Hello, my computer is infected with this virus. Os is windows xp, currently have spybot search and destroy on my system. it can find and locate but not remove the virus. any help would be greatly appreciated.
Thanks again.
Hello, my computer is infected with this virus. Os is windows xp, currently have spybot search and destroy on my system. it can find and locate but not remove the virus. any help would be greatly appreciated.
Thanks again.
Hi yellowhawk,
Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.
- Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Suscribe to this Thread (then choose Instant Notification by email). If the button says Unsuscribe from this Thread, then you are already subscribed.
- Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.
Please follow these steps in order:
Step 1 | Download DDS from any of the links below:
Link 1
Link 2
Link 2
--------------------------------------------------------------------
- Save it to your desktop.
- Please disable any anti-malware program that will block scripts from running before running DDS.
- Double-Click on dds and a command window will appear. This is normal.
- Shortly after two logs will appear:
- DDS.txt
- Attach.txt
- A window will open instructing you save & post the logs.
- Save the logs to a convenient place such as your desktop.
- Post the contents of the DDS.txt report in your next reply.
- Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Step 2 | Please download GMER from one of the following locations and save it to your desktop:
Main Mirror - This version will download a randomly named file (Recommended)
Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
--------------------------------------------------------------------
- Disconnect from the Internet and close all running programs.
- Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
- Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
- GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
- If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
- Make sure all options are checked except:
- IAT/EAT
- Drives/Partition other than Systemdrive, which is typically C:\
- Show All (This is important, so do not miss it.)
Click the image to enlarge it
- Now click the Scan button. If you see a rootkit warning window, click OK.
- When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
- Click the Copy button and paste the results into your next reply.
- Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Step 3 | Please download aswMBR to your desktop.
- Double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".- Click the Scan button to start scan.
- When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
Click the image to enlarge it
Step 4 | Please download MBRCheck.exe to your desktop.
- Be sure to disable your security programs
- Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
- A window will open on your desktop
- if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
- If nothing unusual is found just press Enter
- A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
- Please post the contents of that file.
-- WTT Classroom Graduate --
-- ASAP Member --
-- UNITE Trained Eliminator --
Thanks so much for taking the time to help. I downloaded the dds and ran it but only one file appeared. I'm posting that now.
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Albert at 12:46:39 on 2011-06-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.205 [GMT -5:00]
.
AV: Norton AntiVirus *Enabled/Outdated* {B5510F6F-87E1-47F7-A411-360BC453007C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWelcome.exe
C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFWSvc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: adfabqibpr Object: {1dab052a-0631-4a71-91e2-33d7f4001e32} - c:\windows\$xntuninstall643$\uolrq.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: brumabqibgrm Object: {caeb7882-f486-4ff6-8f2b-d14219b4f129} - c:\windows\$xntuninstall643$\mkvxl.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ASH24SXZ9S] c:\documents and settings\albert\local settings\temp\Fbz.exe
uRun: [765705838] c:\documents and settings\networkservice\local settings\application data\kuo.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; WinNT-PAI 01.08.2009; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; yie8)" -"http://www.candystand.com/play-random-game?utm_source=adon_113124_40014&utm_medium=cpc&utm_campaign=adon2010"
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [ccRegVfy] c:\program files\common files\symantec shared\ccRegVfy.exe
mRun: [GhostStartTrayApp] c:\program files\norton systemworks\norton ghost\GhostStartTrayApp.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Family Tree Builder Update] c:\program files\myheritage\bin\FTBCheckUpdates.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [bipro] rundll32 "c:\windows\$xntuninstall643$\uolrq.dll",,Run
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [Spybot-S&D Cleaning] "c:\program files\spybot - search & destroy 2\SDCleaner.exe" /autoclean
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [3702553843] c:\documents and settings\networkservice\local settings\application data\yom.exe
dRun: [765705838] c:\documents and settings\networkservice\local settings\application data\kuo.exe
StartupFolder: c:\docume~1\albert\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\albert\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.23.01.0/iewwload.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{83DA6355-3187-4157-B0F6-B56770CA6A41} : DhcpNameServer = 192.168.1.254
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 184.95.59.211 www.google.com
Hosts: 184.95.59.212 search.yahoo.com
Hosts: 184.95.59.212 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2009-11-20 4064]
R1 GhPciScan;GhostPciScanner;c:\program files\norton systemworks\norton ghost\GhPciScan.sys [2002-8-14 5632]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-8-8 308936]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
R2 MrHealthyService;MrHealthy;c:\program files\norton pc checkup\executables\mrhealthy\mrhealthy.exe -service --> c:\program files\norton pc checkup\executables\mrhealthy\MrHealthy.exe -service [?]
