stuck with CLICK.GIFTLOAD



jecski
2011-04-25, 17:38
Spybot picked up and "removed" CLICK.GIFTLOAD. But of course it keeps coming back. PLEASE HELP

Symptoms: svchost.exe process running in the background at 75-100% CPU usage, locks up the browser, Windows Update won't work (automatic or from the update site), browser redirects, Trend Micro security is not fully functioning

Steps taken: Spybot; SUPERAntiSpyware just found cookies, nothing else; Malwarebytes full scan found nothing; Trend Micro scan found nothing; Microsoft Safety Scanner found nothing; TDSSKiller found nothing; ComboFix didn't help, log posted below; DDS log posted below:

SPYBOT LOG:

--- Search result list ---
Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

COMBOFIX log:
ComboFix 11-04-24.02 - Harris 04/24/2011 15:22:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1545 [GMT -6:00]
Running from: c:\documents and settings\Harris\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Harris\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-03-24 to 2011-04-24 )))))))))))))))))))))))))))))))
.
.
2011-04-24 21:16 . 2011-04-24 21:18 -------- d-----w- C:\32788R22FWJFW
2011-04-24 20:38 . 2011-04-24 20:38 -------- d-----w- c:\documents and settings\Harris\log
2011-04-24 19:47 . 2008-04-14 00:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-04-24 19:47 . 2001-08-18 04:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-04-24 19:47 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-04-24 19:47 . 2001-08-18 04:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-04-24 19:47 . 2001-08-18 04:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-04-24 19:45 . 2004-08-04 04:29 11775 ----a-w- c:\windows\system32\dllcache\wadv05nt.sys
2011-04-24 19:44 . 2001-08-17 19:28 794654 ----a-w- c:\windows\system32\dllcache\usr1801.sys
2011-04-24 19:43 . 2001-08-17 20:56 440576 ----a-w- c:\windows\system32\dllcache\tridkb.dll
2011-04-24 19:42 . 2001-08-17 18:50 36640 ----a-w- c:\windows\system32\dllcache\t2r4mini.sys
2011-04-24 19:41 . 2001-08-17 19:51 61824 ----a-w- c:\windows\system32\dllcache\speed.sys
2011-04-24 19:40 . 2004-08-10 10:00 29184 ----a-w- c:\windows\system32\dllcache\sm8cw.dll
2011-04-24 19:39 . 2001-08-18 04:36 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2011-04-24 19:38 . 2001-08-17 18:50 166720 ----a-w- c:\windows\system32\dllcache\s3m.sys
2011-04-24 19:37 . 2001-08-17 19:28 112574 ----a-w- c:\windows\system32\dllcache\ptserlp.sys
2011-04-24 19:36 . 2001-08-17 18:11 29769 ----a-w- c:\windows\system32\dllcache\pcntn5m.sys
2011-04-24 19:35 . 2001-08-17 18:50 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys
2011-04-24 19:34 . 2001-08-17 20:56 35392 ----a-w- c:\windows\system32\dllcache\n9i128.dll
2011-04-24 19:33 . 2001-08-17 18:50 320384 ----a-w- c:\windows\system32\dllcache\mgaum.sys
2011-04-24 19:32 . 2001-08-17 18:12 19016 ----a-w- c:\windows\system32\dllcache\ktc111.sys
2011-04-24 19:31 . 2001-08-18 04:36 61952 ----a-w- c:\windows\system32\dllcache\icam4ext.dll
2011-04-24 19:30 . 2001-08-17 19:28 150239 ----a-w- c:\windows\system32\dllcache\hsf_amos.sys
2011-04-24 19:29 . 2001-08-17 20:56 470144 ----a-w- c:\windows\system32\dllcache\g200d.dll
2011-04-24 19:28 . 2001-08-17 18:19 40704 ----a-w- c:\windows\system32\dllcache\es1371mp.sys
2011-04-24 19:27 . 2001-08-18 04:36 38985 ----a-w- c:\windows\system32\dllcache\disrvsu.dll
2011-04-24 19:26 . 2001-08-17 18:11 39936 ----a-w- c:\windows\system32\dllcache\cnxt1803.sys
2011-04-24 19:25 . 2001-08-17 18:49 10240 ----a-w- c:\windows\system32\dllcache\atipcxxx.sys
2011-04-24 19:23 . 2004-08-10 10:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2011-04-24 19:23 . 2001-08-17 20:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-04-24 19:22 . 2004-08-10 10:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2011-04-24 19:22 . 2004-08-10 10:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2011-04-24 19:22 . 2004-08-10 10:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2011-04-24 19:22 . 2004-08-10 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2011-04-24 19:22 . 2004-08-10 10:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2011-04-24 19:22 . 2004-08-10 10:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2011-04-24 19:21 . 2011-04-24 21:18 -------- d-----w- c:\windows\system32\CatRoot2
2011-04-24 18:02 . 2011-04-24 18:02 -------- d-----w- c:\documents and settings\Harris\Local Settings\Application Data\Mozilla
2011-04-23 20:39 . 2011-04-24 17:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-23 19:54 . 2011-04-23 19:54 -------- d-----w- c:\documents and settings\Harris\Local Settings\Application Data\Trusteer
2011-04-23 15:18 . 2011-04-23 15:18 -------- d-----w- c:\documents and settings\Harris\Application Data\SUPERAntiSpyware.com
2011-04-23 15:18 . 2011-04-23 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-23 14:54 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-04-23 14:54 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2011-04-23 03:18 . 2011-04-23 03:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-23 03:10 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv(2)(2).dll
2011-04-20 16:24 . 2011-04-24 02:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-16 23:34 . 2011-04-16 23:34 1409 ----a-w- c:\windows\QTFont.for
