Thread: Safer-networking.org blocked, occasionally redirects clicked links & popups

  1. #1 (Junior Member)

    Safer-networking.org blocked, occasionally redirects clicked links & popups

    Blocks safer-networking.org and other malware sites.
    Opens pop-up ads occasionally when links are clicked.
    Redirects to ads when links are clicked.
    This affects all browsers: IE, Firefox, Opera.

    System registry backed up.
    At a loss, any help appreciated.



    DDS (Ver_10-11-08.01) - NTFSx86 NETWORK
    Run by Owner at 14:12:08.18 on Mon 11/08/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.718 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    uPolicies-explorer: DisallowRun = 0 (0x0)
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: MaxRecentDocs = 18 (0x12)
    mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    TCP: NameServer = 93.188.164.123,93.188.160.203
    TCP: {E4505B3D-EBBA-48A4-92E8-3FCA78BFCAC7} = 93.188.164.123,93.188.160.203
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8wnlslie.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
    FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
    FF - plugin: c:\program files\tabletplugins\npwacom.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

    ============= SERVICES / DRIVERS ===============

    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-3-29 16168]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-8 28552]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
    S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-7-20 5010288]
    S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

    =============== Created Last 30 ================

    2010-11-08 16:07:32 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-11-08 16:07:15 -------- d-----w- c:\windows\LastGood.Tmp
    2010-11-08 16:06:52 -------- d-----w- c:\program files\Panda Security
    2010-11-08 16:02:22 -------- d-----w- c:\docume~1\owner\applic~1\QuickScan
    2010-11-08 15:32:24 -------- d-----w- C:\spoolerlogs
    2010-10-26 03:48:03 94208 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
    2010-10-26 03:48:03 140864 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
    2010-10-26 03:47:59 -------- d-----w- c:\program files\Real Alternative
    2010-10-26 03:43:41 -------- d-----w- c:\program files\o8o9.com
    2010-10-21 00:51:20 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Apple
    2010-10-14 14:46:17 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-10-14 05:45:20 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-10-14 00:34:02 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
    2010-10-14 00:34:00 43520 ------w- c:\windows\system32\dllcache\licmgr10.dll
    2010-10-14 00:33:58 66560 ------w- c:\windows\system32\dllcache\mshtmled.dll
    2010-10-14 00:28:04 -------- d-----w- c:\program files\Canon
    2010-10-13 21:23:38 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
    2010-10-13 21:23:37 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
    2010-10-13 21:22:13 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2010-10-13 21:22:12 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-13 21:22:12 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-13 21:13:11 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

    ==================== Find3M ====================

    2010-11-07 02:50:12 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
    2010-11-07 02:50:12 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
    2010-11-07 02:50:08 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL.vir
    2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:57:25 919552 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:57:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:57:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:01:06 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:43:28 590848 ----a-w- c:\windows\system32\rpcrt4.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3160021A rev.3.08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3160021A______________________________3.08____#4c33314a44334545202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8671EAEA
    user & kernel MBR OK
    sectors 312581806 (+217): user != kernel

    Registry trace:
    called modules: ntoskrnl.exe hal.dll

    ============= FINISH: 14:14:23.87 ===============

  2. #2 (Security Expert- Emeritus, South East Asia)

    Hello blackjaw ,

    Sorry for the delay.

    If you still need help, please delete the DDS file that you have and download a fresh copy from one of the links below. Please post new DDS logs.

    Link 1
    Link 2
    Link 3

    Otherwise, this topic will be closed after 3 days.

  3. #3 (Junior Member)

    DDS (Ver_10-11-10.01) - NTFSx86
    Run by Owner at 18:39:15.98 on Thu 11/18/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.618 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    svchost.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    "C:\Documents and Settings\Owner\Application Data\Microsoft\svchost.exe" i
    C:\DOCUME~1\Owner\LOCALS~1\Temp\dwm.exe
    C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\shell.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    uWinlogon: Shell=explorer.exe,c:\documents and settings\owner\application data\microsoft\windows\shell.exe
    uWindows: Load=c:\docume~1\owner\locals~1\temp\dwm.exe
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [svchost] c:\documents and settings\owner\application data\microsoft\svchost.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    uPolicies-explorer: DisallowRun = 0 (0x0)
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: MaxRecentDocs = 18 (0x12)
    mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    TCP: NameServer = 93.188.164.123,93.188.160.203
    TCP: {E4505B3D-EBBA-48A4-92E8-3FCA78BFCAC7} = 93.188.164.123,93.188.160.203
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8wnlslie.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 50370
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
    FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
    FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
    FF - plugin: c:\program files\tabletplugins\npwacom.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

    ============= SERVICES / DRIVERS ===============

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-8 28552]
    R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-7-20 5010288]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-3-29 16168]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
    S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

    =============== Created Last 30 ================

    2010-11-17 18:58:58 142848 ----a-w- c:\docume~1\owner\applic~1\microsoft\windows\shell.exe
    2010-11-17 18:58:47 127488 ----a-w- c:\docume~1\owner\applic~1\microsoft\svchost.exe
    2010-11-17 18:58:44 124416 ----a-w- c:\program files\mozilla firefox\mstsc.exe
    2010-11-16 18:46:47 -------- d-----w- c:\program files\XviD
    2010-11-16 18:46:27 -------- d-----w- c:\program files\AviSynth 2.5
    2010-11-16 18:46:00 -------- d-----w- c:\program files\AutoGK
    2010-11-08 16:07:32 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-11-08 16:06:52 -------- d-----w- c:\program files\Panda Security
    2010-11-08 16:02:22 -------- d-----w- c:\docume~1\owner\applic~1\QuickScan
    2010-11-08 15:32:24 -------- d-----w- C:\spoolerlogs
    2010-10-26 03:48:03 94208 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
    2010-10-26 03:48:03 140864 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
    2010-10-26 03:47:59 -------- d-----w- c:\program files\Real Alternative
    2010-10-26 03:43:41 -------- d-----w- c:\program files\o8o9.com
    2010-10-21 00:51:20 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Apple

    ==================== Find3M ====================

    2010-11-07 02:50:12 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
    2010-11-07 02:50:12 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
    2010-11-07 02:50:08 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL.vir
    2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:57:25 919552 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:57:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:57:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:01:06 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3160021A rev.3.08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8671BEC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85898872; SUB DWORD [EBP-0x4], 0x8589812e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x867CDAB8]
    3 CLASSPNP[0xF786EFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005a[0x86785470]
    5 ACPI[0xF77E5620] -> nt!IofCallDriver[0x804E37D5] -> [0x86792D98]
    [0x866D27C0] -> IRP_MJ_CREATE -> 0x8671BEC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3160021A______________________________3.08____#4c33314a44334545202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8671BAEA
    user & kernel MBR OK
    sectors 312581806 (+243): user != kernel
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 18:41:38.72 ===============


    Thank you.
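The second DDS log above carries the indicators a helper reads for first: an IE proxy on 127.0.0.1:50370 mirrored in Firefox's prefs.js, a Winlogon Shell value with a second entry under the user's Application Data, a Windows Load value pointing at Temp, a Run entry and a running process both named svchost.exe outside the Windows directory, and DNS servers hard-set in the registry. The Python below is an added example, not part of this thread or of the DDS tool: it runs a small rule set over sample lines copied from that log (plus two benign control lines) and flags those entries. The rules, the rule names and the short list of "system-only" binary names are this example's own assumptions, meant as first-pass triage rather than a verdict. The rootkit indicators in the GMER section (the ftdisk.sys modification, the atapi DriverStartIo hook, the user-vs-kernel sector mismatch) come from a cross-view disk read and are outside what a log parser can check.

```python
"""Triage a DDS / HijackThis-style log for the hijacks seen in this thread.

Added example, not part of the forum post or of the DDS tool. Rules and the
SYSTEM_BINARIES list are assumptions for first-pass triage, not a verdict.
"""
import ipaddress
import re

# Constructed sample: lines copied from the second DDS log in this thread,
# plus two benign control lines (system32 svchost, CoolSwitch).
SAMPLE_DDS = r"""
C:\WINDOWS\system32\svchost.exe -k netsvcs
"C:\Documents and Settings\Owner\Application Data\Microsoft\svchost.exe" i
C:\DOCUME~1\Owner\LOCALS~1\Temp\dwm.exe
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uWinlogon: Shell=explorer.exe,c:\documents and settings\owner\application data\microsoft\windows\shell.exe
uWindows: Load=c:\docume~1\owner\locals~1\temp\dwm.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [svchost] c:\documents and settings\owner\application data\microsoft\svchost.exe
TCP: NameServer = 93.188.164.123,93.188.160.203
FF - prefs.js: network.proxy.type - 1
FF - prefs.js: network.proxy.http - 127.0.0.1
"""

# Names that should only run from the Windows directory (assumption: a short
# XP-era list; dwm.exe does not exist on XP at all, so any copy is suspect).
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "dwm.exe"}

PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys|scr|cpl)\b", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"documents and settings|docume~1|application data|applic~1|"
    r"local settings|locals~1|\\temp\\", re.IGNORECASE)
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def first_path(line):
    """Lower-cased first Windows executable path on the line, or None."""
    m = PATH_RE.search(line)
    return m.group(0).lower() if m else None


def masquerades(path):
    """True when a system-binary file name runs from outside %windir%."""
    if not path:
        return False
    name = path.rsplit("\\", 1)[-1]
    return bool(name in SYSTEM_BINARIES and not WINDIR_RE.match(path))


def public_resolvers(line):
    """IPv4 addresses on the line that are globally routable (not RFC1918/loopback)."""
    out = []
    for ip in IPV4_RE.findall(line):
        try:
            if ipaddress.ip_address(ip).is_global:
                out.append(ip)
        except ValueError:
            pass
    return out


def scan_dds(text):
    """Return (rule, line) pairs for every suspicious entry in the log text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        path = first_path(line)
        # Running-process lines and Run-key entries: check where the binary lives.
        if re.match(r'"?[a-z]:\\', low) or re.match(r"[umd]run(?:once)?:", low):
            if masquerades(path):
                findings.append(("masquerading system binary", line))
            elif path and USER_WRITABLE_RE.search(path):
                findings.append(("executable in user-writable path", line))
        elif "proxyserver" in low and ("127.0.0.1" in low or "localhost" in low):
            findings.append(("loopback proxy", line))
        elif low.startswith("ff - prefs.js: network.proxy.http -") and "127.0.0.1" in low:
            findings.append(("loopback proxy", line))
        elif "winlogon: shell=" in low:
            # A clean XP Shell value is exactly "explorer.exe"; extra entries start at logon too.
            if low.split("shell=", 1)[1].strip() != "explorer.exe":
                findings.append(("winlogon shell hijack", line))
        elif "windows: load=" in low and low.split("load=", 1)[1].strip():
            # The win.ini-style Load value is normally empty; anything here runs at logon.
            findings.append(("windows load hijack", line))
        elif low.startswith("tcp:") and public_resolvers(line):
            # Hard-set public resolvers: confirm they belong to the ISP before trusting them.
            findings.append(("public dns resolvers", line))
    return findings


if __name__ == "__main__":
    for rule, line in scan_dds(SAMPLE_DDS):
        print(f"[{rule}] {line}")
```

Run against the sample it reports eight findings and stays silent on the two control lines and on the bare `network.proxy.type - 1` pref, which is only meaningful together with the proxy host. The first DDS log in this thread would produce only the DNS finding, which is the point of comparing the two: the proxy, Shell, Load and svchost entries all appeared between the two scans.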

  4. #4 (Security Expert- Emeritus, South East Asia)

    Hello blackjaw ,

    Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

    Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
    • Please observe and follow these Forum Rules.
    • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
    • Please read the instructions carefully and follow them closely, in the order they are presented to you.
    • If you have any doubts or problems during the fix, please stop and ask.
    • All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
    • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
    • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
    • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
    • If you do not reply within 3 days, this topic will be closed.

    If you are agreeable to the above, then everything should go smoothly. We may begin.

    --------------------

    Is this a business or corporate machine? I see quite a few programs mostly seen on such computers.

    --------------------

    Check for additional security risks
    • Please download CKScanner© by askey127 and save to your desktop. Click here.
    • Double click on CKScanner.exe and click Search For Files.
    • After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted, click OK.
    • Post the contents of ckfiles.txt in your reply, it is located on your desktop.


    --------------------

    Please close all programs and do not run any others before and during the GMER scan. Do not use the computer for anything else until after the scan is completed.

    Please download GMER and save it to your desktop. Click here.
    • Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs when running GMER. They may cause the computer to freeze.
    • If you need help to disable your protection programs see here and here.
    • Double click the .exe file. If asked to allow the gmer driver file with a sys extension to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan, click on No.
    • In the right panel, you will see several boxes that have been checked (ticked).
      • Uncheck IAT/EAT
      • Uncheck All other Drives/Partitions except C:\ (leave C:\ checked)
      • Uncheck Show All (don't miss this one)
    • Then click the Scan button and wait for it to finish.
    • Once done, click on the Save... button and save it as "Gmer.txt" at a convenient location. Post the contents of that report.
    • Re-enable your security software as soon as you have completed the GMER steps.
      Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


    If you are having problems running this version of GMER, please try running GMER in Safe Mode. You can get into Safe Mode using the F8 key during the startup of your computer after a reboot.

    --------------------

    Please post back:
    1. the answer to my question about the computer
    2. CKScanner log
    3. GMER log

  5. #5 (Junior Member)

    This would be a personal computer; I do, however, use it for some work I do from home.

    CKScanner:

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\documents and settings\owner\favorites\5 real life soldiers who make rambo look like a pussy cracked.com.url
    c:\documents and settings\owner\favorites\various\epcgaming - cracked servers database.url
    c:\documents and settings\owner\favorites\warze\astalavista - underground crack and serial search.url
    c:\documents and settings\owner\favorites\warze\gamecopyworld - game cracks.url
    c:\documents and settings\owner\my documents\downloads\admuncher v 4.72.0.30400 inc crack rezman1984.7z
    c:\documents and settings\owner\my documents\downloads\corel painter 11 sp1\keygen.exe
    c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\a gladrag_manhunt presentation.txt
    c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\replay media catcher 3.rar
    c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\tracked_by_h33t_com.txt
    c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\rcatsetup.exe
    c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\replay media catcher.txt
    c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\tracked_by_h33t_com.txt
    c:\downloads\eskimotube.com - streaming videos of felony vs mark ashley - crack addict #6 - pornstars and centerfolds..flv
    c:\downloads\eskimotube.com - streaming videos of gwen summers and nicole sheridan - fast times at deep crack high #2 - pornstars and centerfolds..flv
    scanner sequence 3.JD.11
    ----- EOF -----


    Gmer:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-11-19 13:02:31
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3160021A rev.3.08
    Running: 3uo68yx5.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgrcypog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB00256D0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\system32\drivers\ftdisk.sys entry point in ".rsrc" section [0xF77CB314]
    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6A09000, 0x1B85E6, 0xE8000020]
    ? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2092] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104505FE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    ? C:\Documents and Settings\Owner\Application Data\Microsoft\svchost.exe[2248] number of sections mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dll
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3752] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8671BAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8671BAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8671BAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-18 8671BAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-20 8671BAEA
    Device \FileSystem\Cdfs \Cdfs EF4DC400
    Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3160021A______________________________3.08____#4c33314a44334545202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 312581559 (+247): rootkit-like behavior;

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\ftdisk.sys suspicious modification; TDL3 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----


    Thanks

  6. #6 (Security Expert- Emeritus, South East Asia)

    Hello blackjaw ,

    This would be a personal computer, I do however use it for some work I do from home.
    Can you elaborate a bit on this?

    --------------------

    Cracks / Keygens / Warez / Illegal software detected!!!

    Your log indicates the presence and usage of one or more of the above. Very likely your computer got infected due to the illegal software or the illegitimate websites you visited to get it.

    Please read the fourth post of the Forum Rules.
    Note:
    We do not support the use of illegal Pirated/Warez/Cracked software.

    If seeking help in our Malware removal forum, please know that users who have programs obtained by such methods will be asked to remove them, since our help could otherwise be seen as aiding copyright violations. Aside from the legalities, be aware that malware authors prey on users looking to circumvent a software's protection mechanisms. There is a high risk of infection involved in downloading and running crack codes.
    If you still want help, please remove the illegal items from your computer, and if you still need the software, get legal copies from legitimate sources.
    If you advise that the illegal software has been removed and I find otherwise (the tools we use can and will detect it), then I will have no choice but to have this topic closed.
    If there are more such new findings after this, the topic will also be closed.

    Please remove/uninstall the following before we continue:
    Corel Painter 11
    Corel Painter 11 - ICA
    Corel Painter 11 - IPM
    Replay Media Catcher 3.02
    c:\documents and settings\owner\favorites\various\epcgaming - cracked servers database.url
    c:\documents and settings\owner\favorites\warze\astalavista - underground crack and serial search.url
    c:\documents and settings\owner\favorites\warze\gamecopyworld - game cracks.url
    c:\documents and settings\owner\my documents\downloads\admuncher v 4.72.0.30400 inc crack rezman1984.7z
    c:\documents and settings\owner\my documents\downloads\corel painter 11 sp1\keygen.exe
    c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\a gladrag_manhunt presentation.txt
    c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\replay media catcher 3.rar
    c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\tracked_by_h33t_com.txt
    c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\rcatsetup.exe
    c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\replay media catcher.txt
    c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\tracked_by_h33t_com.txt


    You should also delete these and stay away from such sites because they are usually used by malware authors to spread their wares:
    c:\downloads\eskimotube.com - streaming videos of felony vs mark ashley - crack addict #6 - pornstars and centerfolds..flv
    c:\downloads\eskimotube.com - streaming videos of gwen summers and nicole sheridan - fast times at deep crack high #2 - pornstars and centerfolds..flv


    Please post new CKScanner log and DDS log (Attach.txt only).

    --------------------

    Please post back:
    1. elaboration on your computer usage
    2. new CKScanner log
    3. new DDS log (Attach.txt only)
