.exe

+ 2004-08-04 12:00 . 2009-10-23 14:27 3555328 c:\windows\system32\dllcache\moviemk.exe

- 2011-02-21 17:58 . 2009-07-31 04:24 1447424 c:\windows\SoftwareDistribution\Download\75cd10bc79782317976e2a857798ad9f\SP3QFE\msxml6.dll

- 2011-02-21 17:58 . 2009-07-31 04:24 1172480 c:\windows\SoftwareDistribution\Download\75cd10bc79782317976e2a857798ad9f\SP3QFE\msxml3.dll

- 2009-07-31 10:05 . 2009-07-31 10:05 1372672 c:\windows\SoftwareDistribution\Download\75cd10bc79782317976e2a857798ad9f\SP3GDR\msxml6.dll

- 2011-02-21 17:58 . 2009-07-31 04:35 1172480 c:\windows\SoftwareDistribution\Download\75cd10bc79782317976e2a857798ad9f\SP3GDR\msxml3.dll

- 2011-02-21 17:58 . 2009-07-31 04:36 1172480 c:\windows\SoftwareDistribution\Download\75cd10bc79782317976e2a857798ad9f\SP2QFE\msxml3.dll

- 2011-02-21 17:58 . 2009-07-31 04:57 1172480 c:\windows\SoftwareDistribution\Download\75cd10bc79782317976e2a857798ad9f\SP2GDR\msxml3.dll

+ 2010-04-01 11:42 . 2010-04-01 11:42 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll

+ 2010-04-01 11:42 . 2010-04-01 11:42 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll

+ 2010-03-31 14:50 . 2010-03-31 14:50 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll

+ 2010-03-31 14:50 . 2010-03-31 14:50 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll

+ 2010-04-01 11:42 . 2010-04-01 11:42 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll

+ 2011-02-21 22:08 . 2011-02-21 22:08 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll

+ 2011-02-21 22:08 . 2011-02-21 22:08 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll

+ 2010-04-02 12:30 . 2010-04-02 12:30 17456640 c:\windows\Installer\f39db3.msp

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BrowserChoice"="c:\windows\system32\browserchoice.exe" [2010-02-12 293376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2005-10-15 14864384]

"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [07/02/2011 22:41 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [07/02/2011 22:41 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [07/02/2011 22:41 482432]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [07/02/2011 22:39 117640]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [21/02/2011 00:15 102448]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20110218.003\IDSXpx86.sys [19/02/2011 21:52 341944]

--- Other Services/Drivers In Memory ---

*Deregistered* - SymEvent

.

Contents of the 'Scheduled Tasks' folder

2009-12-08 c:\windows\Tasks\Driver Robot.job

- c:\program files\Driver Robot\1.1.0.5\DriverRobot.exe [2009-10-12 06:05]

2011-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 13:39]

2011-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-08 13:39]

2011-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3347702695-348387814-2806270855-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-19 19:47]

2009-12-08 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-12-08 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

.

.

------- Supplementary Scan -------

.

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-22 16:29

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2011-02-22 16:33:17

ComboFix-quarantined-files.txt 2011-02-22 16:33

ComboFix2.txt 2011-02-21 18:21

Pre-Run: 44,727,300,096 bytes free

Post-Run: 44,718,837,760 bytes free

- - End Of File - - D011424ED691D66185D6543978624870

File name: tcpip.sys

Submission date: 2011-02-22 16:39:32 (UTC)

Current status: queued queued analysing finished

Result: 0/ 43 (0.0%)

8-Submit_2011-02-22_16.20.06.zip


  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:", write the following:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.

Next, please manually delete the following folder:

c:\program files\kwfrmpym

Let me know.


Awesome! :)

Last steps for you:

Step 1

Go to Start => Run... and copy & paste next command in the field:

ComboFix /uninstall

Then hit the Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Reset System Restore again

Note: Make sure there's a space between ComboFix and /uninstall

Step 2

Please manually delete DDS, GMER, TDSSKiller and Suspicious File Packer.

Step 3

Keep your software up-to-date:

http://www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)


This topic is now closed to further replies.