2011-04-16 02:08 . 2011-04-16 02:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-24 20:38 . 2011-02-28 19:23 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-02-28 19:19 . 2011-02-28 19:19 656648 ----a-w- c:\windows\system32\UfWSC.cpl
2011-02-28 19:18 . 2011-02-28 19:18 66320 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-02-22 11:41 . 2005-08-16 09:18 385024 ----a-w- c:\windows\system32\html.iec
2011-02-05 00:48 . 2005-08-16 09:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 00:48 . 2005-08-16 09:18 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2005-08-16 09:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2005-08-16 09:37 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-18 17:53 . 2011-04-24 18:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2011-02-28 1398024]
"tisspwiz.exe"="c:\program files\Trend Micro\Internet Security\tisspwiz.exe" [2011-02-28 1152264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-04 98304]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-09-14 14:55 61440 ----a-w- c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-22 05:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 06:00 45056 ------w- c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-12-12 16:46 19456 ----a-w- c:\windows\system32\CtHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-03-02 09:00 18944 ----a-w- c:\windows\system32\Ctxfihlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2006-05-03 09:12 98304 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 19:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-07-09 04:57 7110656 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PALogView]
2005-06-01 22:22 172032 ------w- c:\program files\TrippLite\PowerAlert\console\logview.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAStatus]
2005-06-01 22:21 299008 ------w- c:\program files\TrippLite\PowerAlert\console\pastatus.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-05-04 11:22 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-21 21:32 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
2005-10-14 16:01 122880 ------w- c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [10/3/2010 11:43 PM 59240]
R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [4/23/2011 1:09 PM 57144]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [10/3/2010 11:43 PM 169320]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/28/2011 1:18 PM 36432]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/28/2011 1:18 PM 335376]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Harris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Harris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Harris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Harris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 4:20 AM 135664]
S2 PowerAlert Agent;PowerAlert Agent;c:\program files\TrippLite\PowerAlert\engine/pa.exe -service --> c:\program files\TrippLite\PowerAlert\engine/pa.exe -service [?]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [10/3/2010 11:43 PM 767208]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/28/2011 1:23 PM 51792]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2/28/2011 1:23 PM 488768]
S2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2/28/2011 1:23 PM 648456]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - klmd25
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 10:20]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 10:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = sas.r4.attbi.com:8000
uInternet Settings,ProxyOverride = *.r4.attbi.com;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Harris\Application Data\Mozilla\Firefox\Profiles\jgfo7y6u.default\
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: network.proxy.ftp - sas.r4.attbi.com
FF - prefs.js: network.proxy.ftp_port - 8000
FF - prefs.js: network.proxy.http - sas.r4.attbi.com
FF - prefs.js: network.proxy.http_port - 8000
FF - prefs.js: network.proxy.socks - sas.r4.attbi.com
FF - prefs.js: network.proxy.socks_port - 8000
FF - prefs.js: network.proxy.ssl - sas.r4.attbi.com
FF - prefs.js: network.proxy.ssl_port - 8000
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-24 15:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_HD160JJ/P rev.ZM100-34 -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A9EE6E7]<<
c:\docume~1\Harris\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a9f49d0]; MOV EAX, [0x8a9f4a4c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AAC0AB8]
3 CLASSPNP[0xBA0C8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AA92400]
\Driver\nvatabus[0x8AA4E9E0] -> IRP_MJ_CREATE -> 0x8A9EE6E7
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000068 -> \??\IDE#DiskSAMSUNG_HD160JJ#P_______________________ZM100-34#20202020202030534644324A4C48303436323334#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PowerAlert Agent]
"ImagePath"="c:\program files\TrippLite\PowerAlert\engine/pa.exe -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(1048)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2516)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-24 15:34:18
ComboFix-quarantined-files.txt 2011-04-24 21:34
.
Pre-Run: 123,566,313,472 bytes free
Post-Run: 123,922,747,392 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 4C983F5E226D502AC53E83564AC69759

