
Thread: Malware - PC Crashes / Browser redirects


  1. #1
    Member sanjupan
    Join Date
    Sep 2010
    Posts
    45

    Malware - PC Crashes / Browser redirects

    I think malware was introduced on my machine. My PC crashes every time I open Firefox now. Chrome hangs. Only IE runs. IE redirects to random sites even when genuine sites are clicked.
    Appreciate your help.
    Thanks.

    DDS log
    ----------------------

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Sanjana at 7:04:49.15 on Sun 01/30/2011
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3539.2239 [GMT -5:00]

    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files\Fingerprint Sensor\AtService.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_450b431403c091e3\STacSV.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
    c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    C:\Windows\system32\java.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\wbem\unsecapp.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
    C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Windows\System32\jureg.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\real\realplayer\Update\realsched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    C:\Windows\system32\schtasks.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Data\MalwareRemoval\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mif5ba~1\office14\GROOVEEX.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mif5ba~1\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - c:\program files\microsoft visual studio 10.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
    mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
    mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
    mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
    mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
    mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
    mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    StartupFolder: c:\users\sanjana\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://connect.barcap.com/workplace/webifiers/wficat.cab
    DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://mcpuk1.jpmorgan.com/llclient/myonedesk-amer/winnt/AXNTEE.dll
    DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://webvpn-rd02.jpmorganchase.com/dana-cached/sc/JuniperSetupClient.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mif5ba~1\office14\GROOVEEX.DLL
    LSA: Authentication Packages = msv1_0 wvauth

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\sanjana\appdata\roaming\mozilla\firefox\profiles\lps6crmv.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - plugin: c:\progra~1\mif5ba~1\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\mif5ba~1\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\users\sanjana\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\users\sanjana\appdata\roaming\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\users\sanjana\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
    FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============

    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2009-5-15 1803512]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-4-27 293968]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-7-16 382752]
    R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]
    R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-10-5 76288]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2010-1-31 260648]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-31 122368]
    R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-1-31 6114816]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate1caaec57f5ab489;Google Update Service (gupdate1caaec57f5ab489);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 133104]
    S3 acpials;ALS Sensor Filter;c:\windows\system32\drivers\acpials.sys [2009-7-14 7680]
    S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-1-31 29472]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-1-31 47104]
    S3 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-1-31 49152]
    S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-1-31 38400]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\microsoft visual studio 10.0\team tools\performance tools\VSPerfDrv100.sys [2009-12-8 48128]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-26 1343400]
    S3 WPFFontCache_v0400;WPFFontCache_v0400;c:\windows\microsoft.net\framework\v4.0.30128\wpf\wpffontcache_v0400.exe --> c:\windows\microsoft.net\framework\v4.0.30128\wpf\WPFFontCache_v0400.exe [?]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

    =============== Created Last 30 ================

    2011-01-27 16:28:33 -------- d-----w- c:\users\sanjana\hob
    2011-01-27 16:28:18 -------- d-----w- c:\users\sanjana\hob_jportal
    2011-01-23 05:51:37 0 ----a-w- c:\users\sanjana\appdata\local\Vpumebirit.bin
    2011-01-23 05:51:35 -------- d-----w- c:\users\sanjana\appdata\local\{53DB150E-4600-44D5-9952-E9C8A98CD7FE}
    2011-01-23 05:49:45 -------- d-----w- c:\progra~2\eAeLb06504

    ==================== Find3M ====================

    2010-11-12 00:44:54 94208 ----a-w- c:\windows\system32\dpl100.dll
    2010-11-08 22:57:04 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.1.7600 Disk: SAMSUNG_ rev.2AC1 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87470555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x874767b0]; MOV EAX, [0x8747682c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x82C7E458] -> \Device\Harddisk0\DR0[0x8744B030]
    3 CLASSPNP[0x8C99D59E] -> ntkrnlpa!IofCallDriver[0x82C7E458] -> [0x8771DE60]
    \Driver\iaStor[0x87451AF0] -> IRP_MJ_CREATE -> 0x87470555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskSAMSUNG_HM250HI_________________________2AC101C4#4&80d3227&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user != kernel MBR !!!
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    ============= FINISH: 7:05:31.01 ===============

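Editor's added example, not part of the thread and not code from DDS or GMER: what the "user != kernel MBR" verdict in the rootkit section above actually tests. A stealth MBR bootkit of the kind the detector names (TDL4 and relatives) overwrites the boot code in sector 0 but keeps the partition table, so Windows still boots; it then hooks the disk driver's dispatch routine (the trace shows \Driver\iaStor IRP_MJ_CREATE pointing at an UNKNOWN address) so that ordinary reads of sector 0 get a clean copy back. The detector reads the MBR once through the normal I/O path ("user") and once by calling the lowest driver directly ("kernel") and compares. The code below implements that comparison on two constructed 512-byte sector images; no disk is read. The boot-code bytes are my assembly of the instruction sequence quoted in the log's disassembly, zero-padded, and the partition table is an assumed single NTFS layout; neither is the real contents of the poster's disk.

```python
"""Compare an OS-visible MBR with a direct-from-driver MBR, as a bootkit detector does.

All sector contents are constructed for this example.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE      # 446 bytes of boot code precede the table
PARTITION_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, four partition entries and the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PARTITION_ENTRY_SIZE])
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:PARTITION_TABLE_OFFSET],
        "partitions": entries,
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
    }


def compare_mbr_reads(user_view: bytes, kernel_view: bytes) -> dict:
    """Reproduce the check behind GMER's 'user != kernel MBR' line.

    user_view   - sector 0 as returned by a normal read of \\.\PhysicalDrive0
    kernel_view - sector 0 as returned by dispatching the read straight to the
                  lowest disk driver, bypassing any hooked dispatch routine
    """
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    verdict = {
        "identical": user_view == kernel_view,
        "boot_code_differs": u["boot_code"] != k["boot_code"],
        "partition_table_differs": u["partitions"] != k["partitions"],
        "user_sha256": hashlib.sha256(user_view).hexdigest(),
        "kernel_sha256": hashlib.sha256(kernel_view).hexdigest(),
    }
    # Bootkit pattern: the copy the OS sees and the copy on disk share a
    # partition table but not boot code. The bootkit must keep the table
    # intact for the machine to boot, and it hides only the code it replaced.
    verdict["bootkit_suspected"] = (
        verdict["boot_code_differs"] and not verdict["partition_table_differs"])
    return verdict


def verdict_line(verdict: dict) -> str:
    """Render the comparison the way the DDS rootkit section prints it."""
    return "user != kernel MBR !!!" if not verdict["identical"] else "user == kernel MBR"


def _partition_table() -> bytes:
    # Assumed layout: one bootable NTFS (type 0x07) partition at LBA 2048, then three empty slots.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 209715200)
    return entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)


def build_sector(boot_code: bytes) -> bytes:
    """Assemble a full sector from (zero-padded) boot code, the table and the signature."""
    code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    return code + _partition_table() + MBR_SIGNATURE


# Constructed stand-in for the clean sector: the relocation prologue quoted in the
# log (xor ax,ax / mov ss,ax / mov sp,7C00 / ... / rep movsb / push ax / push 61C / retf / sti).
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfb")
# Constructed stand-in for the replaced sector: same prologue, then the start of the
# rotate-decoder the log shows (pusha / mov cx,132 / mov bp,62A / ror byte [bp],cl / inc bp).
ROOTKIT_BOOT_CODE = CLEAN_BOOT_CODE + bytes.fromhex("60b93201bd2a06d24e0045")


if __name__ == "__main__":
    clean, on_disk = build_sector(CLEAN_BOOT_CODE), build_sector(ROOTKIT_BOOT_CODE)
    result = compare_mbr_reads(clean, on_disk)
    print(verdict_line(result))
    for key, value in result.items():
        print(f"  {key}: {value}")
```

The `bootkit_suspected` flag is deliberately narrower than "the two reads differ": a partitioning tool racing the read would change the table as well as the code, whereas a hidden boot-code swap with an untouched table is the shape a bootkit leaves behind. A verdict of this kind is a reason to image the first sectors (and, as the GMER log later flags, the sectors near the partition start) for offline inspection before trusting any cleanup that runs on the infected system.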
  2. #2
    Emeritus - Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi sanjupan


    My name is Blottedisk, and I'll be happy to assist you with the malware problems you have on your computer. Solving any malware-related problem may or may not solve other issues you have with your machine. Before we start fixing your computer, there are a few points you need to know:


    • Malware Logs can sometimes take a lot of time to research and interpret.
    • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
    • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.



    Please follow these steps:


    Step 1 | Please download GMER from one of the following locations and save it to your desktop:

    Main Mirror - This version will download a randomly named file (Recommended)
    Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

    --------------------------------------------------------------------

    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


    Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.



    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Make sure all options are checked except:
      • IAT/EAT
      • Drives/Partition other than Systemdrive, which is typically C:\
      • Show All (This is important, so do not miss it.)




    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.

    -- If you encounter any problems, try running GMER in Safe Mode.


    Step 2 | Please download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
    • A window will open on your desktop
    • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    • Please post the contents of that file.



    Please post back including:

    gmer.log
    MBRCheck logfile

  3. #3
    Member sanjupan
    Join Date
    Sep 2010
    Posts
    45

    GMER Log

    Thanks for your response.
    GMER Log
    ----------
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-31 20:39:41
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\iaStor0 SAMSUNG_ rev.2AC1
    Running: mcd8ewmc.exe; Driver: C:\Users\Sanjana\AppData\Local\Temp\pwldypow.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C5F599 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C83F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[1088] ntdll.dll!NtProtectVirtualMemory 77B65360 5 Bytes JMP 0029000A
    .text C:\Windows\system32\svchost.exe[1088] ntdll.dll!NtWriteVirtualMemory 77B65EE0 5 Bytes JMP 002A000A
    .text C:\Windows\system32\svchost.exe[1088] ntdll.dll!KiUserExceptionDispatcher 77B66448 5 Bytes JMP 0028000A
    .text C:\Windows\system32\svchost.exe[1088] ole32.dll!CoCreateInstance 77A1590C 5 Bytes JMP 00C5000A
    .text C:\Windows\system32\svchost.exe[1088] USER32.dll!GetCursorPos 774EC198 5 Bytes JMP 013A000A
    .text C:\Program Files\real\realplayer\Update\realsched.exe[3412] kernel32.dll!SetUnhandledExceptionFilter 76603162 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
    .text C:\Windows\Explorer.EXE[3424] ntdll.dll!NtProtectVirtualMemory 77B65360 5 Bytes JMP 0224000A
    .text C:\Windows\Explorer.EXE[3424] ntdll.dll!NtWriteVirtualMemory 77B65EE0 5 Bytes JMP 0245000A
    .text C:\Windows\Explorer.EXE[3424] ntdll.dll!KiUserExceptionDispatcher 77B66448 5 Bytes JMP 0223000A

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\ACPI_HAL \Device\0000006a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskSAMSUNG_HM250HI_________________________2AC101C4#4&80d3227&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\701a049d7f05
    Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Export ???l?????k???????????b??????s???mrxsmb??????MSDMine??_???l?l????????????????????????@%systemroot%\system32\drivers\RdpRefMp.sys,-101?G???k?k?k?k0l?l?k???k?k?k?k?k?k?l???????l??????????????????? ???????5???l??volume_snapshot_install??????????k???????????????a???????e???????????????????k??????BD???l?????????????????s?????k???k???k???????????D???????????????????l?l.i???k???????????l???l???e??@%SystemRoot%\system32\vmstorfltres.dll,-1000????????????????????5??????????????????????????????? "??k???????????????????????????????l?l?????????%???????????????????l???k?k?k?k?l?l?l??? ???????k?????k?????k?~??????????"??????????R???e?k?k?k?k???k???l??? ???????k???????????k?~????????b????????????????k??????????????????????????FH?????k?&???????l???I??s???TCP/IP Registry Compatibility??????????????????s&????l???????????????????\??Microsoft????l???l????N??l????????D??????????l??? ??????????????????????????{8ECC055D-047F-11D1-A537-0000F8753ED1}??? ???l??????????????BD???l??? ???????k?????k?????k?~??????????%? ???????B?????N??l?
    Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Export ????2B??????????? ?????????????????????1????????????????????? ?????????????????????1??????????????????????N???????????D?????????????????????????? ?????????????????????1????????????????????? ?????????????????????1????????B???????????{36fc9e60-c465-11cf-8056-444553540000}??ic??????????????????????????????????? ?????????????????????1????????????????????????????????????????????????????????????????????? ?????????????????????1????????????????????????????? ?????????????????????1????????????????????? ?????????????????????1????????????????????????????????????????????????????????????? ???????n?????????????~??????????????????????1?????? ?????????????????????~??"???&?????????????????????????????????????????? ???????????????? ????~??"???&?????q?????????????????????????????????????????????????????????]??????????????l??????wpdmtp.inf:Generic.NTx86:MTP:6.1.7600.16385:usb\class_06&subclass_01&prot_01?????????????????????????????%??ic???????????????????????????4??4E??6.1.7600.16385?95C??????????????????????????????????MTP USB
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\701a049d7f05 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Linkage@Export ???s?e???????e???????????????????v???????????!???e??????????????t?????????????????????????????????????????R??s????????h??????????s??????p???????????????? ???????s???????????s????????&????? ??????????????????????????????e????? ???????o?????s?? ??s????????$?????????c????????s?????????e????@%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8193??????????????????????????????s????????h?????"%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"???????????????t??????s?????s?????? ????????????????s?????????n????@%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8192??????????s???+??????? ???s??????????????LocalSystem?????????????????????????????????????t????s???????s??????????????????SeTcbPrivilege?SeAssignPrimaryTokenPrivilege?SeTakeOwnershipPrivilege?SeBackupPrivilege?SeRestorePrivilege?SeImpersonatePrivilege?????????,??s???????????????????????????????????????s?s?s?s?s?s?s?s?s?
    Reg HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Export ???s?????????????????????u?u?u??? ???????o?????s????????????????T????????????????????.??????????????????????System32\Drivers\ksecdd.sys??????????????????????????????0??e2??Root\*6TO4MP\0005???oem3.inf?????????????????????:???:????(??s?????????e??????????????8??s????????h?????????????????t???t???????t????????????B???v???????s???s???????????????????s???????e??????????????????????????????? ???????s???????????p????????0????? ?????????????????????????????s?????????????????????????????????????????????????? ???????o?????s?????s??????????R????????V??\SystemRoot\system32\DRIVERS\iaStorV.sys?l??SCSI Miniport?????R??s???????????d??iastorv.inf_x86_neutral_18cccb83b34e1453?????s?s?s?s?s?s?s?????????????g???????s?e???????e???????????????????v???????????!???e??????????????t?????????????????????????????????????????R??s????????h??????????s??????p???????????????? ???????s???????????s????????&????? ??????????????????????????????e????? ???????o?????s?? ??s????????$?????????c????????s?????????e????@%systemroot%\Microsoft.NET\Fra

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----

  4. #4
    Member sanjupan
    Join Date
    Sep 2010
    Posts
    45

    MBRCheck log

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Professional
    Windows Information: (build 7600), 32-bit
    Base Board Manufacturer: Dell Inc.
    BIOS Manufacturer: Dell Inc.
    System Manufacturer: Dell Inc.
    System Product Name: Latitude E5500
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 197):
    0x82C1C000 \SystemRoot\system32\ntkrnlpa.exe
    0x8302C000 \SystemRoot\system32\halmacpi.dll
    0x8761A000 \SystemRoot\system32\kdcom.dll
    0x83215000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x8328D000 \SystemRoot\system32\PSHED.dll
    0x8329E000 \SystemRoot\system32\BOOTVID.dll
    0x832A6000 \SystemRoot\system32\CLFS.SYS
    0x832E8000 \SystemRoot\system32\CI.dll
    0x83403000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x83474000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x83482000 \SystemRoot\system32\DRIVERS\ACPI.sys
    0x834CA000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
    0x834D3000 \SystemRoot\system32\DRIVERS\msisadrv.sys
    0x834DB000 \SystemRoot\system32\DRIVERS\pci.sys
    0x83505000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
    0x83510000 \SystemRoot\System32\drivers\partmgr.sys
    0x83521000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x83529000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x83534000 \SystemRoot\system32\DRIVERS\volmgr.sys
    0x83544000 \SystemRoot\System32\drivers\volmgrx.sys
    0x8358F000 \SystemRoot\system32\DRIVERS\pcmcia.sys
    0x835BD000 \SystemRoot\System32\drivers\mountmgr.sys
    0x8360D000 \SystemRoot\system32\DRIVERS\iaStor.sys
    0x836E7000 \SystemRoot\system32\DRIVERS\amdxata.sys
    0x836F0000 \SystemRoot\system32\drivers\fltmgr.sys
    0x83724000 \SystemRoot\system32\drivers\fileinfo.sys
    0x83735000 \SystemRoot\System32\Drivers\PxHelp20.sys
    0x8C43D000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8C56C000 \SystemRoot\System32\Drivers\msrpc.sys
    0x8C597000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8373F000 \SystemRoot\System32\Drivers\cng.sys
    0x8C5AA000 \SystemRoot\System32\drivers\pcw.sys
    0x8C5B8000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x8C619000 \SystemRoot\system32\drivers\ndis.sys
    0x8C6D0000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8C70E000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x8C825000 \SystemRoot\System32\drivers\tcpip.sys
    0x8C96E000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8C99F000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
    0x8C9A8000 \SystemRoot\system32\DRIVERS\volsnap.sys
    0x8C9E7000 \SystemRoot\System32\Drivers\spldr.sys
    0x8C733000 \SystemRoot\System32\drivers\rdyboost.sys
    0x8C9EF000 \SystemRoot\system32\DRIVERS\PBADRV.sys
    0x8C800000 \SystemRoot\System32\Drivers\mup.sys
    0x8C810000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x8C760000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x8C792000 \SystemRoot\system32\DRIVERS\disk.sys
    0x8C7A3000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    0x91EEF000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x91F0E000 \SystemRoot\System32\Drivers\Null.SYS
    0x91F15000 \SystemRoot\System32\Drivers\Beep.SYS
    0x91F1C000 \SystemRoot\System32\drivers\vga.sys
    0x91F28000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x91F49000 \SystemRoot\System32\drivers\watchdog.sys
    0x91F56000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x91F5E000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x91F66000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x91F6E000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x91F79000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x91F87000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x91F9E000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8379C000 \SystemRoot\system32\drivers\afd.sys
    0x91FA9000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x91FDB000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x8C7C8000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x91FE2000 \SystemRoot\system32\DRIVERS\vwififlt.sys
    0x8C7E7000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8C5C1000 \SystemRoot\system32\DRIVERS\serial.sys
    0x8C600000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8C5DB000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x83393000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x91FF3000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8C7F5000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8C9FA000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
    0x8C5EB000 \SystemRoot\System32\drivers\discache.sys
    0x9042F000 \SystemRoot\system32\drivers\csc.sys
    0x90493000 \SystemRoot\System32\Drivers\dfsc.sys
    0x904AB000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x904B9000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x92835000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x92E57000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x92F0E000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x92F47000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x92F52000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x92F9D000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x92FAC000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x93603000 \SystemRoot\system32\DRIVERS\NETw5s32.sys
    0x93BE2000 \SystemRoot\system32\DRIVERS\vwifibus.sys
    0x904DA000 \SystemRoot\system32\DRIVERS\b57nd60x.sys
    0x92FCB000 \SystemRoot\system32\DRIVERS\1394ohci.sys
    0x92800000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0x93BEC000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
    0x92819000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x9051B000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
    0x90554000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x90561000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x9056E000 \SystemRoot\system32\DRIVERS\serenum.sys
    0x92FF7000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x92831000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x90578000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x90581000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x90593000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
    0x905A0000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x905B2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x905CA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x905D5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x90400000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x90418000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8C400000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x8C417000 \SystemRoot\system32\DRIVERS\rdpbus.sys
    0x8C421000 \SystemRoot\system32\DRIVERS\VClone.sys
    0x835D3000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
    0x93BFD000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x9301F000 \SystemRoot\system32\DRIVERS\ks.sys
    0x93053000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x93061000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x930A5000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x930B6000 \SystemRoot\system32\DRIVERS\stwrt.sys
    0x9311E000 \SystemRoot\system32\DRIVERS\portcls.sys
    0x9314D000 \SystemRoot\system32\DRIVERS\drmk.sys
    0x93166000 \SystemRoot\system32\drivers\IntcHdmi.sys
    0x97730000 \SystemRoot\System32\win32k.sys
    0x93189000 \SystemRoot\System32\drivers\Dxapi.sys
    0x93193000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x91E00000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0x931A0000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x931B1000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x97990000 \SystemRoot\System32\TSDDD.dll
    0x931BC000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x931C7000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x931DA000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x931E1000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x931E3000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x931EF000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x979C0000 \SystemRoot\System32\cdd.dll
    0x93000000 \SystemRoot\system32\drivers\luafv.sys
    0x8DC3C000 \SystemRoot\system32\DRIVERS\WavxDMgr.sys
    0x8DC73000 \SystemRoot\system32\drivers\WudfPf.sys
    0x8DC8D000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x8DC9D000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x8DCE3000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x8DCF3000 \SystemRoot\system32\DRIVERS\pnarp.sys
    0x8DCFD000 \SystemRoot\system32\DRIVERS\purendis.sys
    0x8DD07000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x8DD23000 \SystemRoot\system32\drivers\HTTP.sys
    0x8DDA8000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x8DDC1000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x8DDD3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x8DC00000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x833D4000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0xB243D000 \SystemRoot\system32\drivers\peauth.sys
    0xB24D4000 \SystemRoot\System32\Drivers\secdrv.SYS
    0xB24DE000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0xB24FF000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xB250C000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xB255B000 \SystemRoot\System32\DRIVERS\srv.sys
    0xB25AC000 \SystemRoot\System32\Drivers\fastfat.SYS
    0xB25D6000 \??\C:\Users\Sanjana\AppData\Local\Temp\pwldypow.sys
    0x77B20000 \Windows\System32\ntdll.dll
    0x48260000 \Windows\System32\smss.exe
    0x77D60000 \Windows\System32\apisetschema.dll
    0x00620000 \Windows\System32\autochk.exe
    0x77CD0000 \Windows\System32\comdlg32.dll
    0x77CC0000 \Windows\System32\nsi.dll
    0x779C0000 \Windows\System32\ole32.dll
    0x77920000 \Windows\System32\usp10.dll
    0x77870000 \Windows\System32\rpcrt4.dll
    0x77C60000 \Windows\System32\difxapi.dll
    0x77730000 \Windows\System32\urlmon.dll
    0x776F0000 \Windows\System32\ws2_32.dll
    0x77620000 \Windows\System32\msctf.dll
    0x77600000 \Windows\System32\imm32.dll
    0x775B0000 \Windows\System32\Wldap32.dll
    0x774E0000 \Windows\System32\user32.dll
    0x774D0000 \Windows\System32\normaliz.dll
    0x774C0000 \Windows\System32\psapi.dll
    0x77460000 \Windows\System32\shlwapi.dll
    0x76810000 \Windows\System32\shell32.dll
    0x767E0000 \Windows\System32\imagehlp.dll
    0x76750000 \Windows\System32\clbcatq.dll
    0x76740000 \Windows\System32\lpk.dll
    0x76690000 \Windows\System32\msvcrt.dll
    0x765B0000 \Windows\System32\kernel32.dll
    0x763B0000 \Windows\System32\iertutil.dll
    0x76310000 \Windows\System32\advapi32.dll
    0x762C0000 \Windows\System32\gdi32.dll
    0x76120000 \Windows\System32\setupapi.dll
    0x76020000 \Windows\System32\wininet.dll
    0x75F90000 \Windows\System32\oleaut32.dll
    0x75F70000 \Windows\System32\sechost.dll
    0x75E50000 \Windows\System32\crypt32.dll
    0x75E00000 \Windows\System32\KernelBase.dll
    0x75DE0000 \Windows\System32\devobj.dll
    0x75DB0000 \Windows\System32\wintrust.dll
    0x75D20000 \Windows\System32\comctl32.dll
    0x75CF0000 \Windows\System32\cfgmgr32.dll
    0x75CE0000 \Windows\System32\msasn1.dll

    Processes (total 90):
    0 System Idle Process
    4 System
    300 C:\Windows\System32\smss.exe
    472 csrss.exe
    524 C:\Windows\System32\wininit.exe
    532 csrss.exe
    580 C:\Windows\System32\services.exe
    596 C:\Windows\System32\lsass.exe
    604 C:\Windows\System32\lsm.exe
    628 C:\Windows\System32\winlogon.exe
    772 C:\Windows\System32\svchost.exe
    836 C:\Program Files\Fingerprint Sensor\AtService.exe
    872 C:\Windows\System32\svchost.exe
    964 C:\Windows\System32\svchost.exe
    1016 C:\Windows\System32\svchost.exe
    1088 C:\Windows\System32\svchost.exe
    1140 C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_450b431403c091e3\stacsv.exe
    1324 C:\Windows\System32\svchost.exe
    1516 C:\Windows\System32\svchost.exe
    1664 C:\Windows\System32\spoolsv.exe
    1724 C:\Windows\System32\svchost.exe
    1860 C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
    1912 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1964 C:\Program Files\Bonjour\mDNSResponder.exe
    1992 C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    2020 C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
    340 C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
    392 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    1504 WmiPrvSE.exe
    1892 C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    2056 C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    2068 C:\Windows\System32\java.exe
    2100 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    2296 unsecapp.exe
    2304 C:\Windows\System32\conhost.exe
    2596 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    2696 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    2748 C:\Windows\System32\svchost.exe
    2788 C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    3016 WmiPrvSE.exe
    3272 C:\Windows\System32\taskhost.exe
    3348 C:\Windows\System32\dwm.exe
    3424 C:\Windows\explorer.exe
    3888 C:\Windows\System32\svchost.exe
    3980 C:\Windows\System32\svchost.exe
    4032 C:\Program Files\DellTPad\Apoint.exe
    4040 C:\Program Files\IDT\WDM\sttray.exe
    4056 C:\Windows\System32\hkcmd.exe
    4064 C:\Windows\System32\igfxpers.exe
    4072 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    4080 C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
    4092 C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
    1408 C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
    1380 C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
    1388 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    2684 C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    2892 C:\Windows\System32\jureg.exe
    636 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    3164 C:\Windows\System32\schtasks.exe
    3512 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    2836 C:\Windows\System32\conhost.exe
    3656 C:\Windows\System32\igfxsrvc.exe
    3412 C:\Program Files\real\realplayer\Update\realsched.exe
    4228 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    4408 C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    4432 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    4448 C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
    4700 C:\Windows\System32\igfxext.exe
    4836 C:\Windows\System32\SearchIndexer.exe
    5060 C:\Program Files\DellTPad\ApMsgFwd.exe
    5080 C:\Program Files\DellTPad\hidfind.exe
    5268 C:\Program Files\DellTPad\ApntEx.exe
    5352 C:\Program Files\Windows Media Player\wmpnetwk.exe
    5488 C:\Windows\System32\conhost.exe
    3960 C:\Windows\System32\svchost.exe
    3816 C:\Windows\System32\svchost.exe
    700 C:\Windows\System32\svchost.exe
    3620 C:\Windows\System32\audiodg.exe
    2948 C:\Windows\System32\taskeng.exe
    5932 C:\Windows\System32\SearchFilterHost.exe
    944 C:\Program Files\Internet Explorer\iexplore.exe
    5244 C:\Program Files\Internet Explorer\iexplore.exe
    5252 C:\Program Files\Internet Explorer\iexplore.exe
    1944 C:\Windows\System32\dllhost.exe
    3920 C:\Windows\System32\SearchProtocolHost.exe
    2832 dllhost.exe
    5644 dllhost.exe
    5040 C:\Data\MalwareRemoval\MBRCheck.exe
    2540 C:\Windows\System32\conhost.exe
    4532 C:\Program Files\real\realplayer\realplay.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`ac000000 (NTFS)

    PhysicalDrive0 Model Number: SAMSUNGHM250HI, Rev: 2AC101C4

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


    Done!

  5. #5
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi,


    Please download Combofix from either of the links below but rename it to gentleman.exe before saving it to your desktop.

    Link 1
    Link 2


    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------
    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
    --------------------------------------------------------------------

    • Right-click and choose "Run as administrator" on the renamed Combofix.exe & follow the prompts. When finished, it will produce a report for you.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix

  6. #6
    Member sanjupan
    Join Date
    Sep 2010
    Posts
    45

    BSOD

    I am getting the Blue Screen when I download and run Gentleman.exe (Combofix.exe).
    Do you want me to run this in Safe Mode or something? Not sure if that will resolve it.


    Thanks

  7. #7
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi sanjupan,


    Please follow these steps:


    Step 1 | Please download mbr.exe from one of the following mirrors and save it to your desktop:


    This is THE Mirror

    --------------------------------------------------------------------


    • Double click on mbr.exe to run it (Vista/Windows 7 users double click the file and choose "Run as administrator").
    • Please open the file mbr.log and post its contents in your next reply. You will find this file in the same location as mbr.exe (probably on your desktop).



    Step 2 | Please download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1
    Download Mirror #2


    --------------------------------------------------------------------
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:

      Code:
      :dir
      c:\users\Sanjana\hob /s
      c:\programdata\eAeLb06504 /s
      
      :contents
      c:\users\Sanjana\AppData\Local\WavXMapDrive.bat
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

    Note: The log can also be found on your Desktop entitled SystemLook.txt


    Step 3 | ComboFix - CFScript

    WARNING !
    This script is for THIS user and computer ONLY!
    Using this tool incorrectly could damage your Operating System... preventing it from starting again!


    You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

    Please open Notepad and copy/paste all the text below... into the window:

    Code:
    DDS::
    uInternet Settings,ProxyOverride = *.local
    1. Save it to your desktop as CFScript.txt
    2. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    3. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:



      This will cause ComboFix to run again.
      Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
      Do Not touch your computer when ComboFix is running!

      When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
    4. Please copy/paste the contents of log.txt... in your next reply.


    ** Enable your Antivirus and Firewall, before connecting to the Internet again! **

  8. #8
    Member sanjupan
    Join Date
    Sep 2010
    Posts
    45

    MBR Log

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.1.7600 Disk: SAMSUNG_ rev.2AC1 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
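As an added illustration of what the MBRCheck and mbr.exe reports above are checking (example code written for this page, not the code of MBRCheck, mbr.exe or GMER): the script verifies a 512-byte sector's boot signature, parses its partition table, and matches a SHA-1 of the bootstrap area against an allowlist of known-good boot code, which is the idea behind MBRCheck's "Windows 2008 MBR code detected" line. The sector, the allowlist and every hash value are constructed here; mbr.exe's comparison of user-mode and kernel-mode reads of the MBR is not reproduced.

```python
"""Added example: MBRCheck-style sanity checks on a 512-byte MBR sector.

Not the code of MBRCheck, mbr.exe or GMER. The sector is built in memory
from a constructed sample; on a real machine the same bytes would come
from a raw read of the first sector of the physical drive.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code; disk signature and padding follow it
PART_TABLE_OFFSET = 446    # four 16-byte partition entries
SIGNATURE_OFFSET = 510
MBR_SIGNATURE = b"\x55\xaa"


def boot_code_sha1(mbr: bytes) -> str:
    """SHA-1 of the bootstrap area only, so partition-table edits do not change it."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def check_mbr(mbr: bytes, known_boot_code: dict) -> dict:
    """Run the checks and return a report; 'issues' is empty for a clean MBR."""
    issues = []
    if len(mbr) != SECTOR_SIZE:
        return {"signature_ok": False, "boot_code_sha1": None,
                "boot_code_known": False, "partitions": [],
                "issues": ["sector is %d bytes, expected %d" % (len(mbr), SECTOR_SIZE)]}
    signature_ok = mbr[SIGNATURE_OFFSET:] == MBR_SIGNATURE
    if not signature_ok:
        issues.append("missing 0x55AA boot signature")
    digest = boot_code_sha1(mbr)
    known = known_boot_code.get(digest)
    if known is None:
        issues.append("boot code SHA-1 %s is not in the allowlist" % digest)
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["bootable"]]
    if len(active) != 1:
        issues.append("expected exactly one active partition, found %d" % len(active))
    # Overlapping entries are a classic sign of a hand-edited partition table.
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] < a["lba_start"] + a["sectors"]:
            issues.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return {"signature_ok": signature_ok, "boot_code_sha1": digest,
            "boot_code_known": known is not None, "partitions": parts,
            "issues": issues}


def build_sample_mbr() -> bytes:
    """Constructed sample: dummy boot code, one active NTFS partition, one data partition."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 8)
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"          # constructed disk signature
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    entry1 = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x07, b"\0\0\0", 206848, 100000)
    table = entry0 + entry1 + b"\x00" * 32
    mbr = boot_code + disk_sig + table + MBR_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return mbr


if __name__ == "__main__":
    sample = build_sample_mbr()
    # Placeholder allowlist; a real one is populated from a known-clean machine.
    allowlist = {boot_code_sha1(sample): "constructed sample boot code"}
    print(check_mbr(sample, allowlist))
    tampered = bytearray(sample)
    tampered[0] ^= 0xFF                 # one byte changed in the bootstrap area
    print(check_mbr(bytes(tampered), allowlist)["issues"])
```

A digest missing from the allowlist is a lead for the helper to examine, not a verdict, and the digest here is over the constructed sample, so it is not comparable with the SHA1 MBRCheck printed above.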

  9. #9
    Member sanjupan
    Join Date
    Sep 2010
    Posts
    45

    SystemLook log

    SystemLook 04.09.10 by jpshortstuff
    Log created at 17:30 on 06/02/2011 by Sanjana
    Administrator - Elevation successful

    ========== dir ==========

    c:\users\Sanjana\hob - Parameters: "/s"

    ---Files---
    None found.

    c:\users\Sanjana\hob\jwt d------ [16:28 27/01/2011]

    c:\users\Sanjana\hob\jwt\.jwscache d------ [16:28 27/01/2011]

    c:\users\Sanjana\hob\jwt\.jwscache\lib d------ [16:28 27/01/2011]
    rel91.gif --a---- 144 bytes [16:28 27/01/2011] [16:28 27/01/2011]

    c:\programdata\eAeLb06504 - Parameters: "/s"

    ---Files---
    eAeLb06504 --a---- 94 bytes [05:49 23/01/2011] [05:58 23/01/2011]

    No folders found.

    ========== contents ==========

    c:\users\Sanjana\AppData\Local\WavXMapDrive.bat - Opened succesfully.



    -= EOF =-

  10. #10
    Member sanjupan
    Join Date
    Sep 2010
    Posts
    45

    Combofix log

    ComboFix 11-02-05.01 - Sanjana 02/06/2011 17:54:24.4.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3539.2467 [GMT -5:00]
    Running from: c:\users\Sanjana\Desktop\Gentleman.exe
    Command switches used :: c:\users\Sanjana\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2011-01-06 to 2011-02-06 )))))))))))))))))))))))))))))))
    .

    2011-02-06 23:00 . 2011-02-06 23:00 -------- d-----w- c:\users\TEMP\AppData\Local\temp
    2011-02-06 23:00 . 2011-02-06 23:00 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-02-06 23:00 . 2011-02-06 23:00 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-02-06 08:00 . 2010-03-04 04:04 146304 ----a-w- c:\windows\system32\drivers\usbvideo.sys
    2011-02-06 08:00 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
    2011-02-04 12:19 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ADC27CD4-2D32-4C2E-A9B0-49785918A33D}\mpengine.dll
    2011-02-04 12:19 . 2010-07-13 05:22 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys
    2011-02-04 12:19 . 2010-10-20 04:54 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-02-04 12:19 . 2010-10-20 02:58 294400 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-04 04:10 . 2010-08-04 06:18 641536 ----a-w- c:\windows\system32\CPFilters.dll
    2011-02-04 03:54 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2011-01-27 16:28 . 2011-01-27 16:28 -------- d-----w- c:\users\Sanjana\hob
    2011-01-23 07:23 . 2011-01-23 07:23 -------- d-----w- c:\windows\Sun
    2011-01-23 05:51 . 2011-01-30 11:09 0 ----a-w- c:\users\Sanjana\AppData\Local\Vpumebirit.bin
    2011-01-23 05:49 . 2011-01-30 11:47 -------- d-----w- c:\programdata\eAeLb06504

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-06 22:23 . 2010-02-05 01:18 0 ----a-w- c:\users\Sanjana\AppData\Local\WavXMapDrive.bat
    2011-02-02 22:11 . 2010-02-05 02:35 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-11-12 00:44 . 2010-11-12 00:44 94208 ----a-w- c:\windows\system32\dpl100.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2009-06-12 00:41 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2009-06-12 00:41 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
    "VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-04-28 2633976]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-06-19 249856]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-08-01 458844]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-03 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-03 174104]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-03 151064]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-06-12 656384]
    "DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-10-06 1826816]
    "ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-06-03 184320]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2009-07-27 134656]
    "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-08-14 15872]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
    "SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2010-01-31 55072]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
    "TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2010-12-29 274608]

    c:\users\Sanjana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-8-11 795936]
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-7-16 1245472]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    "Google Update"="c:\users\Sanjana\AppData\Local\Google\Update\GoogleUpdate.exe" /c

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" start

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate1caaec57f5ab489;Google Update Service (gupdate1caaec57f5ab489);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 133104]
    R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
    R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-01-31 29472]
    R3 EraserUtilDrv11010;EraserUtilDrv11010;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [x]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
    R3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
    R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-07-02 47104]
    R3 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-07-01 49152]
    R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-07-05 38400]
    R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [2009-12-09 48128]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-26 1343400]
    R3 WPFFontCache_v0400;WPFFontCache_v0400;c:\windows\Microsoft.NET\Framework\v4.0.30128\WPF\WPFFontCache_v0400.exe [x]
    R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
    R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
    R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2009-05-15 1803512]
    S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-04-27 293968]
    S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2009-07-16 382752]
    S2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [2009-10-06 76288]
    S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-13 7680]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-26 122368]
    S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 05:04]

    2011-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 05:04]

    2011-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1208262141-4149667152-2894938055-1000Core.job
    - c:\users\Sanjana\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-28 01:25]

    2011-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1208262141-4149667152-2894938055-1000UA.job
    - c:\users\Sanjana\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-28 01:25]

    2011-02-06 c:\windows\Tasks\Norton Security Scan for Sanjana.job
    - c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-05-28 14:06]

    2011-02-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1208262141-4149667152-2894938055-1000.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://mcpuk1.jpmorgan.com/llclient/myonedesk-amer/winnt/AXNTEE.dll
    FF - ProfilePath - c:\users\Sanjana\AppData\Roaming\Mozilla\Firefox\Profiles\lps6crmv.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
    FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1208262141-4149667152-2894938055-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    @Denied: (Full) (Everyone)
    @Allowed: (Read) (RestrictedCode)
    "scansk"=hex(0):7f,af,35,60,0d,ba,19,77,58,09,13,4d,26,61,d8,9a,e5,f8,6d,09,79,
    c0,32,d9,a3,ec,dd,34,40,6d,92,49,27,d7,b2,7f,00,8d,82,32,00,00,00,00,00,00,\

    [HKEY_USERS\S-1-5-21-1208262141-4149667152-2894938055-1000_Classes\CLSID\{7a41ce08-36ed-4270-8a34-880f76d8acda}]
    @Denied: (Full) (Everyone)
    @Allowed: (Read) (RestrictedCode)
    "Model"=dword:0000012e
    "Therad"=dword:0000001e
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,85,b1,12,f9,90,dd,23,a1,8a,df,a8,03,3f,97,a3,12,d7,99,f3,3a,88,2b,\

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(4180)
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
    .
    Completion time: 2011-02-06 18:01:34
    ComboFix-quarantined-files.txt 2011-02-06 23:01
    ComboFix2.txt 2011-02-04 04:10
    ComboFix3.txt 2010-09-25 05:31

    Pre-Run: 138,927,542,272 bytes free
    Post-Run: 138,919,854,080 bytes free

    - - End Of File - - 25AB5F66568FB2EB50F4C27022988B68
