Page 1 of 2
Results 1 to 10 of 17

Thread: Safer-networking.org blocked, occasionally redirects clicked links & popups

  1. #1 Junior Member (Join Date: Nov 2010, Posts: 7)

    Safer-networking.org blocked, occasionally redirects clicked links & popups

    Blocks safer-networking.org and other malware sites.
    Opens pop-up ads occasionally when links are clicked.
    Redirects to ads when links are clicked.
    This affects all browsers: IE, Firefox, Opera.

    System registry backed up.
    At a loss, any help appreciated.



    DDS (Ver_10-11-08.01) - NTFSx86 NETWORK
    Run by Owner at 14:12:08.18 on Mon 11/08/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.718 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    uPolicies-explorer: DisallowRun = 0 (0x0)
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: MaxRecentDocs = 18 (0x12)
    mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    TCP: NameServer = 93.188.164.123,93.188.160.203
    TCP: {E4505B3D-EBBA-48A4-92E8-3FCA78BFCAC7} = 93.188.164.123,93.188.160.203
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8wnlslie.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
    FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
    FF - plugin: c:\program files\tabletplugins\npwacom.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

    ============= SERVICES / DRIVERS ===============

    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-3-29 16168]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-8 28552]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
    S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-7-20 5010288]
    S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

    =============== Created Last 30 ================

    2010-11-08 16:07:32 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-11-08 16:07:15 -------- d-----w- c:\windows\LastGood.Tmp
    2010-11-08 16:06:52 -------- d-----w- c:\program files\Panda Security
    2010-11-08 16:02:22 -------- d-----w- c:\docume~1\owner\applic~1\QuickScan
    2010-11-08 15:32:24 -------- d-----w- C:\spoolerlogs
    2010-10-26 03:48:03 94208 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
    2010-10-26 03:48:03 140864 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
    2010-10-26 03:47:59 -------- d-----w- c:\program files\Real Alternative
    2010-10-26 03:43:41 -------- d-----w- c:\program files\o8o9.com
    2010-10-21 00:51:20 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Apple
    2010-10-14 14:46:17 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-10-14 05:45:20 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-10-14 00:34:02 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
    2010-10-14 00:34:00 43520 ------w- c:\windows\system32\dllcache\licmgr10.dll
    2010-10-14 00:33:58 66560 ------w- c:\windows\system32\dllcache\mshtmled.dll
    2010-10-14 00:28:04 -------- d-----w- c:\program files\Canon
    2010-10-13 21:23:38 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
    2010-10-13 21:23:37 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
    2010-10-13 21:22:13 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2010-10-13 21:22:12 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-13 21:22:12 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-13 21:13:11 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

    ==================== Find3M ====================

    2010-11-07 02:50:12 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
    2010-11-07 02:50:12 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
    2010-11-07 02:50:08 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL.vir
    2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:57:25 919552 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:57:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:57:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:01:06 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:43:28 590848 ----a-w- c:\windows\system32\rpcrt4.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3160021A rev.3.08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3160021A______________________________3.08____#4c33314a44334545202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8671EAEA
    user & kernel MBR OK
    sectors 312581806 (+217): user != kernel

    Registry trace:
    called modules: ntoskrnl.exe hal.dll

    ============= FINISH: 14:14:23.87 ===============

  2. #2 Security Expert- Emeritus (Join Date: Aug 2008, Location: South East Asia, Posts: 725)

    Hello blackjaw ,

    Sorry for the delay.

    If you still need help, please delete the DDS file that you have and download a fresh copy from one of the links below. Please post new DDS logs.

    Link 1
    Link 2
    Link 3

    Otherwise, this topic will be closed after 3 days.

  3. #3 Junior Member (Join Date: Nov 2010, Posts: 7)

    DDS (Ver_10-11-10.01) - NTFSx86
    Run by Owner at 18:39:15.98 on Thu 11/18/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.618 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    svchost.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    "C:\Documents and Settings\Owner\Application Data\Microsoft\svchost.exe" i
    C:\DOCUME~1\Owner\LOCALS~1\Temp\dwm.exe
    C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\shell.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    uWinlogon: Shell=explorer.exe,c:\documents and settings\owner\application data\microsoft\windows\shell.exe
    uWindows: Load=c:\docume~1\owner\locals~1\temp\dwm.exe
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [svchost] c:\documents and settings\owner\application data\microsoft\svchost.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    uPolicies-explorer: DisallowRun = 0 (0x0)
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: MaxRecentDocs = 18 (0x12)
    mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    TCP: NameServer = 93.188.164.123,93.188.160.203
    TCP: {E4505B3D-EBBA-48A4-92E8-3FCA78BFCAC7} = 93.188.164.123,93.188.160.203
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8wnlslie.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 50370
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
    FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
    FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
    FF - plugin: c:\program files\tabletplugins\npwacom.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

    ============= SERVICES / DRIVERS ===============

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-8 28552]
    R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-7-20 5010288]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-3-29 16168]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
    S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

    =============== Created Last 30 ================

    2010-11-17 18:58:58 142848 ----a-w- c:\docume~1\owner\applic~1\microsoft\windows\shell.exe
    2010-11-17 18:58:47 127488 ----a-w- c:\docume~1\owner\applic~1\microsoft\svchost.exe
    2010-11-17 18:58:44 124416 ----a-w- c:\program files\mozilla firefox\mstsc.exe
    2010-11-16 18:46:47 -------- d-----w- c:\program files\XviD
    2010-11-16 18:46:27 -------- d-----w- c:\program files\AviSynth 2.5
    2010-11-16 18:46:00 -------- d-----w- c:\program files\AutoGK
    2010-11-08 16:07:32 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-11-08 16:06:52 -------- d-----w- c:\program files\Panda Security
    2010-11-08 16:02:22 -------- d-----w- c:\docume~1\owner\applic~1\QuickScan
    2010-11-08 15:32:24 -------- d-----w- C:\spoolerlogs
    2010-10-26 03:48:03 94208 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
    2010-10-26 03:48:03 140864 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
    2010-10-26 03:47:59 -------- d-----w- c:\program files\Real Alternative
    2010-10-26 03:43:41 -------- d-----w- c:\program files\o8o9.com
    2010-10-21 00:51:20 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Apple

    ==================== Find3M ====================

    2010-11-07 02:50:12 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
    2010-11-07 02:50:12 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
    2010-11-07 02:50:08 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL.vir
    2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:57:25 919552 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:57:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:57:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:01:06 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3160021A rev.3.08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8671BEC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85898872; SUB DWORD [EBP-0x4], 0x8589812e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x867CDAB8]
    3 CLASSPNP[0xF786EFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005a[0x86785470]
    5 ACPI[0xF77E5620] -> nt!IofCallDriver[0x804E37D5] -> [0x86792D98]
    [0x866D27C0] -> IRP_MJ_CREATE -> 0x8671BEC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3160021A______________________________3.08____#4c33314a44334545202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8671BAEA
    user & kernel MBR OK
    sectors 312581806 (+243): user != kernel
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 18:41:38.72 ===============


    Thank you.
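The second DDS log above differs from the first in a handful of Pseudo HJT lines: a browser proxy pointing at 127.0.0.1:50370 (in both the IE settings and the Firefox prefs), a second executable appended to the Winlogon Shell= value, a Load= entry in the user's temp folder, and an mRun entry named svchost that runs from Application Data. As an added example that is not part of this thread and not a feature of DDS, the following Python script runs a few triage rules over constructed lines modelled on that log. The rule names, the USER_WRITABLE and SYSTEM_NAMES lists and the trusted_dns allowlist are my own assumptions; the NameServer rule only says the resolvers are not on an allowlist you supply, not that they are malicious.

```python
import ntpath
import re
from typing import Dict, List, Set

# Constructed sample: a few Pseudo HJT Report lines modelled on the second
# DDS log in this thread (not the full log, and not DDS output as such).
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uWinlogon: Shell=explorer.exe,c:\documents and settings\owner\application data\microsoft\windows\shell.exe
uWindows: Load=c:\docume~1\owner\locals~1\temp\dwm.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [svchost] c:\documents and settings\owner\application data\microsoft\svchost.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
TCP: NameServer = 93.188.164.123,93.188.160.203
"""

# Assumed heuristics (not anything DDS itself defines): substrings of
# user-writable locations a legitimate XP autostart rarely points into ...
USER_WRITABLE = ("application data", "local settings", "\\temp\\", "\\desktop\\")
# ... and names that imitate core Windows binaries, whose real copies live here.
SYSTEM_NAMES = {"svchost", "explorer", "csrss", "lsass", "winlogon", "services", "smss"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
RUN_KEYS = ("uRun:", "mRun:", "dRun:", "uRunOnce:", "mRunOnce:", "dRunOnce:")
_EXE_RE = re.compile(r"(?i)^(.*?\.(?:exe|scr|com|dll|bat|cmd))")


def _autostart_path(value: str) -> str:
    """Return the program path from an autostart value, quoted or not."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    match = _EXE_RE.match(value)
    return match.group(1) if match else value.split(" ", 1)[0]


def _check_path(path: str, line: str, findings: List[Dict[str, str]]) -> None:
    """Path-based rules shared by Run, Shell= and Load= targets."""
    low = path.strip().lower()
    if any(marker in low for marker in USER_WRITABLE):
        findings.append({"rule": "user-writable-autostart", "line": line})
    stem = ntpath.splitext(ntpath.basename(low))[0]
    if stem in SYSTEM_NAMES and ntpath.dirname(low) not in SYSTEM_DIRS:
        findings.append({"rule": "system-name-outside-windows", "line": line})


def triage(report: str, trusted_dns: Set[str] = frozenset()) -> List[Dict[str, str]]:
    """Run the rules over report text; each finding names the rule and the line."""
    findings: List[Dict[str, str]] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(RUN_KEYS) and "]" in line:
            _check_path(_autostart_path(line.split("]", 1)[1]), line, findings)
        elif "ProxyServer" in line and "=" in line:
            # Traffic routed through a process listening on the local host.
            value = line.split("=", 1)[1].lower()
            if "127.0.0.1" in value or "localhost" in value:
                findings.append({"rule": "local-proxy", "line": line})
        elif line.startswith(("uWinlogon:", "mWinlogon:")) and "Shell=" in line:
            # Anything besides explorer.exe on Shell= starts at every logon.
            extras = [s for s in line.split("Shell=", 1)[1].split(",")
                      if s.strip().lower() != "explorer.exe"]
            if extras:
                findings.append({"rule": "winlogon-shell", "line": line})
                for extra in extras:
                    _check_path(extra, line, findings)
        elif line.startswith(("uWindows:", "mWindows:")) and "Load=" in line:
            # Legacy win.ini-style Load= autostart; normally empty.
            target = line.split("Load=", 1)[1].strip()
            if target:
                findings.append({"rule": "windows-load", "line": line})
                _check_path(target, line, findings)
        elif line.startswith("TCP:") and "NameServer" in line and "=" in line:
            servers = [s.strip() for s in line.split("=", 1)[1].split(",")]
            if [s for s in servers if s and s not in trusted_dns]:
                findings.append({"rule": "untrusted-dns", "line": line})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(f"[{finding['rule']}] {finding['line']}")
```

Run against the sample, the script reports every line the helper later asks about and stays silent on the stock CoolSwitch and CTFMON entries; pass your ISP's or corporate resolvers as trusted_dns to suppress the DNS finding for known-good addresses.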

  4. #4 Security Expert- Emeritus (Join Date: Aug 2008, Location: South East Asia, Posts: 725)

    Hello blackjaw ,

    Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

    Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
    • Please observe and follow these Forum Rules.
    • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
    • Please read the instructions carefully and follow them closely, in the order they are presented to you.
    • If you have any doubts or problems during the fix, please stop and ask.
    • All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
    • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
    • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
    • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
    • If you do not reply within 3 days, this topic will be closed.

    If you are agreeable to the above, then everything should go smoothly. We may begin.

    --------------------

    Is this a business or corporate machine? I see quite a few programs mostly seen on such computers.

    --------------------

    Check for additional security risks
    • Please download CKScanner© by askey127 and save to your desktop. Click here.
    • Double click on CKScanner.exe and click Search For Files.
    • After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted, click OK.
    • Post the contents of ckfiles.txt in your reply, it is located on your desktop.


    --------------------

    Please close all programs and do not run any others before and during the GMER scan. Do not use the computer for anything else until after the scan is completed.

    Please download GMER and save it to your desktop. Click here.
    • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running GMER. They may cause the computer to freeze.
    • If you need help to disable your protection programs see here and here.
    • Double click the .exe file. If asked to allow the gmer driver file with a sys extension to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan, click on No.
    • In the right panel, you will see several boxes that have been checked (ticked).
      • Uncheck IAT/EAT
      • Uncheck All other Drives/Partitions except C:\ (leave C:\ checked)
      • Uncheck Show All (don't miss this one)
    • Then click the Scan button and wait for it to finish.
    • Once done, click on the Save... button and save it as "Gmer.txt" at a convenient location. Post the contents of that report.
    • Re-enable your security software as soon as you have completed the GMER steps.
      Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


    If you are having problems running this version of GMER, please try running GMER in Safe Mode. You can get into Safe Mode using the F8 key during the startup of your computer after a reboot.

    --------------------

    Please post back:
    1. the answer to my question about the computer
    2. CKScanner log
    3. GMER log

  5. #5 Junior Member (Join Date: Nov 2010, Posts: 7)

    This would be a personal computer, I do however use it for some work I do from home.

    CKScanner:

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\documents and settings\owner\favorites\5 real life soldiers who make rambo look like a pussy cracked.com.url
    c:\documents and settings\owner\favorites\various\epcgaming - cracked servers database.url
    c:\documents and settings\owner\favorites\warze\astalavista - underground crack and serial search.url
    c:\documents and settings\owner\favorites\warze\gamecopyworld - game cracks.url
    c:\documents and settings\owner\my documents\downloads\admuncher v 4.72.0.30400 inc crack rezman1984.7z
    c:\documents and settings\owner\my documents\downloads\corel painter 11 sp1\keygen.exe
    c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\a gladrag_manhunt presentation.txt
    c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\replay media catcher 3.rar
    c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\tracked_by_h33t_com.txt
    c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\rcatsetup.exe
    c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\replay media catcher.txt
    c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\tracked_by_h33t_com.txt
    c:\downloads\eskimotube.com - streaming videos of felony vs mark ashley - crack addict #6 - pornstars and centerfolds..flv
    c:\downloads\eskimotube.com - streaming videos of gwen summers and nicole sheridan - fast times at deep crack high #2 - pornstars and centerfolds..flv
    scanner sequence 3.JD.11
    ----- EOF -----


    Gmer:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-11-19 13:02:31
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3160021A rev.3.08
    Running: 3uo68yx5.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgrcypog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB00256D0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\system32\drivers\ftdisk.sys entry point in ".rsrc" section [0xF77CB314]
    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6A09000, 0x1B85E6, 0xE8000020]
    ? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2092] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104505FE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    ? C:\Documents and Settings\Owner\Application Data\Microsoft\svchost.exe[2248] number of sections mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dll
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3752] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8671BAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8671BAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8671BAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-18 8671BAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-20 8671BAEA
    Device \FileSystem\Cdfs \Cdfs EF4DC400
    Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3160021A______________________________3.08____#4c33314a44334545202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 312581559 (+247): rootkit-like behavior;

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\ftdisk.sys suspicious modification; TDL3 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----


    Thanks

  6. #6 Security Expert- Emeritus (Join Date: Aug 2008, Location: South East Asia, Posts: 725)

    Hello blackjaw ,

    This would be a personal computer, I do however use it for some work I do from home.
    Can you elaborate a bit on this?

    --------------------

    Cracks / Keygens / Warez / Illegal softwares detected!!!

    Your log indicates the presence and usage of one or more of the above. Very likely your computer got infected due to the illegal software or the illegitimate websites you visited to get it.

    Please read the fourth post of the Forum Rules.
    Note:
    We do not support the use of illegal Pirated/Warez/Cracked software.

    If seeking help in our Malware removal forum please know that users who have programs obtained by such methods will be asked to remove them, since our help could otherwise be seen as aiding copyright violations. Aside from the legalities be aware malware authors prey on users looking to circumvent a software's protection mechanisms. There is a high risk of infection involved in downloading and running crack codes.
    If you still want help, please remove the illegal items from your computer, and if you still need the software, get legal copies from legitimate sources.
    If you advise that the illegal software has been removed and I find otherwise (the tools we use can and will detect it), then I will have no choice but to have this topic closed.
    If there are more such new findings after this, the topic will also be closed.

    Please remove/uninstall the following before we continue:
    Corel Painter 11
    Corel Painter 11 - ICA
    Corel Painter 11 - IPM
    Replay Media Catcher 3.02
    c:\documents and settings\owner\favorites\various\epcgaming - cracked servers database.url
    c:\documents and settings\owner\favorites\warze\astalavista - underground crack and serial search.url
    c:\documents and settings\owner\favorites\warze\gamecopyworld - game cracks.url
    c:\documents and settings\owner\my documents\downloads\admuncher v 4.72.0.30400 inc crack rezman1984.7z
    c:\documents and settings\owner\my documents\downloads\corel painter 11 sp1\keygen.exe
    c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\a gladrag_manhunt presentation.txt
    c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\replay media catcher 3.rar
    c:\documents and settings\owner\my documents\downloads\replay media catcher 3 + crack [h33t] [gladrag_manhunt]\tracked_by_h33t_com.txt
    c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\rcatsetup.exe
    c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\replay media catcher.txt
    c:\documents and settings\owner\my documents\downloads\replay media catcher v3.02 + crack [h33] [islandgirl]\tracked_by_h33t_com.txt


    You should also delete these and stay away from such sites because they are usually used by malware authors to spread their wares:
    c:\downloads\eskimotube.com - streaming videos of felony vs mark ashley - crack addict #6 - pornstars and centerfolds..flv
    c:\downloads\eskimotube.com - streaming videos of gwen summers and nicole sheridan - fast times at deep crack high #2 - pornstars and centerfolds..flv


    Please post new CKScanner log and DDS log (Attach.txt only).

    --------------------

    Please post back:
    1. elaboration on your computer usage
    2. new CKScanner log
    3. new DDS log (Attach.txt only)

  7. #7
    Junior Member
    Join Date
    Nov 2010
    Posts
    7


    So, to elaborate a bit: I use the computer for writing (personally I have 2 books in the works), and I take a lot of work home with me, plus e-mail and watching the markets. My son, however, must be using it for something else entirely. It seems this problem was a good thing in a way.

    Is there anything else on the computer that's illegal? I don't really know what I'm looking for but this has got to stop.

    I'm going to be out of town starting tomorrow night for a week for thanksgiving. I'll still have web access but not to this computer. Will that be a problem to hold off until I'm back in town?

    I really appreciate all the help... But my son's not going to.


    CKScanner

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\documents and settings\owner\favorites\5 real life soldiers who make rambo look like a pussy cracked.com.url
    scanner sequence 3.AP.11
    ----- EOF -----


    DDS

    DDS (Ver_10-11-10.01) - NTFSx86
    Run by Owner at 0:31:00.43 on Sun 11/21/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.570 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\shell.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\taskswitch.exe
    "C:\Documents and Settings\Owner\Application Data\Microsoft\svchost.exe"
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    svchost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\DOCUME~1\Owner\LOCALS~1\Temp\dwm.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    uWinlogon: Shell=explorer.exe,c:\documents and settings\owner\application data\microsoft\windows\shell.exe
    uWindows: Load=c:\docume~1\owner\locals~1\temp\dwm.exe
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [svchost] c:\documents and settings\owner\application data\microsoft\svchost.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    uPolicies-explorer: DisallowRun = 0 (0x0)
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: MaxRecentDocs = 18 (0x12)
    mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    TCP: NameServer = 93.188.164.123,93.188.160.203
    TCP: {E4505B3D-EBBA-48A4-92E8-3FCA78BFCAC7} = 93.188.164.123,93.188.160.203
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8wnlslie.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 50370
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
    FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
    FF - plugin: c:\program files\tabletplugins\npwacom.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

    ============= SERVICES / DRIVERS ===============

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-8 28552]
    R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-7-20 5010288]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-3-29 16168]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
    S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

    =============== Created Last 30 ================

    2010-11-17 18:58:58 139264 ----a-w- c:\docume~1\owner\applic~1\microsoft\windows\shell.exe
    2010-11-17 18:58:47 121344 ----a-w- c:\docume~1\owner\applic~1\microsoft\svchost.exe
    2010-11-17 18:58:44 124416 ----a-w- c:\program files\mozilla firefox\mstsc.exe
    2010-11-16 18:46:47 -------- d-----w- c:\program files\XviD
    2010-11-16 18:46:27 -------- d-----w- c:\program files\AviSynth 2.5
    2010-11-16 18:46:00 -------- d-----w- c:\program files\AutoGK
    2010-11-08 16:07:32 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-11-08 16:06:52 -------- d-----w- c:\program files\Panda Security
    2010-11-08 16:02:22 -------- d-----w- c:\docume~1\owner\applic~1\QuickScan
    2010-11-08 15:32:24 -------- d-----w- C:\spoolerlogs
    2010-10-26 03:48:03 94208 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
    2010-10-26 03:48:03 140864 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
    2010-10-26 03:47:59 -------- d-----w- c:\program files\Real Alternative
    2010-10-26 03:43:41 -------- d-----w- c:\program files\o8o9.com

    ==================== Find3M ====================

    2010-11-07 02:50:12 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
    2010-11-07 02:50:12 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
    2010-11-07 02:50:08 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL.vir
    2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:57:25 919552 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:57:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:57:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:01:06 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3160021A rev.3.08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8671BEC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85898872; SUB DWORD [EBP-0x4], 0x8589812e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x867CDAB8]
    3 CLASSPNP[0xF786EFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005a[0x86785470]
    5 ACPI[0xF77E5620] -> nt!IofCallDriver[0x804E37D5] -> [0x86792D98]
    [0x867CFF38] -> IRP_MJ_CREATE -> 0x8671BEC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3160021A______________________________3.08____#4c33314a44334545202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8671BAEA
    user & kernel MBR OK
    sectors 312581806 (+249): user != kernel
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 0:33:14.67 ===============

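The DDS log above carries several indicators worth checking by hand on any log of this kind: an IE system proxy and matching Firefox proxy prefs pointed at the local host (traffic relayed through a process on the box), a second entry appended to the Winlogon Shell value, a win.ini-style Load= autostart from Temp, a Run entry named svchost but living under Application Data, statically configured DNS servers, and SfcDisable set so Windows File Protection is off. The script below is an added example, not part of this thread and not code from DDS, ComboFix or any other tool named here: it encodes those indicators as rules and runs them over a constructed sample modelled on the posted Pseudo HJT Report lines. The rule names, regexes and thresholds are this example's own choices; only the DDS line prefixes follow the real log format.

```python
"""Triage rules over DDS 'Pseudo HJT Report' lines.

Added example, not part of the forum thread and not code from DDS, ComboFix
or any other tool named in it. Rule names, regexes and the sample text are
this example's own choices; only the DDS line prefixes (uInternet Settings,
uWinlogon, uWindows, mRun, TCP:, FF - prefs.js) follow the real log format.
"""
import re

# Constructed sample, modelled on the Pseudo HJT Report lines in the thread.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:50370
mWinlogon: SfcDisable=-99 (0xffffff9d)
uWinlogon: Shell=explorer.exe,c:\\documents and settings\\owner\\application data\\microsoft\\windows\\shell.exe
uWindows: Load=c:\\docume~1\\owner\\locals~1\\temp\\dwm.exe
mRun: [StartCCC] "c:\\program files\\ati technologies\\ati.ace\\core-static\\CLIStart.exe" MSRun
mRun: [svchost] c:\\documents and settings\\owner\\application data\\microsoft\\svchost.exe
TCP: NameServer = 93.188.164.123,93.188.160.203
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
"""

LOOPBACK = r"(?:127\.0\.0\.1|localhost)"

# Rules that can be decided by a single pattern over the whole line.
LINE_RULES = [
    # IE system proxy pointed at the local host: browser traffic is being relayed.
    ("ie-proxy-to-loopback",
     re.compile(r"^[um]Internet Settings,ProxyServer = .*" + LOOPBACK, re.I)),
    # Firefox keeps its own proxy prefs; network.proxy.type 1 (manual) makes them take effect.
    ("ff-proxy-to-loopback",
     re.compile(r"^FF - prefs\.js: network\.proxy\.(?:http|ssl|ftp|socks) - " + LOOPBACK + r"$", re.I)),
    # win.ini-style Load= key: a legacy autostart that legitimate software almost never sets.
    ("win-ini-load-key", re.compile(r"^[um]Windows: Load=\S", re.I)),
    # Statically configured resolvers: compare them against the ones you expect on this network.
    ("static-dns-servers", re.compile(r"^TCP: NameServer = \S", re.I)),
]

RUN_ENTRY = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$", re.I)
SHELL_VALUE = re.compile(r"^[um]Winlogon: Shell=(?P<shell>.+)$", re.I)
SFC_VALUE = re.compile(r"^[um]Winlogon: SfcDisable=(?P<val>-?\d+)", re.I)
# Profile locations any user process can write to (XP long and 8.3 short forms).
USER_WRITABLE = re.compile(r"application data|applic~1|local settings|locals~1|\\temp\\|\\downloads\\", re.I)
# Names of Windows system binaries that malware likes to borrow for its autoruns.
SYSTEM_LIKE_NAMES = {"svchost", "explorer", "lsass", "csrss", "winlogon", "services", "dwm"}


def _structural_checks(line):
    """Rules that need the line split into fields rather than one regex."""
    hits = []
    m = SHELL_VALUE.match(line)
    if m:
        # A healthy Winlogon Shell value is exactly "explorer.exe"; anything appended runs at logon.
        entries = [e.strip().lower() for e in m.group("shell").split(",")]
        if entries != ["explorer.exe"]:
            hits.append("winlogon-shell-not-explorer")
    m = SFC_VALUE.match(line)
    if m and int(m.group("val")) != 0:
        # Any non-zero SfcDisable turns Windows File Protection off.
        hits.append("sfc-disabled")
    m = RUN_ENTRY.match(line)
    if m:
        cmd = m.group("cmd").lower()
        if USER_WRITABLE.search(cmd):
            hits.append("autorun-from-user-writable-path")
        if m.group("name").lower() in SYSTEM_LIKE_NAMES and "\\windows\\system32\\" not in cmd:
            hits.append("system-binary-name-outside-system32")
    return hits


def triage(text):
    """Return [(rule, line), ...] for every log line that trips a rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern in LINE_RULES:
            if pattern.search(line):
                findings.append((name, line))
        findings.extend((name, line) for name in _structural_checks(line))
    return findings


def rule_names(findings):
    """Distinct rule names, sorted, for a quick summary."""
    return sorted({name for name, _ in findings})


if __name__ == "__main__":
    for name, line in triage(SAMPLE_LOG):
        print(f"{name:38} {line}")
```

Treat the output as a review list, not a verdict: a loopback proxy is also how legitimate local filtering software hooks the browser, and a static NameServer is normal on a managed network, so each hit should be matched against what the machine is supposed to run. The Winlogon Shell, Load= and Run-from-profile hits are the ones with essentially no benign explanation on a home XP box.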
  8. #8
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello blackjaw,

    Thank you for the clarification and removal of the illegal stuff.

    I'm going to be out of town starting tomorrow night for a week for thanksgiving. I'll still have web access but not to this computer. Will that be a problem to hold off until I'm back in town?
    No issue as long as I am informed. Thanks.

    --------------------

    Please download ComboFix© by sUBs from one of the links below and save it to your desktop.

    Link 1
    Link 2

    Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

    Install Recovery Console and run ComboFix
    • Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs when running ComboFix. They will interfere and may cause unexpected results.
    • If you need help to disable your protection programs see here and here.
    • Double click on ComboFix.exe and follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will be asked to install it if it is not present in your computer. Click Yes to proceed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, click on Yes to continue scanning for malware.
    • When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
    • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
    • Re-enable your security software as soon as you have completed the ComboFix steps.


    A detailed step by step tutorial to run ComboFix can be found here if you need help.

    --------------------

    Please post back:
    1. the ComboFix log

  9. #9
    Junior Member
    Join Date
    Nov 2010
    Posts
    7


    Hi
    I'm leaving tonight and will be back on Saturday the 27th. I'll reply the same day I'm back.

    I wasn't able to run combofix.exe at first, so I renamed the file and it ran fine. So far I can use my browsers normally again. The computer's running better/faster as well. But don't get the wrong idea, I'll keep checking the topic once I'm back in town.

    Big thanks and happy Thanksgiving, Jack&Jill, you've done me a great service.

    ComboFix

    ComboFix 10-11-21.01 - Owner 11/21/2010 20:22:04.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.756 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\gmbox.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Application Data\Microsoft\stor.cfg
    c:\documents and settings\Owner\Application Data\Microsoft\svchost.exe
    c:\documents and settings\Owner\Application Data\Microsoft\Windows\shell.exe
    C:\readme.txt
    c:\windows\settings.reg
    c:\windows\system32\Data

    Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-10-22 to 2010-11-22 )))))))))))))))))))))))))))))))
    .

    2010-11-17 18:58 . 2010-11-17 18:58 124416 ----a-w- c:\program files\Mozilla Firefox\mstsc.exe
    2010-11-16 18:46 . 2010-11-16 18:46 -------- d-----w- c:\program files\XviD
    2010-11-16 18:46 . 2010-11-16 18:46 -------- d-----w- c:\program files\AviSynth 2.5
    2010-11-16 18:46 . 2010-11-16 18:46 -------- d-----w- c:\program files\Gabest
    2010-11-16 18:46 . 2010-11-16 18:46 -------- d-----w- c:\program files\AutoGK
    2010-11-08 19:08 . 2010-11-08 19:08 -------- d-----w- c:\program files\ERUNT
    2010-11-08 16:07 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-11-08 16:06 . 2010-11-08 16:06 -------- d-----w- c:\program files\Panda Security
    2010-11-08 16:02 . 2010-11-08 16:02 -------- d-----w- c:\documents and settings\Owner\Application Data\QuickScan
    2010-11-08 15:32 . 2010-11-08 15:32 -------- d-----w- C:\spoolerlogs
    2010-10-27 12:02 . 2010-10-27 12:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2010-10-26 03:48 . 2010-10-26 03:48 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
    2010-10-26 03:48 . 2010-02-15 18:00 94208 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
    2010-10-26 03:48 . 2010-02-15 18:00 140864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
    2010-10-26 03:47 . 2010-10-26 03:48 -------- d-----w- c:\program files\Real Alternative
    2010-10-26 03:43 . 2010-10-26 03:43 -------- d-----w- c:\program files\o8o9.com

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-07 02:50 . 2010-02-22 06:38 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
    2010-11-07 02:50 . 2010-02-22 06:38 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
    2010-11-07 02:50 . 2010-02-19 06:30 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL.vir
    2010-09-18 16:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:57 . 2009-10-19 08:27 919552 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:57 . 2009-10-19 08:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:57 . 2009-10-19 08:25 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:48 . 2009-10-19 08:25 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:38 . 2009-10-19 08:27 1861888 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:01 . 2009-10-19 08:27 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 06:05 . 2008-04-14 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:37 . 2009-10-19 08:27 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-10-19 08:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys

    [-] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys

    [-] 2008-04-14 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

    [-] 2008-04-14 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys

    [-] 2009-10-19 . B5B1080D35974C0E718D64280761BCD5 . 182912 . . [5.1.2600.5588] . . c:\windows\system32\drivers\ndis.sys

    [-] 2009-03-23 . AE8CAD8F28DB13B515A68510A539B0B8 . 576512 . . [5.1.2600.5782] . . c:\windows\system32\drivers\ntfs.sys

    [-] 2008-04-14 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

    [-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

    [-] 2009-10-19 . 7E39A3EDC13B076E70FDB9A6F6D7A4B4 . 78336 . . [5.1.2600.5574] . . c:\windows\system32\browser.dll

    [-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe

    [-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll

    [-] 2009-10-19 . F13D1AA04F1F02399EB87F011584B7C0 . 408576 . . [6.7.2600.5796] . . c:\windows\system32\qmgr.dll
    [-] 2009-10-19 . F13D1AA04F1F02399EB87F011584B7C0 . 408576 . . [6.7.2600.5796] . . c:\windows\system32\bits\qmgr.dll

    [-] 2009-10-19 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll

    [-] 2009-10-19 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe

    [-] 2009-10-19 . 53A8857723277B1D6D5EE60A9F85B117 . 509440 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe

    [-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll

    [-] 2009-10-19 08:25 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll

    [-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll

    [-] 2009-10-19 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll

    [-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll

    [-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll

    [-] 2009-10-19 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
    [-] 2009-10-19 . 06B8485FB1DA9A552B10AB978CD1AC85 . 343040 . . [7.0.2600.5701] . . c:\windows\system32\msvcrt.dll
    [-] 2009-10-19 . A4C4A54FD7E31179CB5BDF7896DF3DF7 . 343040 . . [7.0.2600.5701] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5701_x-ww_40d12c25\msvcrt.dll

    [-] 2009-10-19 . 290C1A30DEFC723BBE10910AC2D6F6D0 . 245248 . . [5.1.2600.5649] . . c:\windows\system32\mswsock.dll

    [-] 2009-10-19 . DAB13813B25B3D009B2AC1194CF5D0A2 . 407552 . . [5.1.2600.5755] . . c:\windows\system32\netlogon.dll

    [-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll

    [-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll

    [-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll

    [-] 2009-10-19 . 67E38B4A549833E02D4D1617B5DBC318 . 14848 . . [5.1.2600.5689] . . c:\windows\system32\svchost.exe

    [-] 2009-10-19 . E2B32B10ACC5D97623275AAFB67E5F03 . 249856 . . [5.1.2600.5654] . . c:\windows\system32\tapisrv.dll

    [-] 2009-10-19 . 3DE22354C3609B3C3E5DC2C19C5E0693 . 578560 . . [5.1.2600.5577] . . c:\windows\system32\user32.dll

    [-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe

    [-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll

    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll

    [-] 2009-10-19 . 2BB75B7F548D82A099125D0C5971DE7D . 1033728 . . [6.00.2900.5634] . . c:\windows\explorer.exe

    [-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll


    [-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll

    [-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll

    [-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll


    [-] 2009-10-19 . 888CD7B39C37E13A2419BECFAAF0A28C . 135168 . . [6.00.2900.5853] . . c:\windows\system32\shsvcs.dll

    [-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll

    [-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll

    [-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll

    [-] 2009-10-19 . 5128852A18AE46C387F87BF27DA4C9DD . 296960 . . [5.1.2600.5815] . . c:\windows\system32\termsrv.dll

    [-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\appmgmts.dll

    [-] 2008-04-14 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

    [-] 2008-04-13 20:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys

    [-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys

    [-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll

    [-] 2009-10-19 08:26 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

    [-] 2008-04-14 12:00 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll

    [-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll

    [-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll

    [-] 2009-10-19 . D2CF91B2C710E9F666E60AFBF87643EE . 1689088 . . [5.03.2600.5601] . . c:\windows\system32\d3d9.dll

    [-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\ddraw.dll

    [-] 2008-04-14 12:00 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll

    [-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\perfctrs.dll

    [-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll

    c:\windows\System32\wscntfy.exe ... is missing !!
    c:\windows\System32\ctfmon.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "P17Helper"="P17.dll" [2003-11-17 60416]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-10-19 128512]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MaxRecentDocs"= 18 (0x12)
    "NoSMConfigurePrograms"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\MagicDisc.lnk
    backup=c:\windows\pss\MagicDisc.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2003-01-17 19:59 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "JavaQuickStarterService"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/8/2010 11:07 AM 28552]
    R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [7/20/2010 11:24 PM 5010288]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [3/29/2010 9:15 PM 16168]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 3:29 AM 9472]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-11-22 c:\windows\Tasks\User_Feed_Synchronization-{41B44F24-BED9-4AE2-93D3-B731A5389B85}.job
    - c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8wnlslie.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 50370
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
    FF - plugin: c:\program files\TabletPlugins\npwacom.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKU-Default-Run-CTFMON.EXE - c:\windows\system32\CTFMON.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-21 20:27
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(528)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-11-21 20:30:08
    ComboFix-quarantined-files.txt 2010-11-22 01:29

    Pre-Run: 5,315,035,136 bytes free
    Post-Run: 8,487,870,464 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 39DA51E8EBAACDA1DB1025858416D59E
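
The Supplementary Scan in the posted log shows the same loopback proxy, 127.0.0.1:50370, in two independent places: the WinINet ProxyServer value that IE honours and the Firefox prefs.js manual-proxy settings (network.proxy.type 1). One process on the machine listening as a proxy in front of every browser is consistent with the symptoms reported in the thread, redirects and blocked sites in IE, Firefox and Opera alike. The script below is an added example, not part of the original post and not ComboFix/DDS code, that parses those log lines and flags loopback or unapproved proxy endpoints, then correlates the IE and Firefox values. The sample lines are constructed to mirror the posted log; the function names, the allowed-hosts list and the reading of the u/m line prefixes as per-user/per-machine entries are assumptions.

```python
"""Flag loopback or unapproved browser proxies in DDS/ComboFix-style log lines.

Added example for the thread above; not the original poster's data or a
ComboFix/DDS feature. SAMPLE_LOG is constructed to mirror the posted log.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:50370
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
"""

# 'u' / 'm' prefix: per-user (HKCU) / per-machine (HKLM) entry in DDS notation (assumption).
IE_PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
IE_OVERRIDE_RE = re.compile(r"^[um]Internet Settings,ProxyOverride\s*=\s*(?P<value>.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<name>network\.proxy\.\S+) - (?P<value>.+)$")

Endpoint = Tuple[str, Optional[int]]


def is_loopback(host: str) -> bool:
    """True for 'localhost' and any IPv4/IPv6 loopback address."""
    if host.lower().rstrip(".") == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def _split_endpoint(endpoint: str) -> Endpoint:
    host, sep, port = endpoint.strip().rpartition(":")
    if not sep:                      # bare host, no port given
        return endpoint.strip(), None
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_ie_proxy(value: str) -> Dict[str, Endpoint]:
    """Parse a WinINet ProxyServer string.

    Accepts 'host:port' (one proxy for every scheme, keyed '*') and the
    per-scheme form 'http=host:port;https=host:port;socks=host:port'.
    """
    result: Dict[str, Endpoint] = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, sep, endpoint = entry.partition("=")
        if not sep:
            scheme, endpoint = "*", entry
        result[scheme.strip().lower()] = _split_endpoint(endpoint)
    return result


@dataclass
class ProxyState:
    ie_proxies: Dict[str, Endpoint] = field(default_factory=dict)
    ie_override: Optional[str] = None
    ff_prefs: Dict[str, str] = field(default_factory=dict)

    def ff_manual_proxy(self) -> Optional[Endpoint]:
        """Firefox HTTP proxy, only when network.proxy.type is 1 (manual)."""
        if self.ff_prefs.get("network.proxy.type") != "1":
            return None
        host = self.ff_prefs.get("network.proxy.http")
        if not host:
            return None
        port = self.ff_prefs.get("network.proxy.http_port", "")
        return host, (int(port) if port.isdigit() else None)


def parse_log(text: str) -> ProxyState:
    """Collect the proxy-related lines from a DDS/ComboFix log."""
    state = ProxyState()
    for raw in text.splitlines():
        line = raw.strip()
        m = IE_PROXY_RE.match(line)
        if m:
            state.ie_proxies.update(parse_ie_proxy(m.group("value")))
            continue
        m = IE_OVERRIDE_RE.match(line)
        if m:
            state.ie_override = m.group("value").strip()
            continue
        m = FF_PREF_RE.match(line)
        if m:
            state.ff_prefs[m.group("name")] = m.group("value").strip()
    return state


def assess(state: ProxyState, allowed_hosts: Iterable[str] = ()) -> List[str]:
    """Return findings; an empty list means no proxy worth a closer look."""
    allowed = {h.lower() for h in allowed_hosts}   # e.g. a known corporate proxy (assumed)
    findings: List[str] = []

    def check(label: str, host: str, port: Optional[int]) -> None:
        if is_loopback(host):
            findings.append(f"{label} points at loopback {host}:{port}: a process on this "
                            "machine is listening as a proxy; identify it before trusting it")
        elif host.lower() not in allowed:
            findings.append(f"{label} {host}:{port} is not an approved proxy")

    for scheme, (host, port) in sorted(state.ie_proxies.items()):
        check(f"IE/WinINet {scheme} proxy", host, port)
    ff = state.ff_manual_proxy()
    if ff:
        check("Firefox manual proxy", *ff)
    # Two independent proxy stores naming the same loopback endpoint means a single
    # local listener sits in front of every browser on the box.
    if ff and is_loopback(ff[0]) and ff in set(state.ie_proxies.values()):
        findings.append(f"IE and Firefox share loopback proxy {ff[0]}:{ff[1]}: "
                        "system-wide local interception proxy")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the affected machine the next step is to name the listener: netstat -ano | findstr :50370 gives the owning PID and tasklist /FI "PID eq <pid>" the process behind it. A loopback proxy is not malicious by itself (local web filters and debugging proxies use the same pattern), so confirm what the binary is before clearing the ProxyServer value and the Firefox network.proxy.* prefs, or the setting may simply be rewritten.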

  10. #10
    Security Expert - Emeritus
    Join Date: Aug 2008
    Location: South East Asia
    Posts: 725

    Hello blackjaw,

    Happy Thanksgiving! Enjoy yourself while I check on the long log.