DDS log:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Harris at 9:00:57.42 on Mon 04/25/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1352 [GMT -6:00]
.
AV: Trend Micro Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\TrippLite\PowerAlert\engine\pa.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\taskmgr.exe
J:\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = sas.r4.attbi.com:8000
uInternet Settings,ProxyOverride = *.r4.attbi.com;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [tisspwiz.exe] "c:\program files\trend micro\internet security\tisspwiz.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: &MSN Search - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll/search.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: musicmatch.com\online
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - hxxp://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxp://www.windowsvistatestdrive.com/mm/ActiveX/VMRCActiveXClient1.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219767124405
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\harris\applic~1\mozilla\firefox\profiles\jgfo7y6u.default\
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: network.proxy.ftp - sas.r4.attbi.com
FF - prefs.js: network.proxy.ftp_port - 8000
FF - prefs.js: network.proxy.http - sas.r4.attbi.com
FF - prefs.js: network.proxy.http_port - 8000
FF - prefs.js: network.proxy.socks - sas.r4.attbi.com
FF - prefs.js: network.proxy.socks_port - 8000
FF - prefs.js: network.proxy.ssl - sas.r4.attbi.com
FF - prefs.js: network.proxy.ssl_port - 8000
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\25973\RapportCerberus_25973.sys [2011-4-23 57144]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
R2 PowerAlert Agent;PowerAlert Agent;c:\program files\tripplite\poweralert\engine/pa.exe -service --> c:\program files\tripplite\poweralert\engine/pa.exe -service [?]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-2-28 51792]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~2\TmPfw.exe [2011-2-28 488768]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2011-2-28 36432]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2011-2-28 648456]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2011-2-28 335376]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\harris\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\harris\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\harris\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\harris\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-10 135664]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
.
=============== Created Last 30 ================
.
2011-04-24 22:00:22 -------- d-----w- c:\windows\system32\CatRoot2
2011-04-24 21:20:59 -------- d-sha-r- C:\cmdcons
2011-04-24 21:18:32 98816 ----a-w- c:\windows\sed.exe
2011-04-24 21:18:32 89088 ----a-w- c:\windows\MBR.exe
2011-04-24 21:18:32 256512 ----a-w- c:\windows\PEV.exe
2011-04-24 21:18:32 161792 ----a-w- c:\windows\SWREG.exe
2011-04-24 20:38:02 -------- d-----w- c:\documents and settings\harris\log
2011-04-24 19:47:20 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-04-24 19:47:16 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-04-24 19:47:15 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-04-24 19:47:11 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-04-24 19:47:07 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-04-24 19:45:59 11775 ----a-w- c:\windows\system32\dllcache\wadv05nt.sys
2011-04-24 19:44:56 794654 ----a-w- c:\windows\system32\dllcache\usr1801.sys
2011-04-24 19:43:57 440576 ----a-w- c:\windows\system32\dllcache\tridkb.dll
2011-04-24 19:42:57 36640 ----a-w- c:\windows\system32\dllcache\t2r4mini.sys
2011-04-24 19:41:59 61824 ----a-w- c:\windows\system32\dllcache\speed.sys
2011-04-24 19:40:58 29184 ----a-w- c:\windows\system32\dllcache\sm8cw.dll
