colo303
2011-09-07, 13:24
There seems to be so much wrong that I will include all the info I know, in case any of it has a bearing.
I am running Windows XP Home Edition version 2002 (SP3)
and Internet Explorer 8.0.6001.18702
Computer first started running slow (off and on) around the first of the year. Around that time, my router failed and was replaced with a new one. Also, the anti-virus I was using (AVG) did an update that, I discovered after reading forums, slowed things down considerably. Lived with that for a while, but things gradually got slower and slower. Switched to MS Security Essentials and for a while things seemed better, but gradually it became slower and slower and things would just freeze up. Task Master would say that the program/file was not responding. Sometimes if I waited a few minutes it would straighten itself out, but other times I would have to try to end the programs and several times reboot to clear things out. Neither MS Sec. Essentials nor Spybot found any problems.
But then on Monday (9/5) MSSE reported a threat and successfully removed it: TrojanDownloader:Win32/Karagany.E. About 2/3 hours later, after a reboot, I noticed a new shortcut icon on the desktop called "Security Protection" that I have no idea where it came from. Clicking on its properties revealed that it started at C:\Documents & Settings\All Users\Application Data\defender.exe
Then within a couple of minutes all sorts of new cookies started loading (I was not even online) and continued for the next couple of hours. In total it was over 400, some with curious names and some that seemed legitimate like toshiba, ebay, facebook.
MSSE detected another security threat that was then removed:
Trojan - Win32/Wimpixo.E "C:\Windows\Temp\v30901.exe"
I ran Spybot S&D, which had several new items (8) in the startup list, two of which just kept coming back over and over after disabling:
Aviqafaripe rundll32.exe "C:\Windows\hikbuidy.dll" Startup
Ksihunuzehobi rundll32.exe "C:\Windows\iteteroyowuy.dll" Startup
A Spybot scan also found 11 problems; the major issues are below:
Trojan - Virtumonde.pix w/ 2 entries relating to the two items above
Trojan - Win32.Sasfis
Malware - Win32.Agent.chk
Spyware - Ad Rotator
Fixed these problems, but kept getting various pop-up messages, e.g.:
"Found new Hardware": HP Officejet that I've had for years
Rundll error loading the specified module cannot be found.
Winlogon.exe encountered a problem and needs to close hpqtra08.exe - Application error "The memory could not be read"
Task Master was now showing a process that was new:
441006001:1321776869.exe and there were no fewer than nine (9) listings for svchost.exe. Is this normal?
Something else that keeps popping up is a "Windows Security Alert" saying that Windows Firewall has blocked some features of xxxxx program and asking if I want to keep it blocked or unblock it.
Then a red icon in the system tray for MSSE saying that it isn't monitoring the computer because the program's service stopped. Couldn't start it again - popup saying "Access is denied"
Error code: 0x80070005
About that time Spybot shut down and wouldn't reopen saying "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
I did some other maintenance-type things hoping something would help. The only thing that did was when I did a System Restore to Sun 9/4; I could see some improvement. The desktop icon "Security Protection" was gone along with its defender.exe file. Also those two startup files mentioned above (rundll32.exe) were gone.
Also, in trying to search for some of these items, when I clicked on a Google search result I was redirected somewhere else. This was true also for the Spybot site. To actually get here, I had to type the name in the address bar.
I uninstalled MSSE and reinstalled it thinking that might at least let me do a scan but the same problems exist. And with Spybot, there are two versions installed (1.4 and 1.6.2). I thought when there were updates that they just installed over the older version. Does this present problems having the two versions?
Trying Spybot via its .scr files brought success at first but after checking on a few things inside the program, it froze up and wouldn't restart. Also downloaded and ran ERUNT.
I've probably forgotten a lot of things, but I hope this can get us started along with the DDS.txt below.
Thanks ~~ colo303
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 19:41:28 on 2011-09-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.169 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\441006001:1321776869.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SecureBackupShare\ComcastSecureBackupSharestat.exe
C:\PROGRA~1\Webshots\Webshots.scr
svchost.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\SecureBackupShare\ComcastSecureBackupSharebackup.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Outlook Express\msimn.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://xfinity.comcast.net/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mCustomizeSearch = hxxp://www.google.com/
uURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files\d-link toolbar\dlinktb.dll
mURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files\d-link toolbar\dlinktb.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [CookieWall] c:\program files\analogx\cookiewall\cookie.exe
mRun: [S3Trayp] S3trayp.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secure~1.lnk - c:\program files\securebackupshare\ComcastSecureBackupSharestat.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186501509171
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39301.3823148148
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{2ED207EF-DFA5-4274-92D1-33BD791CF63D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{EE0B692C-CF35-4B18-8471-31C8DBBCFDEB} : DhcpNameServer = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\8x94uw5h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-dlink-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://profiles.google.com/u/0/?edit=sa&hl=en&tab=wr|https://www.google.com/dashboard/?hl=en&pli=1|http://www.google.com/ig?authuser=0
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50-ff-dlink-ab-en-us&query=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-9-2 21656]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-9-2 13696]
R1 ComcastSecureBackupShareFilter;ComcastSecureBackupShareFilter;c:\windows\system32\drivers\ComcastSecureBackupShare.sys [2011-1-18 54776]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl21c2e329;MpKsl21c2e329;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{729b386e-35a3-460c-a7ea-842d7ac17069}\MpKsl21c2e329.sys [2011-9-6 28752]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
R2 ComcastSecureBackupSharebackup;Comcast Secure Backup & Share Backup Service;c:\program files\securebackupshare\ComcastSecureBackupSharebackup.exe [2010-12-14 15592]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2007-7-11 714240]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-1-11 1050112]
S1 MpKsl11864cbb;MpKsl11864cbb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b832f80-3f49-430e-9f15-691ab2722590}\mpksl11864cbb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b832f80-3f49-430e-9f15-691ab2722590}\MpKsl11864cbb.sys [?]
S1 MpKsl1d6c627e;MpKsl1d6c627e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6556d04-11be-4768-a28f-72e47f004680}\mpksl1d6c627e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6556d04-11be-4768-a28f-72e47f004680}\MpKsl1d6c627e.sys [?]
S1 MpKsl23051344;MpKsl23051344;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\mpksl23051344.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\MpKsl23051344.sys [?]
S1 MpKsl3dd3dcf0;MpKsl3dd3dcf0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e388d761-40d1-42fa-b923-c8a00d2d9472}\mpksl3dd3dcf0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e388d761-40d1-42fa-b923-c8a00d2d9472}\MpKsl3dd3dcf0.sys [?]
S1 MpKsl5ae31908;MpKsl5ae31908;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9bdddd78-0208-4ff6-a73c-c74a094a5d5b}\mpksl5ae31908.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9bdddd78-0208-4ff6-a73c-c74a094a5d5b}\MpKsl5ae31908.sys [?]
S1 MpKsl5bd0c5a0;MpKsl5bd0c5a0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d17f05a4-4814-4b08-abb5-0236791128f3}\mpksl5bd0c5a0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d17f05a4-4814-4b08-abb5-0236791128f3}\MpKsl5bd0c5a0.sys [?]
S1 MpKsl60f4d3ff;MpKsl60f4d3ff;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4779216-f542-43db-a459-aa4528a905b1}\mpksl60f4d3ff.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4779216-f542-43db-a459-aa4528a905b1}\MpKsl60f4d3ff.sys [?]
S1 MpKsl69ab5d8c;MpKsl69ab5d8c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{74334783-5d37-4044-94e1-635e8ff246a9}\mpksl69ab5d8c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{74334783-5d37-4044-94e1-635e8ff246a9}\MpKsl69ab5d8c.sys [?]
S1 MpKsl752e1b5a;MpKsl752e1b5a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{47a1f8a2-afb7-4a91-9d97-45b526d3ce3b}\mpksl752e1b5a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{47a1f8a2-afb7-4a91-9d97-45b526d3ce3b}\MpKsl752e1b5a.sys [?]
S1 MpKsl9bd914b0;MpKsl9bd914b0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\mpksl9bd914b0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\MpKsl9bd914b0.sys [?]
S1 MpKsla1024e33;MpKsla1024e33;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9ca4395c-f219-43eb-b69f-a6ad24aca8b8}\mpksla1024e33.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9ca4395c-f219-43eb-b69f-a6ad24aca8b8}\MpKsla1024e33.sys [?]
S1 MpKsla58db966;MpKsla58db966;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{acad5eae-1ffb-48d1-b8fa-5aecaa30e897}\mpksla58db966.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{acad5eae-1ffb-48d1-b8fa-5aecaa30e897}\MpKsla58db966.sys [?]
S1 MpKsla5f531c4;MpKsla5f531c4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0aa11008-cf62-44c0-9aab-3a26f0826033}\mpksla5f531c4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0aa11008-cf62-44c0-9aab-3a26f0826033}\MpKsla5f531c4.sys [?]
S1 MpKslbace8e13;MpKslbace8e13;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c925dc2-edca-432b-a014-e68df9506ef6}\mpkslbace8e13.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c925dc2-edca-432b-a014-e68df9506ef6}\MpKslbace8e13.sys [?]
S1 MpKslc570dc5e;MpKslc570dc5e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\mpkslc570dc5e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\MpKslc570dc5e.sys [?]
S1 MpKsldc592609;MpKsldc592609;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4779216-f542-43db-a459-aa4528a905b1}\mpksldc592609.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4779216-f542-43db-a459-aa4528a905b1}\MpKsldc592609.sys [?]
S1 MpKsled00760e;MpKsled00760e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{63504e19-850a-498a-bef4-d9cf40c4715f}\mpksled00760e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{63504e19-850a-498a-bef4-d9cf40c4715f}\MpKsled00760e.sys [?]
S1 MpKslf437815f;MpKslf437815f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b832f80-3f49-430e-9f15-691ab2722590}\mpkslf437815f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b832f80-3f49-430e-9f15-691ab2722590}\MpKslf437815f.sys [?]
S1 MpKslfe45f4f9;MpKslfe45f4f9;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fc8b157a-4e65-4448-a615-4d34cb12f402}\mpkslfe45f4f9.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fc8b157a-4e65-4448-a615-4d34cb12f402}\MpKslfe45f4f9.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-2-3 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 UXDCMN;UXDCMN;\??\c:\documents and settings\owner\desktop\winstress_test\uxdcmn.sys --> c:\documents and settings\owner\desktop\winstress_test\UXDCMN.SYS [?]
.
=============== Created Last 30 ================
.
2011-09-07 01:04:53 -------- d-----w- c:\program files\KRtech
2011-09-06 22:58:25 7152464 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-09-06 22:56:00 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{729b386e-35a3-460c-a7ea-842d7ac17069}\MpKsl21c2e329.sys
2011-09-06 22:55:18 7152464 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{729b386e-35a3-460c-a7ea-842d7ac17069}\mpengine.dll
2011-09-06 22:52:52 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-06 22:40:05 -------- d-----w- c:\documents and settings\all users\application data\White Sky, Inc
2011-09-06 20:20:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-06 20:20:23 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-06 07:34:10 -------- d-----w- C:\Webshots Data
2011-09-06 04:45:18 -------- d-----w- c:\documents and settings\owner\application data\Remote
2011-09-06 00:31:27 0 ----a-w- c:\windows\Tdowodulipo.bin
2011-09-06 00:31:00 -------- d-----w- c:\documents and settings\owner\local settings\application data\{88DE7012-FF0A-4561-8B59-9DA83E06DD92}
2011-09-06 00:29:31 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2011-09-02 03:35:18 6144 ------w- c:\windows\CRLSCSI.SYS
2011-09-02 03:35:03 151552 ------w- c:\windows\CRLLYRNT.DLL
2011-09-02 03:35:03 150016 ------w- c:\windows\CRLASP95.DLL
2011-09-02 03:34:59 -------- d-----w- C:\Font Navigator
2011-09-02 03:34:49 -------- d-----w- c:\program files\Sounds
2011-09-02 03:34:23 68096 ------w- c:\windows\system32\QPAUTO8.DLL
2011-09-02 03:33:58 117760 ------w- c:\windows\system32\NCSPI8EN.DLL
2011-09-02 03:33:57 274432 ------w- c:\windows\system32\NCSPI832.DLL
2011-09-02 03:33:49 90112 ------w- c:\windows\system32\Evysh7en.dll
2011-09-02 03:33:45 960512 ------w- c:\windows\system32\EVYSH7.DLL
2011-09-02 03:33:38 22480 ------w- c:\windows\system32\PFMAPI16.DLL
2011-09-02 03:33:38 20992 ------w- c:\windows\system32\PFMAPI32.DLL
2011-09-02 03:33:26 64000 ------w- c:\windows\system32\PFAUTO8.DLL
2011-09-02 03:33:21 7680 ------w- c:\windows\system32\SHLWP8EN.DLL
2011-09-02 03:33:21 125952 ------w- c:\windows\system32\SHELLWP.DLL
2011-09-02 03:33:17 -------- d-----w- c:\program files\Samples
2011-09-02 03:33:05 68096 ------w- c:\windows\system32\PRAUTO8.DLL
2011-09-02 03:32:49 -------- d-----w- c:\program files\Graphics
2011-09-02 03:32:48 72192 ------w- c:\windows\system32\WPAUTO8.DLL
2011-09-02 03:32:45 -------- d-----w- C:\Versions
2011-09-02 03:32:45 -------- d-----w- c:\program files\Template
2011-09-02 03:32:45 -------- d-----w- c:\program files\Shared
2011-09-02 03:32:45 -------- d-----w- c:\program files\Programs
2011-09-02 03:32:45 -------- d-----w- c:\program files\PhotoHse
2011-09-02 03:32:45 -------- d-----w- c:\program files\Macros
2011-09-02 03:32:45 -------- d-----w- c:\program files\Envoy
2011-09-02 03:32:44 -------- d-----w- c:\program files\Dad
2011-09-02 03:32:44 -------- d-----w- c:\program files\AppMan
2011-09-01 19:55:15 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
2011-09-01 18:51:56 -------- d-sh--w- c:\documents and settings\owner\IETldCache
2011-09-01 10:04:11 -------- d-----w- c:\documents and settings\owner\application data\EurekaLog
2011-09-01 08:32:15 -------- d-----w- c:\documents and settings\owner\application data\Pointstone
2011-09-01 07:34:20 -------- d-----w- c:\program files\Pointstone
2011-09-01 07:34:19 -------- d-----w- c:\program files\common files\Pointstone
2011-08-20 03:23:01 -------- d-----w- c:\windows\system32\Adobe
.
==================== Find3M ====================
.
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-15 00:28:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-06 06:06:26 1409 ----a-w- c:\windows\QTFont.for
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-29 07:41:46 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 14:10:36 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-14 04:09:22 65328 ----a-w- c:\windows\apppatch\matsshim.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380817AS rev.3.42 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x84DA4790]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x84F7D780]
3 CLASSPNP[0xF778FFD7] -> nt!IofCallDriver[0x804E13B9] -> [0x84E16F08]
\Driver\00000812[0x84EE83C8] -> IRP_MJ_CREATE -> 0x84DA4790
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x84E7D31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:42:33.76 ===============
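An added triage example (my own illustration, not code from the post, from DDS or from GMER): a small Python script that reads log lines in the shape DDS prints and flags the indicators that stand out in the log above. The sample lines are constructed to mirror the post, and the rule names and severities are my assumptions about what a helper would look at first. A path whose last component contains a colon (C:\WINDOWS\441006001:1321776869.exe) names an NTFS alternate data stream, which no legitimate process runs from; a Hosts: entry pointing a security site at 127.0.0.1 blocks that site; and the "detected hooks" line on \Driver\atapi accompanies GMER's "possible TDL3" warning. Two of the rules (bare svchost.exe entries, AppInit_DLLs) only tell you what to identify next; neither is evidence on its own.

```python
"""Flag the indicators a helper would pull out of a DDS-style log first.

Added example, not part of the original post and not the DDS or GMER
code. The rule set and severities are assumptions about what to triage
first; they are not a substitute for a full log review.
"""
import re

# Constructed sample: a handful of lines in the shape DDS prints, modelled
# on the post (the stream-named process, the hosts override, the GMER hook).
# Not the poster's full log.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\441006001:1321776869.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
============== Pseudo HJT Report ===============
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 127.0.0.1 localhost
=================== ROOTKIT ====================
detected hooks:
\Driver\atapi DriverStartIo -> 0x84E7D31B
Warning: possible TDL3 rootkit infection !
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")          # "==== Name ===="
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.IGNORECASE)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(\S.*)$", re.IGNORECASE)
HOOK_RE = re.compile(r"^\\Driver\\\S+\s+\S+\s+->\s+0x[0-9A-Fa-f]+$")
WARNING_RE = re.compile(r"^Warning:.*rootkit", re.IGNORECASE)


def is_ads_path(path):
    """True when the last component of a drive-letter path carries an NTFS
    stream name (a colon after the final backslash), e.g.
    C:\WINDOWS\441006001:1321776869.exe is a stream on the WINDOWS folder."""
    m = re.match(r"^[A-Za-z]:\\(.*)$", path)
    if not m:
        return False
    last = m.group(1).rsplit("\\", 1)[-1]
    return ":" in last


def triage(log_text):
    """Walk the log section by section and return a list of findings, each a
    dict with 'severity', 'rule' and the offending 'line'."""
    findings = []
    section = None
    bare_svchost = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).lower()
            continue
        if section == "running processes":
            if is_ads_path(line):
                findings.append(dict(severity="high", rule="ads_process", line=line))
            elif line.lower() == "svchost.exe":
                # Listed without an image path: worth asking about, not proof.
                bare_svchost += 1
        elif section == "pseudo hjt report":
            h = HOSTS_RE.match(line)
            if h and h.group(2).lower() != "localhost":
                # Any hosts entry other than localhost redirects a real site.
                findings.append(dict(severity="high", rule="hosts_override", line=line))
            if APPINIT_RE.match(line):
                # AppInit_DLLs loads into every user32 process: identify it.
                findings.append(dict(severity="medium", rule="appinit_dll", line=line))
        elif section == "rootkit":
            if HOOK_RE.match(line):
                findings.append(dict(severity="high", rule="gmer_hook", line=line))
            elif WARNING_RE.match(line):
                findings.append(dict(severity="high", rule="gmer_warning", line=line))
    if bare_svchost:
        findings.append(dict(severity="info", rule="bare_svchost",
                             line=f"{bare_svchost} svchost.exe entries listed without a path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['rule']:<15} {f['line']}")
```

Run it against a saved DDS.txt by replacing SAMPLE_LOG with the file contents; the section matcher keys off the "==== Name ====" headers DDS prints, so the "Created Last 30" and "Find3M" blocks are simply skipped. The only rule that is unconditional on its own is the alternate-data-stream check: a process image inside a stream on a system folder has no benign explanation, while the hosts, AppInit and svchost rules tell you what to look up next.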
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186501509171
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39301.3823148148
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{2ED207EF-DFA5-4274-92D1-33BD791CF63D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{EE0B692C-CF35-4B18-8471-31C8DBBCFDEB} : DhcpNameServer = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\8x94uw5h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-dlink-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://profiles.google.com/u/0/?edit=sa&hl=en&tab=wr|https://www.google.com/dashboard/?hl=en&pli=1|http://www.google.com/ig?authuser=0
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50-ff-dlink-ab-en-us&query=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-9-2 21656]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-9-2 13696]
R1 ComcastSecureBackupShareFilter;ComcastSecureBackupShareFilter;c:\windows\system32\drivers\ComcastSecureBackupShare.sys [2011-1-18 54776]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl21c2e329;MpKsl21c2e329;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{729b386e-35a3-460c-a7ea-842d7ac17069}\MpKsl21c2e329.sys [2011-9-6 28752]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
R2 ComcastSecureBackupSharebackup;Comcast Secure Backup & Share Backup Service;c:\program files\securebackupshare\ComcastSecureBackupSharebackup.exe [2010-12-14 15592]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2007-7-11 714240]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-1-11 1050112]
S1 MpKsl11864cbb;MpKsl11864cbb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b832f80-3f49-430e-9f15-691ab2722590}\mpksl11864cbb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b832f80-3f49-430e-9f15-691ab2722590}\MpKsl11864cbb.sys [?]
S1 MpKsl1d6c627e;MpKsl1d6c627e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6556d04-11be-4768-a28f-72e47f004680}\mpksl1d6c627e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6556d04-11be-4768-a28f-72e47f004680}\MpKsl1d6c627e.sys [?]
S1 MpKsl23051344;MpKsl23051344;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\mpksl23051344.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\MpKsl23051344.sys [?]
S1 MpKsl3dd3dcf0;MpKsl3dd3dcf0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e388d761-40d1-42fa-b923-c8a00d2d9472}\mpksl3dd3dcf0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e388d761-40d1-42fa-b923-c8a00d2d9472}\MpKsl3dd3dcf0.sys [?]
S1 MpKsl5ae31908;MpKsl5ae31908;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9bdddd78-0208-4ff6-a73c-c74a094a5d5b}\mpksl5ae31908.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9bdddd78-0208-4ff6-a73c-c74a094a5d5b}\MpKsl5ae31908.sys [?]
S1 MpKsl5bd0c5a0;MpKsl5bd0c5a0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d17f05a4-4814-4b08-abb5-0236791128f3}\mpksl5bd0c5a0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d17f05a4-4814-4b08-abb5-0236791128f3}\MpKsl5bd0c5a0.sys [?]
S1 MpKsl60f4d3ff;MpKsl60f4d3ff;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4779216-f542-43db-a459-aa4528a905b1}\mpksl60f4d3ff.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4779216-f542-43db-a459-aa4528a905b1}\MpKsl60f4d3ff.sys [?]
S1 MpKsl69ab5d8c;MpKsl69ab5d8c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{74334783-5d37-4044-94e1-635e8ff246a9}\mpksl69ab5d8c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{74334783-5d37-4044-94e1-635e8ff246a9}\MpKsl69ab5d8c.sys [?]
S1 MpKsl752e1b5a;MpKsl752e1b5a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{47a1f8a2-afb7-4a91-9d97-45b526d3ce3b}\mpksl752e1b5a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{47a1f8a2-afb7-4a91-9d97-45b526d3ce3b}\MpKsl752e1b5a.sys [?]
S1 MpKsl9bd914b0;MpKsl9bd914b0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\mpksl9bd914b0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\MpKsl9bd914b0.sys [?]
S1 MpKsla1024e33;MpKsla1024e33;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9ca4395c-f219-43eb-b69f-a6ad24aca8b8}\mpksla1024e33.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9ca4395c-f219-43eb-b69f-a6ad24aca8b8}\MpKsla1024e33.sys [?]
S1 MpKsla58db966;MpKsla58db966;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{acad5eae-1ffb-48d1-b8fa-5aecaa30e897}\mpksla58db966.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{acad5eae-1ffb-48d1-b8fa-5aecaa30e897}\MpKsla58db966.sys [?]
S1 MpKsla5f531c4;MpKsla5f531c4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0aa11008-cf62-44c0-9aab-3a26f0826033}\mpksla5f531c4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0aa11008-cf62-44c0-9aab-3a26f0826033}\MpKsla5f531c4.sys [?]
S1 MpKslbace8e13;MpKslbace8e13;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c925dc2-edca-432b-a014-e68df9506ef6}\mpkslbace8e13.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c925dc2-edca-432b-a014-e68df9506ef6}\MpKslbace8e13.sys [?]
S1 MpKslc570dc5e;MpKslc570dc5e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\mpkslc570dc5e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{404f2262-edf5-41c6-9e5f-6b03f55ffbd4}\MpKslc570dc5e.sys [?]
S1 MpKsldc592609;MpKsldc592609;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4779216-f542-43db-a459-aa4528a905b1}\mpksldc592609.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4779216-f542-43db-a459-aa4528a905b1}\MpKsldc592609.sys [?]
S1 MpKsled00760e;MpKsled00760e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{63504e19-850a-498a-bef4-d9cf40c4715f}\mpksled00760e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{63504e19-850a-498a-bef4-d9cf40c4715f}\MpKsled00760e.sys [?]
S1 MpKslf437815f;MpKslf437815f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b832f80-3f49-430e-9f15-691ab2722590}\mpkslf437815f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b832f80-3f49-430e-9f15-691ab2722590}\MpKslf437815f.sys [?]
S1 MpKslfe45f4f9;MpKslfe45f4f9;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fc8b157a-4e65-4448-a615-4d34cb12f402}\mpkslfe45f4f9.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fc8b157a-4e65-4448-a615-4d34cb12f402}\MpKslfe45f4f9.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-2-3 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 UXDCMN;UXDCMN;\??\c:\documents and settings\owner\desktop\winstress_test\uxdcmn.sys --> c:\documents and settings\owner\desktop\winstress_test\UXDCMN.SYS [?]
.
=============== Created Last 30 ================
.
2011-09-07 01:04:53 -------- d-----w- c:\program files\KRtech
2011-09-06 22:58:25 7152464 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-09-06 22:56:00 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{729b386e-35a3-460c-a7ea-842d7ac17069}\MpKsl21c2e329.sys
2011-09-06 22:55:18 7152464 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{729b386e-35a3-460c-a7ea-842d7ac17069}\mpengine.dll
2011-09-06 22:52:52 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-06 22:40:05 -------- d-----w- c:\documents and settings\all users\application data\White Sky, Inc
2011-09-06 20:20:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-06 20:20:23 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-06 07:34:10 -------- d-----w- C:\Webshots Data
2011-09-06 04:45:18 -------- d-----w- c:\documents and settings\owner\application data\Remote
2011-09-06 00:31:27 0 ----a-w- c:\windows\Tdowodulipo.bin
2011-09-06 00:31:00 -------- d-----w- c:\documents and settings\owner\local settings\application data\{88DE7012-FF0A-4561-8B59-9DA83E06DD92}
2011-09-06 00:29:31 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2011-09-02 03:35:18 6144 ------w- c:\windows\CRLSCSI.SYS
2011-09-02 03:35:03 151552 ------w- c:\windows\CRLLYRNT.DLL
2011-09-02 03:35:03 150016 ------w- c:\windows\CRLASP95.DLL
2011-09-02 03:34:59 -------- d-----w- C:\Font Navigator
2011-09-02 03:34:49 -------- d-----w- c:\program files\Sounds
2011-09-02 03:34:23 68096 ------w- c:\windows\system32\QPAUTO8.DLL
2011-09-02 03:33:58 117760 ------w- c:\windows\system32\NCSPI8EN.DLL
2011-09-02 03:33:57 274432 ------w- c:\windows\system32\NCSPI832.DLL
2011-09-02 03:33:49 90112 ------w- c:\windows\system32\Evysh7en.dll
2011-09-02 03:33:45 960512 ------w- c:\windows\system32\EVYSH7.DLL
2011-09-02 03:33:38 22480 ------w- c:\windows\system32\PFMAPI16.DLL
2011-09-02 03:33:38 20992 ------w- c:\windows\system32\PFMAPI32.DLL
2011-09-02 03:33:26 64000 ------w- c:\windows\system32\PFAUTO8.DLL
2011-09-02 03:33:21 7680 ------w- c:\windows\system32\SHLWP8EN.DLL
2011-09-02 03:33:21 125952 ------w- c:\windows\system32\SHELLWP.DLL
2011-09-02 03:33:17 -------- d-----w- c:\program files\Samples
2011-09-02 03:33:05 68096 ------w- c:\windows\system32\PRAUTO8.DLL
2011-09-02 03:32:49 -------- d-----w- c:\program files\Graphics
2011-09-02 03:32:48 72192 ------w- c:\windows\system32\WPAUTO8.DLL
2011-09-02 03:32:45 -------- d-----w- C:\Versions
2011-09-02 03:32:45 -------- d-----w- c:\program files\Template
2011-09-02 03:32:45 -------- d-----w- c:\program files\Shared
2011-09-02 03:32:45 -------- d-----w- c:\program files\Programs
2011-09-02 03:32:45 -------- d-----w- c:\program files\PhotoHse
2011-09-02 03:32:45 -------- d-----w- c:\program files\Macros
2011-09-02 03:32:45 -------- d-----w- c:\program files\Envoy
2011-09-02 03:32:44 -------- d-----w- c:\program files\Dad
2011-09-02 03:32:44 -------- d-----w- c:\program files\AppMan
2011-09-01 19:55:15 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
2011-09-01 18:51:56 -------- d-sh--w- c:\documents and settings\owner\IETldCache
2011-09-01 10:04:11 -------- d-----w- c:\documents and settings\owner\application data\EurekaLog
2011-09-01 08:32:15 -------- d-----w- c:\documents and settings\owner\application data\Pointstone
2011-09-01 07:34:20 -------- d-----w- c:\program files\Pointstone
2011-09-01 07:34:19 -------- d-----w- c:\program files\common files\Pointstone
2011-08-20 03:23:01 -------- d-----w- c:\windows\system32\Adobe
.
==================== Find3M ====================
.
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-15 00:28:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-06 06:06:26 1409 ----a-w- c:\windows\QTFont.for
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-29 07:41:46 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 14:10:36 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-14 04:09:22 65328 ----a-w- c:\windows\apppatch\matsshim.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380817AS rev.3.42 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x84DA4790]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x84F7D780]
3 CLASSPNP[0xF778FFD7] -> nt!IofCallDriver[0x804E13B9] -> [0x84E16F08]
\Driver\00000812[0x84EE83C8] -> IRP_MJ_CREATE -> 0x84DA4790
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x84E7D31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:42:33.76 ===============