R2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton systemworks\norton antivirus\NAVAPSVC.EXE [2002-8-19 116336]
R2 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2009-2-15 135168]
R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2002-7-25 35552]
R2 SDFirewallService;Spybot-S&D 2 Firewall Service;c:\program files\spybot - search & destroy 2\SDFWSvc.exe [2011-6-21 3585696]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110105.003\NAVENG.Sys [2004-10-11 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110105.003\NavEx15.Sys [2004-10-11 1360760]
R3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2002-7-25 235744]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-14 54408]
S2 SDMonitorService;Spybot-S&D 2 Monitoring Service;c:\program files\spybot - search & destroy 2\SDMonSvc.exe [2011-6-21 3834456]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2011-6-21 3515656]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2011-6-21 3769048]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2011-6-21 167040]
S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-8-19 63176]
.
=============== Created Last 30 ================
.
2012-04-28 19:26:45 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-04-28 19:26:45 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-06-22 01:33:11 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-06-22 01:32:53 770384 ----a-w- c:\windows\system32\msvcr100.dll
2011-06-22 01:32:53 421200 ----a-w- c:\windows\system32\msvcp100.dll
2011-06-22 01:32:52 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-06-21 17:30:59 1134 ----a-w- C:\FixNCR.reg
2011-06-21 06:38:46 7866472 ----a-w- C:\mseinstall.exe
2011-06-20 19:00:03 -------- d-----w- c:\windows\$XNTUninstall643$
2011-06-20 18:59:30 -------- d-----w- c:\documents and settings\all users\application data\WSTB
2011-06-15 20:47:17 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-04 20:50:18 -------- d-----w- c:\documents and settings\all users\application data\WorldWinner
.
==================== Find3M ====================
.
2011-06-16 14:57:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
============= FINISH: 12:48:50.76 ===============
what should i do next?
sorry found the other file.
Here is the gmer.log
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-27 16:55:29
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 Maxtor_6 rev.YAR5
Running: gmer.exe; Driver: C:\DOCUME~1\Albert\LOCALS~1\Temp\fwkcipog.sys
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\explorer.exe[508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E8000A
.text C:\WINDOWS\explorer.exe[508] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E9000A
.text C:\WINDOWS\explorer.exe[508] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E3000C
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AD000A
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AE000A
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00AC000C
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02BE000A
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 02BF000A
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 02C0000A
.text C:\WINDOWS\System32\svchost.exe[1168] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 02BD000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A0000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A1000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009F000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2836] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009F000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A0000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009E000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A91 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0CD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5691 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device ECAD3D20
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- Threads - GMER 1.0.15 ----
Thread System [4:568] EDBCF630
Thread System [4:572] EDBC1140
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet002\Control@CurrentUser USERNAME
Reg HKLM\SYSTEM\ControlSet002\Control@WaitToKillServiceTimeout 20000
Reg HKLM\SYSTEM\ControlSet002\Control@SystemStartOptions NOEXECUTE=OPTIN FASTDETECT
Reg HKLM\SYSTEM\ControlSet002\Control@SystemBootDevice multi(0)disk(0)rdisk(0)partition(1)
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@DependOnGroup
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@DependOnService Netman?WinMgmt?
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@Description Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@DisplayName Windows Firewall/Internet Connection Sharing (ICS)
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@Start 4
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile@EnableFirewall 0
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile@DisableNotifications 1
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- Files - GMER 1.0.15 ----
File C:\RECYCLER\NPROTECT 0 bytes
File C:\RECYCLER\NPROTECT\NPROTECT.LOG 646528 bytes
---- EOF - GMER 1.0.15 ----
here is the aswMBR log
aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-27 16:59:17
-----------------------------
16:59:17.531 OS Version: Windows 5.1.2600 Service Pack 3
16:59:17.531 Number of processors: 1 586 0x304
16:59:17.546 ComputerName: FAMILY_COMPUTER UserName: Albert
16:59:19.359 Initialize success
17:00:06.109 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
17:00:06.125 Disk 0 Vendor: Maxtor_6 YAR5 Size: 76293MB BusType: 3
17:00:06.125 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1
17:00:06.140 Disk 1 Vendor: WDC_WD25 08.0 Size: 238418MB BusType: 3
17:00:06.156 Disk 0 MBR read successfully
17:00:06.171 Disk 0 MBR scan
17:00:06.187 Disk 0 TDL4@MBR code has been found
17:00:06.203 Disk 0 Windows XP default MBR code found via API
17:00:06.218 Disk 0 MBR hidden
17:00:06.234 Disk 0 MBR [TDL4] **ROOTKIT**
17:00:06.250 Disk 0 trace - called modules:
17:00:06.265 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x868504d0]<<
17:00:06.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b8bab8]
17:00:06.312 3 CLASSPNP.SYS[f74e4fd7] -> nt!IofCallDriver -> [0x867a2788]
17:00:08.546 \Driver\iastor[0x86b786c0] -> IRP_MJ_CREATE -> 0x868504d0
17:00:08.656 Scan finished successfully
17:00:25.828 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Albert\Desktop\MBR.dat"
17:00:25.843 The log file has been saved successfully to "C:\Documents and Settings\Albert\Desktop\aswMBR.log"
Since this issue appears to be resolved, this Topic is closed. If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please read the guidelines to request assistance and begin a New Topic.
-- WTT Classroom Graduate --
-- ASAP Member --
-- UNITE Trained Eliminator --