
Thread: My PC is surfing the web without me :D

  1. #1
    Member
    Join Date
    May 2009
    Posts
    40

    My PC is surfing the web without me :D

    Last week, after scanning and removal of malware acquired a few days earlier (with MBAM and Spybot S&D), and neither program was identifying any more threats, I performed a "final" scan using MBAM (just to be sure). During that scan, I noticed that MBAM was scanning a large number of files in the sub-folders of "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\...". I had never noticed this location before and thought it strange that so many trash files would be there (esp. after using CCleaner). So, I opened "My Computer" and watched as new files appeared in the sub-folders of "C:\Documents and Settings\NetworkService\...", the types of files one would expect to see if one was surfing the web. Yet, I did not have a browser open.

    Despite what Microsoft Support told me (that this was normal and not to be worried about)...
    ... I still feel that my PC is too young to surf the web on his own.

    Thanks for your help.

    Below is the DDS:
    -------------------------------------------------------------

    DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
    Run by Dana at 4:57:57.14 on Sat 02/19/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.93 [GMT -7:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\downloads\TCPView\Tcpview.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dana\Local Settings\Temporary Internet Files\Content.IE5\YAJTCQ7Y\dds[1].scr

    ============== Pseudo HJT Report ===============

    uSearch Page =
    uSearch Bar =
    uStart Page = hxxp://google.com/
    BHO: AutorunsDisabled - No File
    BHO: Yahoo! IE Suggest - No File
    BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} -
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    StartupFolder: c:\docume~1\dana\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44}
    IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
    IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
    IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
    DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
    DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.napster.com/client/setup.exe
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
    DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - hxxp://mediaplayer.walmart.com/installer/install.cab
    DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241209576118
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38013.4351041667
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
    TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\dana\applic~1\mozilla\firefox\profiles\e9buyb2s.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: XULRunner: {09574FAB-BD34-49B5-A2C4-6F9CB51FAA80} - c:\documents and settings\administrator.dbarker2\local settings\application data\{09574FAB-BD34-49B5-A2C4-6F9CB51FAA80}

    ============= SERVICES / DRIVERS ===============

    S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-23 10384]
    S3 CallerIP;Visualware CallerIP;c:\program files\callerip\cip-nt.exe --> c:\program files\callerip\cip-nt.exe [?]
    S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2004-1-27 1025288]
    S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2003-4-8 820133]
    S4 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\drivers\idcphid.sys --> c:\windows\system32\drivers\idcphid.sys [?]

    =============== Created Last 30 ================

    2011-02-17 17:19:33 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-15 23:45:59 -------- d-----w- c:\program files\Microsoft Easy Assist

    ==================== Find3M ====================

    2006-07-03 11:11:44 774144 ----a-w- c:\program files\RngInterstitial.dll
    2003-08-27 21:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST340810A rev.3.39 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F1685C]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f1ca38]; MOV EAX, [0x82f1cab4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82F98AB8]
    3 CLASSPNP[0xF8636FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000059[0x82FAC968]
    5 ACPI[0xF85AD620] -> nt!IofCallDriver[0x804E37D5] -> [0x82FACD98]
    \Driver\atapi[0x82F670D8] -> IRP_MJ_CREATE -> 0x82F1685C
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST340810A_______________________________3.39____#463532423356504c202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x82F166A2
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 5:01:50.20 ===============
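    The observation in post #1 (a service account's Temporary Internet Files tree filling up while no browser is open) is something a responder can check systematically over a directory listing. The script below is an added example, not code from the thread or from any of the tools mentioned; it assumes the WinINet cache layout (Content.IE5\<8-char bucket>\name[n].ext), and the account names, extension sets and sample paths are constructed assumptions, not values taken from the poster's machine.

```python
"""Triage WinINet cache entries by owning account (added example, constructed data)."""
import re
from collections import defaultdict

# WinINet cache layout assumed here:
#   ...\Documents and Settings\<account>\Local Settings\Temporary Internet Files\
#       Content.IE5\<8-char bucket>\<name>[<n>].<ext>
CACHE_RE = re.compile(
    r"^.*?\\Documents and Settings\\(?P<account>[^\\]+)\\"
    r"Local Settings\\Temporary Internet Files\\Content\.IE5\\"
    r"(?P<bucket>[A-Z0-9]{8})\\(?P<name>[^\\]+?)(?:\[(?P<n>\d+)\])?\.(?P<ext>[^.\\]+)$",
    re.IGNORECASE,
)

# Assumption: these accounts run services, not interactive browsing sessions.
SERVICE_ACCOUNTS = {"networkservice", "localservice"}
# Assumption: executable content versus the kinds of files ordinary surfing leaves behind.
EXECUTABLE_EXT = {"exe", "scr", "dll", "com", "pif", "bat", "cab", "ocx"}
WEB_CONTENT_EXT = {"htm", "html", "js", "css", "gif", "jpg", "png", "swf", "xml"}


def parse_cache_path(path):
    """Return account/bucket/name/n/ext for a cache path, or None if it is not one."""
    m = CACHE_RE.match(path)
    if not m:
        return None
    d = m.groupdict()
    d["account"] = d["account"].lower()
    d["ext"] = d["ext"].lower()
    d["n"] = int(d["n"]) if d["n"] else None
    return d


def triage_cache(paths, browser_open):
    """Group cache entries by account and rate each group for a responder.

    browser_open: whether an interactive browser was running when the files
    appeared (in post #1 it was not).  Returns {account: (rating, detail)}.
    Ratings: 'high' = executables cached under a service account,
             'review' = cache activity that does not match an open browser,
             'expected' = consistent with someone surfing under that account.
    """
    by_account = defaultdict(list)
    for p in paths:
        entry = parse_cache_path(p)
        if entry:  # non-cache paths (e.g. system32 binaries) are ignored
            by_account[entry["account"]].append(entry)

    result = {}
    for account, entries in by_account.items():
        exes = sorted({e["name"] + "." + e["ext"] for e in entries if e["ext"] in EXECUTABLE_EXT})
        web = sum(1 for e in entries if e["ext"] in WEB_CONTENT_EXT)
        if account in SERVICE_ACCOUNTS and exes:
            rating = "high"
            detail = "executable content cached under a service account: " + ", ".join(exes)
        elif account in SERVICE_ACCOUNTS:
            rating = "review"
            detail = "%d web-content files cached under a service account" % web
        elif not browser_open:
            rating = "review"
            detail = "%d entries appeared under a user account with no browser open" % len(entries)
        else:
            rating = "expected"
            detail = "%d entries, consistent with interactive browsing" % len(entries)
        result[account] = (rating, detail)
    return result


# Constructed sample listing (not from the poster's machine); the bucket names
# and file names are made up to exercise each branch of triage_cache().
NS = r"C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5"
USER = r"C:\Documents and Settings\Alice\Local Settings\Temporary Internet Files\Content.IE5"
SAMPLE_PATHS = [
    NS + r"\AB12CD34\index[1].htm",
    NS + r"\AB12CD34\ads[2].js",
    NS + r"\EF56GH78\banner[1].gif",
    NS + r"\EF56GH78\update[1].exe",
    USER + r"\ZZ99YY88\logo[1].png",
    USER + r"\ZZ99YY88\tool[1].scr",
    r"C:\WINDOWS\system32\svchost.exe",  # not a cache path, skipped
]

if __name__ == "__main__":
    for account, (rating, detail) in sorted(triage_cache(SAMPLE_PATHS, browser_open=False).items()):
        print("%-15s %-8s %s" % (account, rating, detail))
```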

  2. #2
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello and welcome to Safer Networking.

    I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

    Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

    Please be patient with me during this time.

    Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.

  3. #3
    Member
    Join Date
    May 2009
    Posts
    40


    OK.

    Btw, I was unable to post to this forum using the infected PC.

  4. #4
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello JD the DJ,

    Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

    Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
    • Please observe and follow these Forum Rules.
    • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
    • Please read the instructions carefully and follow them closely, in the order they are presented to you.
    • If you have any doubts or problems during the fix, please stop and ask.
    • All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
    • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
    • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
    • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
    • If you do not reply within 3 days, this topic will be closed.

    If you are agreeable to the above, then everything should go smoothly. We may begin.

    --------------------

    Btw, I was unable to post to this forum using the infected PC.
    Maybe you will need to transfer some files between computers using a USB drive in case you still cannot post, so let's protect the good one first. From the good machine, please do the following.

    Check USB storage devices / removable drives
    • Please download USBNoRisk© by bobby and save to your desktop. Click here.
    • Double click on usbnorisk.exe and wait a couple of seconds for the initial scan to finish.
    • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
    • If there is more than one USB storage device, please take note of the order in which they are connected.
    • When all the devices are plugged in and the scanning done, right click on any location in the white box where the results are shown and select Save log.
    • Click OK when prompted and a log will open. It is saved to C:\USBNoRisk\UsbNoRisk.txt.
    • Post the contents of that log in your reply and close the program.


    --------------------

    Please post back:
    1. the USBNoRisk log

  5. #5
    Member
    Join Date
    May 2009
    Posts
    40


    OK, USBNoRisk installed on good machine.
    Only connected 1 USB device (4GB)

    ---------------------------------------------------------------
    USBNoRisk 2.7 (28 December 2010) by bobby

    Started at 2/20/2011 3:28:09 AM

    Searching for connected USB Mass storage...
    ----------------------------------------
    ========================================

    Searching for other storage...
    ----------------------------------------
    C: {70b2502c-d63c-11df-8327-806e6f6e6963}
    D: {70b2502d-d63c-11df-8327-806e6f6e6963}
    ========================================


    Scanning fixed storage...
    ----------------------------------------

    No blocked files found on C:
    No Autorun.inf files found on C:
    No mountpoint found for C:
    No mountpoint found for 70b2502c-d63c-11df-8327-806e6f6e6963
    No Desktop.ini files found on C:
    ----------------------------------------

    No blocked files found on D:
    No Autorun.inf files found on D:
    No mountpoint found for D:
    No mountpoint found for 70b2502d-d63c-11df-8327-806e6f6e6963
    ----------------------------------------
    Desktop.ini found at D:\boot\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------
    Desktop.ini found at D:\hp\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------
    Desktop.ini found at D:\PRELOAD\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------
    Desktop.ini found at D:\RECOVERY\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------
    Desktop.ini found at D:\SOURCES\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------
    Desktop.ini found at D:\Windows\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------
    Desktop.ini found at D:\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------

    ========================================
    Initial scan finished!
    ========================================


    New device connected at 2/20/2011 3:29:24 AM

    Scanning for connected USB mass storage...
    ----------------------------------------
    J: {4377fd62-3bf2-11e0-a90a-001e904a93df}
    Added J:
    ========================================

    Scanning USB mass storage for files...
    ----------------------------------------
    No blocked files found on J:
    ----------------------------------------
    No Autorun.inf files found on J:
    Sanitized mountpoint for 4377fd62-3bf2-11e0-a90a-001e904a93df
    ----------------------------------------

    No Desktop.ini files found on J:
    ----------------------------------------

    No mimics found on drive J:
    ----------------------------------------

    .lnk/.pif/.com/.scr files found on drive J:
    ========================================



    New device connected at 2/20/2011 3:29:37 AM

    Scanning for connected USB mass storage...
    ----------------------------------------

    ========================================

    Scanning USB mass storage for files...
    ----------------------------------------
    No blocked files found on J:
    ----------------------------------------
    No Autorun.inf files found on J:
    No mountpoint found for 4377fd62-3bf2-11e0-a90a-001e904a93df
    ----------------------------------------

    No Desktop.ini files found on J:
    ----------------------------------------

    No mimics found on drive J:
    ----------------------------------------

    .lnk/.pif/.com/.scr files found on drive J:
    ========================================



    New device connected at 2/20/2011 3:29:39 AM

    Scanning for connected USB mass storage...
    ----------------------------------------

    ========================================

    Scanning USB mass storage for files...
    ----------------------------------------
    No blocked files found on J:
    ----------------------------------------
    No Autorun.inf files found on J:
    No mountpoint found for 4377fd62-3bf2-11e0-a90a-001e904a93df
    ----------------------------------------

    No Desktop.ini files found on J:
    ----------------------------------------

    No mimics found on drive J:
    ----------------------------------------

    .lnk/.pif/.com/.scr files found on drive J:
    ========================================

  6. #6
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello JD the DJ,

    Do this on the good computer.

    Run USBNoRisk script
    • Please start USBNoRisk by double clicking on the program.
    • Choose the Script tab.
    • Copy and paste the following text into it:
      Code:
      {4377fd62-3bf2-11e0-a90a-001e904a93df}
      protect:
    • Now, connect the USB storage device to the computer. If already connected, please click on the Run Script button at the bottom.
    • Close the program when done.


    --------------------

    Do all the following steps on the infected machine. If you cannot download to or post from the infected machine, then transfer the files through the other computer using the USB drive.

    When you ran DDS the first time, did you save Attach.txt? If yes, please post the contents of the log. Otherwise, run DDS again to get me the result.

    You have Malwarebytes' Anti-Malware (MBAM) on your machine. I wish to take a look at the most recent log file. Open MBAM and click on the Logs tab. Open the file at the bottom of the list and post the contents back here. If there is no log or you have yet to run MBAM, please let me know.

    --------------------

    Please close all programs and do not run any others before and during the Rootkit Unhooker scan. Do not use the computer for anything else until after the scan is completed.

    Please download Rootkit Unhooker and save it to your desktop. Click here.
    • Double click RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Ensure the following are checked (ticked):
      • Drivers
      • Stealth Code
      • Files
      • Code Hooks
    • Uncheck the rest, then click OK. An initial scan will be performed.
    • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
    • Wait until the scanner is done, then click on File at the pull down menu, followed by Save Report.
    • Save the report somewhere you can find it. Click Close to exit.
    • Copy the entire contents of the report and paste it in your next reply.


    You may get a warning about parasite detection. Please click OK to continue.

    --------------------

    Please post back:
    1. Attach.txt
    2. the last MBAM log
    3. Rootkit Unhooker log

  7. #7
    Member
    Join Date
    May 2009
    Posts
    40


    - Ran Script on good machine
    - Attach.txt is below
    - Last MBAM log of a Full Scan of Drive C: is below

    - Will close all programs and start on Rootkit Unhooker and post that soon

    (Am posting this reply using infected PC, it works now)


    Attach.txt
    --------------------------------------------

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/23/2004 6:19:28 PM
    System Uptime: 2/19/2011 6:43:11 AM (1 hours ago)

    Motherboard: | |
    Processor: AMD Athlon(tm) Processor | Slot-A | 663/66mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 17.287 GiB free.
    D: is FIXED (FAT32) - 75 GiB total, 52.767 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: CD-ROM Drive
    Device ID: IDE\CDROMSONY_CD-RW__CRX230E_____________________QYS1____\5&C21666E&0&0.0.0
    Manufacturer: (Standard CD-ROM drives)
    Name: SONY CD-RW CRX230E
    PNP Device ID: IDE\CDROMSONY_CD-RW__CRX230E_____________________QYS1____\5&C21666E&0&0.0.0
    Service: cdrom

    ==== System Restore Points ===================

    RP1656: 1/16/2011 11:44:28 PM - System Checkpoint
    RP1657: 1/18/2011 2:48:39 AM - System Checkpoint
    RP1658: 1/19/2011 3:10:03 AM - System Checkpoint
    RP1659: 1/20/2011 3:39:38 AM - System Checkpoint
    RP1660: 1/21/2011 6:01:44 AM - System Checkpoint
    RP1661: 1/22/2011 6:39:41 AM - System Checkpoint
    RP1662: 1/22/2011 11:00:42 PM - Software Distribution Service 3.0
    RP1663: 1/23/2011 11:39:44 PM - System Checkpoint
    RP1664: 1/25/2011 12:39:46 AM - System Checkpoint
    RP1665: 1/26/2011 1:39:40 AM - System Checkpoint
    RP1666: 1/27/2011 8:41:01 AM - System Checkpoint
    RP1667: 1/27/2011 5:45:47 PM - Software Distribution Service 3.0
    RP1668: 1/30/2011 6:47:14 PM - Revo Uninstaller's restore point - Adobe Atmosphere Player for Acrobat and Adobe Reader
    RP1669: 1/30/2011 6:53:57 PM - Revo Uninstaller's restore point - Adobe Flash Player 10 ActiveX
    RP1670: 1/30/2011 6:55:52 PM - Revo Uninstaller's restore point - Adobe Flash Player 10 Plugin
    RP1671: 1/30/2011 6:56:52 PM - Revo Uninstaller's restore point - Adobe Shockwave Player 11
    RP1672: 1/30/2011 6:58:05 PM - Revo Uninstaller's restore point - Adobe Reader 8.1.2
    RP1673: 1/30/2011 7:00:51 PM - Revo Uninstaller's restore point - Java(TM) 6 Update 23
    RP1674: 1/30/2011 7:03:12 PM - Revo Uninstaller's restore point - Spelling Dictionaries Support For Adobe Reader 8
    RP1675: 1/30/2011 7:05:03 PM - Revo Uninstaller's restore point - Winamp
    RP1676: 1/30/2011 7:18:38 PM - Revo Uninstaller's restore point - XnView 1.93.6
    RP1677: 1/30/2011 7:20:22 PM - Revo Uninstaller's restore point - IrfanView (remove only)
    RP1678: 1/30/2011 7:22:12 PM - Revo Uninstaller's restore point - 7-Zip 4.57
    RP1679: 1/30/2011 7:23:38 PM - Revo Uninstaller's restore point - AnalogX TagMaster
    RP1680: 1/30/2011 7:24:52 PM - Revo Uninstaller's restore point - SUPERAntiSpyware
    RP1681: 1/30/2011 7:26:39 PM - Revo Uninstaller's restore point - Yahoo! Messenger
    RP1682: 1/30/2011 7:29:22 PM - Revo Uninstaller's restore point - Yahoo! Browser Services
    RP1683: 1/30/2011 7:31:18 PM - Revo Uninstaller's restore point - Full Tilt Poker
    RP1684: 1/30/2011 7:31:48 PM - Removed Full Tilt Poker
    RP1685: 1/30/2011 7:35:08 PM - Revo Uninstaller's restore point - The KMPlayer (remove only)
    RP1686: 2/2/2011 3:32:01 AM - System Checkpoint
    RP1687: 2/2/2011 7:17:20 AM - Software Distribution Service 3.0
    RP1688: 2/14/2011 1:57:46 AM - Software Distribution Service 3.0
    RP1689: 2/15/2011 8:14:28 AM - System Checkpoint
    RP1690: 2/15/2011 4:45:24 PM - Removed Microsoft Easy Assist v2
    RP1691: 2/15/2011 4:45:55 PM - Installed Microsoft Easy Assist v2

    ==== Installed Programs ======================

    A.F.5 Rename your files 1.1
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Apple Software Update
    ArcSoft Software for HP
    Audacity 1.2.3
    Avernum 4
    Avernum Demo
    Bonjour
    Catan (remove only)
    CCleaner
    CDDRV_Installer
    CDex extraction audio
    Crystal Reports for .NET Framework 2.0 (x86)
    Cypress USB Mass Storage Driver Installation
    ERUNT 1.1j
    Google Chrome
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB954550-v5)
    HP Product Detection
    Inspector F
    Inspector F 1.2
    iTunes
    Java Auto Updater
    KhalInstallWrapper
    Locomotion
    Logitech SetPoint
    Lucent Technologies Soft Modem AMR
    Malwarebytes' Anti-Malware
    MediaMonkey 3.2
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Data Access Components KB870669
    Microsoft Easy Assist v2
    Microsoft Excel 2000 Macro Function Help File
    Microsoft IntelliPoint 4.1
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office 2000 SR-1 Disc 2
    Microsoft Office 2000 SR-1 Professional
    Microsoft Office 2000 Web Archive Add-On
    Microsoft Office HTML Filter 2.0
    Microsoft Office Spreadsheet Updated Function Reference
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows Journal Viewer
    Mozilla Firefox (3.5.13)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    Napster
    Napster Burn Engine
    Napster Label Creator
    Nero Suite
    PokerStars.net
    Railroad Tycoon 3 Demo
    RegScrubXP 5.1
    Revo Uninstaller 1.91
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    SiS 900 PCI Fast Ethernet Adapter Driver
    SiS Audio Driver
    Spybot - Search & Destroy
    Tweak UI
    UltimateBet
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB968220)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB980302)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows Internet Explorer 8 (KB982664)
    URGE
    USB Storage Adapter FX (SM1)
    User Profile Hive Cleanup Service
    Wal-Mart Music Downloads Store
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer Clean Up
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows XP Service Pack 3
    XML Paper Specification Shared Components Pack 1.0
    Yahoo! Internet Mail

    ==== Event Viewer Messages From Past Week ========

    2/18/2011 6:49:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2/18/2011 6:49:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdPPM Cdrom Fips
    2/18/2011 11:47:33 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    2/15/2011 4:41:14 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
    2/15/2011 3:50:35 PM, error: NetDDE [206] - Listen failed: 15:
    2/15/2011 12:43:16 PM, error: NetDDE [206] - Listen failed: 23: The ncb_lana_num member did not specify a valid network number.
    2/15/2011 12:27:55 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The system cannot find the file specified.
    2/15/2011 12:27:46 PM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
    2/15/2011 10:43:48 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
    2/14/2011 1:57:56 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Microsoft .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB2418241).
    2/14/2011 1:57:56 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB983583).
    2/14/2011 1:57:56 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168).
    2/14/2011 1:57:56 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524).
    2/14/2011 1:57:51 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Security Update for Windows 2000, Windows Server 2003, and Windows XP x86 (KB979909).

    ==== End Of File ===========================



    MBAM log
    -------------------------------------------------------------------
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5767

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    2/16/2011 11:27:28 AM
    mbam-log-2011-02-16 (11-27-28).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 251365
    Time elapsed: 1 hour(s), 19 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  8. #8
    Member
    Join Date
    May 2009
    Posts
    40

    Rootkit Unhooker log

    Here is the Rootkit Unhooker log Report
    ---------------------------------------------------
    RkU Version: 3.8.388.590, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 3)
    Number of processors #1
    ==============================================
    >Drivers
    ==============================================
    0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 4276224 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 56.73 )
    0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
    0x804D7000 PnpManager 2189952 bytes
    0x804D7000 RAW 2189952 bytes
    0x804D7000 WMIxWDM 2189952 bytes
    0xF7716000 C:\WINDOWS\System32\DRIVERS\nv4_mini.sys 1900544 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 )
    0xBF800000 Win32k 1855488 bytes
    0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0xF74F9000 C:\WINDOWS\system32\drivers\sis7012.sys 823296 bytes (Silicon Integrated Systems Corporation, SiS 7012 Audio Device WDM Driver)
    0xF75C2000 C:\WINDOWS\System32\DRIVERS\LTSM.sys 790528 bytes (Lucent Technologies, SoftModem Device Driver)
    0xF8489000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
    0xF00B1000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0xF6F5F000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
    0xF0196000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
    0xEBB3A000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
    0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
    0xEBBE5000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0xF85A7000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
    0xEBCCA000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
    0xF845C000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
    0xEC4B3000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
    0xF0121000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0xF016E000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
    0xF008B000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
    0xEB918000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
    0xF76CA000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0xF7683000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0xF76A7000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
    0xF014C000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0xF853F000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0xF8577000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
    0xF8442000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0xF855F000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
    0xEB900000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
    0xF8516000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0xF74E2000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0xEBC49000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
    0xF76EE000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
    0xF7702000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
    0x806EE000 ACPI_HAL 81152 bytes
    0x806EE000 C:\WINDOWS\system32\hal.dll 81152 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0xF01EF000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
    0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
    0xF852D000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
    0xF8596000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0xF74D1000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
    0xF083A000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0xF8736000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
    0xF8746000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
    0xF0305000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
    0xF7936000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0xF8706000 C:\WINDOWS\system32\DRIVERS\AmdPPM.sys 53248 bytes (Advanced Micro Devices, AMD Processor Driver)
    0xF8636000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
    0xF8716000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
    0xF8756000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0xF8616000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0xF8776000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0xF07EA000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
    0xF8606000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
    0xF8766000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0xF85F6000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
    0xF7926000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
    0xF8656000 sisagp.sys 40960 bytes (Silicon Integrated Systems Corporation, SiS NT AGP Filter)
    0xF7946000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
    0xF8626000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
    0xF07CA000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
    0xF8786000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
    0xF082A000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
    0xEC74A000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
    0xF8646000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0xF07DA000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0xF898E000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
    0xF0C6D000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
    0xF8996000 C:\WINDOWS\system32\DRIVERS\sisnicxp.sys 32768 bytes (SiS Corporation, SiS PCI Fast Ethernet Adapter Driver)
    0xF899E000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0xF897E000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
    0xF0C85000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0xF8876000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0xF8976000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
    0xF8896000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
    0xF0C7D000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0xF3827000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
    0xF0C75000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
    0xF887E000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
    0xF89F6000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
    0xF89FE000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
    0xF89A6000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
    0xF8986000 C:\WINDOWS\System32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
    0xF0458000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
    0xF8A9E000 C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys 16384 bytes (Logitech, Inc., Logitech PS2 Keyboard Filter Driver.)
    0xF8AC6000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
    0xF6F5B000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
    0xF8AA2000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
    0xF8A0A000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
    0xF0BD2000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
    0xF8AA6000 C:\WINDOWS\System32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
    0xF0CD1000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
    0xF0CC9000 C:\WINDOWS\system32\DRIVERS\IPFilter.sys 12288 bytes (Microsoft Corporation, Microsoft IntelliPoint)
    0x82ED5000 C:\WINDOWS\system32\KDCOM.DLL 12288 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0xF0CCD000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0xF8AAA000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0xF0EA6000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0xEBAA2000 C:\WINDOWS\system32\Drivers\uphcleanhlp.sys 12288 bytes
    0xF8B04000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
    0xF8BA4000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
    0xF8B02000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
    0xF8B06000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
    0xF8B8C000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
    0xF8B08000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
    0xF8B6A000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0xF8B6C000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0xF8AF6000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0xF8C78000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
    0xF04EE000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 4096 bytes (Sonic Solutions, CDR4 CD and DVD Place Holder Driver (see PxHelp))
    0xF04ED000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 4096 bytes (Sonic Solutions, CDRAL Place Holder Driver (see PxHelp))
    0xF8CF7000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
    0xF0C96000 C:\WINDOWS\System32\Drivers\LBeepKE.sys 4096 bytes (Logitech, Inc., Logitech Consumer Control Filter Driver.)
    0xF8C6F000 C:\WINDOWS\system32\drivers\msmpu401.sys 4096 bytes (Microsoft Corporation, MPU401 Adapter Driver)
    0xF04EC000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
    0xF8BBE000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
    !!!!!!!!!!!Hidden driver: 0x82F0A6A2 ?_empty_? 2398 bytes
    ==============================================
    >Stealth
    ==============================================
    0xF855F000 WARNING: suspicious driver modification [atapi.sys::0x82F0A6A2]
    ==============================================
    >Files
    ==============================================
    !-->[Hidden] C:\00
    !-->[Hidden] C:\000
    !-->[Hidden] C:\000 cddb
    !-->[Hidden] C:\cdex_150b10_enu
    !-->[Hidden] C:\Config.Msi
    !-->[Hidden] C:\Documents and Settings
    !-->[Hidden] C:\downloads
    !-->[Hidden] C:\eac095pb5
    !-->[Hidden] C:\Games
    !-->[Hidden] C:\lame-3.95.1
    !-->[Hidden] C:\My Music
    !-->[Hidden] C:\Neato Mediaface
    !-->[Hidden] C:\Program Files
    !-->[Hidden] C:\RECYCLER
    !-->[Hidden] C:\Start Menu
    !-->[Hidden] C:\System Volume Information
    !-->[Hidden] C:\temp
    !-->[Hidden] C:\WINDOWS
    !-->[Hidden] C:\WUTemp
    ==============================================
    >Hooks
    ==============================================
    ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
    ntoskrnl.exe+0x0000BAD4, Type: Inline - RelativeJump 0x804E2AD4-->804E2B40 [ntoskrnl.exe]
    [1092]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
    [1092]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
    [1092]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
    [1092]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
    [1092]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
    [1092]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
    [1092]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
    [1092]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
    [1092]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
    [1092]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
    [1092]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
    [936]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
    [936]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
    [936]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
    [936]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
    [936]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
    [936]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
    [936]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E42974E-->00000000 [unknown_code_page]
    [936]svchost.exe-->user32.dll-->GetForegroundWindow, Type: Inline - RelativeJump 0x7E429823-->00000000 [unknown_code_page]
    [936]svchost.exe-->user32.dll-->WindowFromPoint, Type: Inline - RelativeJump 0x7E429766-->00000000 [unknown_code_page]
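
    Of the few hundred lines in the Rootkit Unhooker report above, only a handful carry the finding: the hidden driver, the Stealth warning on atapi.sys, and the hooks whose target RKU cannot attribute to any loaded module. As an added example (not part of the thread and not code from the RKU tool), the Python script below parses this report layout, sorts each entry into "review" or "expected", and checks whether the address of the hidden driver is the same address patched into atapi.sys. The section names, the hook-line layout and the short sample report are taken from the posted log; the classification rules (treating shimeng.dll IAT rewrites and jumps that stay inside the hooked module as expected) are this example's own assumptions.

```python
"""Triage a Rootkit Unhooker (RKU) text report.

Added example for this thread; not part of the forum posts and not RKU code.
Separates findings that need a human from ones routinely present on a clean box.
"""
import re
from collections import defaultdict

# Constructed sample: a short excerpt in the exact layout of the posted report.
SAMPLE_REPORT = r"""
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
>Drivers
==============================================
0xF855F000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEC74A000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
!!!!!!!!!!!Hidden driver: 0x82F0A6A2 ?_empty_? 2398 bytes
==============================================
>Stealth
==============================================
0xF855F000 WARNING: suspicious driver modification [atapi.sys::0x82F0A6A2]
==============================================
>Files
==============================================
!-->[Hidden] C:\WINDOWS
!-->[Hidden] C:\Program Files
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
[1092]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[936]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
"""

SECTION_RE = re.compile(r"^>(\w+)$")
HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\](?P<proc>[^-]+?)-->)?"      # optional "[pid]process-->"
    r"(?P<where>.+?), Type: (?P<type>.+?) "
    r"(?P<src>0x[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$"
)

# Assumption of this example: hook owners that belong to Windows itself. shimeng.dll
# is the Application Compatibility shim engine; it rewrites the GetProcAddress import
# of shimmed processes, which RKU lists as an "IAT modification" with a 00000000 target.
EXPECTED_OWNERS = {"shimeng.dll"}


def split_sections(report):
    """Group report lines by the '>Name' header that precedes them."""
    sections = defaultdict(list)
    current = "Header"
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith("====="):
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        sections[current].append(line)
    return sections


def classify_hook(hook):
    """Decide whether one parsed hook line is 'expected' or needs 'review'."""
    owner = hook["owner"]
    if owner in EXPECTED_OWNERS:
        return "expected", f"known Windows hook owner ({owner})"
    if owner == "unknown_code_page" or int(hook["dst"], 16) == 0:
        return "review", "hook target is not inside any loaded module"
    hooked = [seg.split("+")[0].lower() for seg in hook["where"].split("-->")]
    if owner.lower() in hooked:
        return "expected", "jump stays inside the hooked module"
    return "review", f"hook owned by {owner}"


def triage(report):
    """Return {'review': [(section, line, reason)], 'expected': [...], counters}."""
    sections = split_sections(report)
    out = {"review": [], "expected": [], "hidden_files": 0, "drivers_loaded": 0}
    for line in sections.get("Drivers", []):
        if line.startswith("!"):  # RKU prefixes hidden drivers with a run of '!'
            out["review"].append(("Drivers", line.lstrip("!"), "driver is not in the loaded-module list"))
        else:
            out["drivers_loaded"] += 1
    for line in sections.get("Stealth", []):
        out["review"].append(("Stealth", line, "scanner reports modified driver code"))
    out["hidden_files"] = sum(1 for ln in sections.get("Files", []) if "[Hidden]" in ln)
    for line in sections.get("Hooks", []):
        m = HOOK_RE.match(line)
        if m is None:
            out["review"].append(("Hooks", line, "unparsed hook line"))
            continue
        verdict, reason = classify_hook(m.groupdict())
        out[verdict].append(("Hooks", line, reason))
    return out


def correlate(findings):
    """Addresses reported both as a hidden driver and as a patch target in Stealth."""
    def text_of(name):
        return " ".join(ln for sec, ln, _ in findings["review"] if sec == name)
    hidden = set(re.findall(r"0x[0-9A-Fa-f]+", text_of("Drivers")))
    patched = set(re.findall(r"::(0x[0-9A-Fa-f]+)", text_of("Stealth")))
    return sorted(hidden & patched)


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['drivers_loaded']} drivers listed, {result['hidden_files']} hidden file entries")
    for section, line, reason in result["review"]:
        print(f"REVIEW   [{section}] {line}\n         -> {reason}")
    for section, line, reason in result["expected"]:
        print(f"expected [{section}] {line}")
    for addr in correlate(result):
        print(f"NOTE: hidden driver at {addr} is also the patch target written into a loaded driver")
```

    Run against the full posted report, the same logic leaves the loaded-driver list and the shimeng.dll entries alone and surfaces the hidden driver, the atapi.sys warning, and the unknown_code_page hooks in explorer.exe and svchost.exe; the correlation step makes the link between the hidden driver's address and the atapi.sys patch target explicit rather than leaving it to the reader's eye.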

  9. #9
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    I see that you have some programs that are not recommended or not safe on board your computer. You may uninstall them through Add/Remove Programs at the Control Panel.

    Registry Cleaner(s)

    RegScrubXP 5.1

    Personally, I do not recommend any such programs. Here is an excerpt from a discussion on Registry Cleaners:
    Most Registry Cleaners aren't bad as such, but they aren't perfect and even the best have been known to cause problems. The point we are trying to make is that the risk of using one far outweighs any benefit. If it does work perfectly you will not see any difference. If it doesn't work properly you may end up with an expensive doorstop.
    See here and here for additional information.

    --------------------

    Poker programs

    A lot of poker programs are infected / can infect you with malware. You should be careful when using them.

    Here is a list of known bad Poker games or sites that you should stay away from.

    You may want to uninstall UltimateBet too, as it does not have the best of reputations.

    --------------------

    Please download ComboFix from one of the links below and save it to your desktop.

    Link 1
    Link 2

    Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

    Install Recovery Console and run ComboFix
    • Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs when running ComboFix. They will interfere and may cause unexpected results.
    • If you need help to disable your protection programs see here and here.
    • Double click on ComboFix.exe and follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will be asked to install it if it is not present in your computer. Click Yes to proceed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, click on Yes to continue scanning for malware.
    • When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
    • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
    • Re-enable your security software as soon as you have completed the ComboFix steps.


    A detailed step by step tutorial to run ComboFix can be found here if you need help.

    --------------------

    Please post back:
    1. the answer to my question about your computer
    2. the ComboFix log

  10. #10
    Member
    Join Date
    May 2009
    Posts
    40

    Default

    1) I'm sorry, I do not know what your question is about my computer. (Unless it was the question from your earlier post about the Attach.txt file from the DDS scan. Since the answer was "Yes", I just posted the log)

    2) Ran ComboFix and log is posted below:
    -------------------------------------------------------
    ComboFix 11-02-20.01 - Dana 02/20/2011 11:52:38.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.303 [GMT -7:00]
    Running from: c:\documents and settings\Dana\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator.DBARKER2\Local Settings\Application Data\{09574FAB-BD34-49B5-A2C4-6F9CB51FAA80}
    c:\documents and settings\Administrator.DBARKER2\Local Settings\Application Data\{09574FAB-BD34-49B5-A2C4-6F9CB51FAA80}\chrome.manifest
    c:\documents and settings\Administrator.DBARKER2\Local Settings\Application Data\{09574FAB-BD34-49B5-A2C4-6F9CB51FAA80}\chrome\content\_cfg.js
    c:\documents and settings\Administrator.DBARKER2\Local Settings\Application Data\{09574FAB-BD34-49B5-A2C4-6F9CB51FAA80}\chrome\content\overlay.xul
    c:\documents and settings\Administrator.DBARKER2\Local Settings\Application Data\{09574FAB-BD34-49B5-A2C4-6F9CB51FAA80}\install.rdf

    .
    \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Legacy_NPF
    -------\Service_6to4


    ((((((((((((((((((((((((( Files Created from 2011-01-20 to 2011-02-20 )))))))))))))))))))))))))))))))
    .

    2011-02-19 11:50 . 2011-02-19 11:51 -------- d-----w- c:\program files\ERUNT
    2011-02-17 17:19 . 2011-02-17 17:19 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-15 23:45 . 2011-02-15 23:45 -------- d-----w- c:\program files\Microsoft Easy Assist
    2011-02-15 17:56 . 2011-02-15 17:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-01-27 08:25 . 2011-01-27 08:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-01-27 03:26 . 2011-01-28 04:47 -------- d-----w- c:\documents and settings\Administrator.DBARKER2

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-21 01:09 . 2008-10-31 12:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 01:08 . 2008-10-31 12:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2006-07-03 11:11 . 2006-07-03 11:12 774144 ----a-w- c:\program files\RngInterstitial.dll
    2003-08-27 21:19 . 2004-01-31 23:08 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]

    c:\documents and settings\Dana\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-23 813584]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "JavaQuickStarterService"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "NapsterShell"=c:\program files\Napster\napster.exe /systray

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/23/2009 6:56 PM 10384]
    R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [1/27/2004 9:49 AM 1025288]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [4/8/2003 9:56 AM 820133]
    S3 CallerIP;Visualware CallerIP;c:\program files\CallerIP\cip-nt.exe --> c:\program files\CallerIP\cip-nt.exe [?]
    S4 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\DRIVERS\idcphid.sys --> c:\windows\system32\DRIVERS\idcphid.sys [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:42]

    2011-02-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-05-04 21:31]

    2011-02-20 c:\windows\Tasks\User_Feed_Synchronization-{7255A037-42F1-4F10-A6F1-8A5588174281}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
    TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - hxxp://mediaplayer.walmart.com/installer/install.cab
    FF - ProfilePath - c:\documents and settings\Dana\Application Data\Mozilla\Firefox\Profiles\e9buyb2s.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    AddRemove-SiS7012 - c:\program files\SiS7012\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7012



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-20 12:21
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1417001333-1935655697-1202660629-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(552)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll

    - - - - - - - > 'explorer.exe'(3360)
    c:\windows\system32\WININET.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\netdde.exe
    c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    c:\program files\UPHClean\uphclean.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    .
    **************************************************************************
    .
    Completion time: 2011-02-20 12:30:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-20 19:30

    Pre-Run: 18,515,230,720 bytes free
    Post-Run: 19,281,817,600 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - C0DBB365C1879BA5CAFED782C348F5CA