2011-04-24 19:39:57 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2011-04-24 19:38:58 166720 ----a-w- c:\windows\system32\dllcache\s3m.sys
2011-04-24 19:37:57 112574 ----a-w- c:\windows\system32\dllcache\ptserlp.sys
2011-04-24 19:36:57 29769 ----a-w- c:\windows\system32\dllcache\pcntn5m.sys
2011-04-24 19:35:56 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys
2011-04-24 19:34:57 35392 ----a-w- c:\windows\system32\dllcache\n9i128.dll
2011-04-24 19:33:57 320384 ----a-w- c:\windows\system32\dllcache\mgaum.sys
2011-04-24 19:32:58 19016 ----a-w- c:\windows\system32\dllcache\ktc111.sys
2011-04-24 19:31:58 61952 ----a-w- c:\windows\system32\dllcache\icam4ext.dll
2011-04-24 19:30:58 150239 ----a-w- c:\windows\system32\dllcache\hsf_amos.sys
2011-04-24 19:29:59 470144 ----a-w- c:\windows\system32\dllcache\g200d.dll
2011-04-24 19:28:59 40704 ----a-w- c:\windows\system32\dllcache\es1371mp.sys
2011-04-24 19:27:59 38985 ----a-w- c:\windows\system32\dllcache\disrvsu.dll
2011-04-24 19:26:59 39936 ----a-w- c:\windows\system32\dllcache\cnxt1803.sys
2011-04-24 19:25:59 281600 ----a-w- c:\windows\system32\dllcache\atimtai.sys
2011-04-24 19:23:07 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2011-04-24 19:23:00 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-04-24 19:22:53 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2011-04-24 19:22:53 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2011-04-24 19:22:53 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2011-04-24 19:22:52 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2011-04-24 19:22:52 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2011-04-24 19:22:52 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2011-04-24 19:21:07 -------- d-----w- c:\windows\system32\CatRoot2.old1
2011-04-23 20:39:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-23 19:54:32 -------- d-----w- c:\docume~1\harris\locals~1\applic~1\Trusteer
2011-04-23 15:18:08 -------- d-----w- c:\docume~1\harris\applic~1\SUPERAntiSpyware.com
2011-04-23 15:18:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-23 14:54:33 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-04-23 14:54:33 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2011-04-23 03:18:24 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-23 03:18:24 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-23 03:10:18 21504 ----a-w- c:\windows\system32\hidserv(2)(2).dll
2011-04-16 23:34:23 1409 ----a-w- c:\windows\QTFont.for
.
==================== Find3M ====================
.
2011-02-28 19:19:03 656648 ----a-w- c:\windows\system32\UfWSC.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-05 00:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 00:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_HD160JJ/P rev.ZM100-34 -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A9B96E7]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a9bf9d0]; MOV EAX, [0x8a9bfa4c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AAC2AB8]
3 CLASSPNP[0xBA0C8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A991A68]
\Driver\nvatabus[0x8AA13F38] -> IRP_MJ_CREATE -> 0x8A9B96E7
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000069 -> \??\IDE#DiskSAMSUNG_HD160JJ#P_______________________ZM100-34#20202020202030534644324A4C48303436323334#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:03:33.22 ===============

tashi
2011-04-25, 18:27
Hello jecski,

In case you missed it, please see the FAQ, which also includes guidelines for this forum and instructions in post #2 on how to provide preliminary "DDS" logs used for analysis.
"BEFORE You POST"(Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start a new topic providing the DDS logs as shown in that sticky and a volunteer analyst will advise you when available. :)

FYI: Please DO NOT RUN ComboFix without being asked (http://forums.spybot.info/showthread.php?t=16806)

Best regards.

------------------------------
http://forums.spybot.info/showthread.php?t=62397