Trojan/virus

bluefishbeagle

New member
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 21:20:41 on 2012-01-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.270 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\All Users\Documents\Norton\{3A7FA539-8005-4603-87D2-SOS1-NSS-v5}\Norton_Download_Manager[1].exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.prisonplanet.com/
uSearch Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.google.com/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Norton Download Manager{3A7FA539-8005-4603-87D2-SOS1-NSS-v5}] c:\documents and settings\all users\documents\norton\{3a7fa539-8005-4603-87d2-sos1-nss-v5}\Norton_Download_Manager[1].exe /m
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Drag'n Drop CD] c:\program files\drag'n drop cd\binfiles\DragDrop.exe /StartUp
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ZoneAlarm Installer] "c:\program files\checkpoint\install\launcher.exe" "c:\program files\checkpoint\install\install.exe" /r download /c "c:\program files\checkpoint\install\Install.xml" /l /w
mRun: [AGRSMMSG] AGRSMMSG.exe
dRun: [ctfmon.exe] ctfmon.exe
dRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
dPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9ADF5A28-6FA4-49BE-A8CA-D43D53EC830C} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: schannel.dll, credssp.dll, digest.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\yy1hez6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://prisonplanet.tv/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol500.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
.
============= SERVICES / DRIVERS ===============
.
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2011-4-12 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-4-12 317072]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-4-12 486280]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-11 40776]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-4-14 14336]
.
=============== Created Last 30 ================
.
2012-01-12 02:59:31 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-12 00:54:33 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-01-10 04:10:16 -------- d-----w- c:\windows\Options
2012-01-10 03:07:09 -------- d-----w- c:\program files\CheckPoint
2012-01-10 01:13:58 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-01-10 01:13:33 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-10 01:13:23 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-10 01:13:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-04 01:05:44 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Apple
2012-01-04 01:05:11 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Apple Computer
2012-01-04 00:05:53 -------- d-----w- c:\program files\VideoLAN
2011-12-14 01:24:05 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2011-12-14 01:24:02 186880 ------w- c:\windows\system32\dllcache\encdec.dll
2011-12-14 01:23:29 2148864 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-12-14 01:23:26 2192768 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-12-14 01:23:26 2027008 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
.
==================== Find3M ====================
.
2011-12-28 23:37:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:29:56 1868544 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:19:40 919552 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:19:40 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:19:40 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-01 16:05:38 1289216 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-26 00:22:34 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-25 13:34:49 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:01:01 385024 ----a-w- c:\windows\system32\html.iec
2011-10-24 20:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 20:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:12:37 186880 ----a-w- c:\windows\system32\encdec.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HITACHI_DK23EA-40 rev.00K3A0A6 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85DB249F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85db9738]; MOV EAX, [0x85db98ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8694CAB8]
3 CLASSPNP[0xF74E7FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000076[0x869C0F18]
5 ACPI[0xF7317620] -> nt!IofCallDriver[0x804E37D5] -> [0x8697B940]
\Driver\atapi[0x85EAB768] -> IRP_MJ_CREATE -> 0x85DB249F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x85DB22C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:23:27.18 ===============

Here's the other report:
 


Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

When running programs on Vista or Windows 7, you need to right-click the program and select RUN AS ADMINISTRATOR



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
 
Here is the scan. The infected computer started doing crazy things after the reboot. It won't let me into C:\ except for Program Files, and then it only shows ZoneAlarm. It wants to run a scan to fix a host of problems: cannot read hard drive, bad sectors, slow HD speed, high HD speed, memory overspeed, hard drive clusters are partly damaged, segment load failure etc., to name a few. It seems to want me to buy a program to fix these problems. The computer does not show any programs, i.e. Internet Explorer. So I copied the scan file and am sending it from another laptop. Here it is:

08:44:53.0930 2624 TDSS rootkit removing tool 2.7.5.0 Jan 18 2012 09:26:24
08:44:55.0402 2624 ============================================================
08:44:55.0402 2624 Current date / time: 2012/01/19 08:44:55.0402
08:44:55.0402 2624 SystemInfo:
08:44:55.0402 2624
08:44:55.0402 2624 OS Version: 5.1.2600 ServicePack: 3.0
08:44:55.0402 2624 Product type: Workstation
08:44:55.0402 2624 ComputerName: HASSELCOMPUTER
08:44:55.0402 2624 UserName: Administrator
08:44:55.0402 2624 Windows directory: C:\WINDOWS
08:44:55.0402 2624 System windows directory: C:\WINDOWS
08:44:55.0402 2624 Processor architecture: Intel x86
08:44:55.0402 2624 Number of processors: 1
08:44:55.0402 2624 Page size: 0x1000
08:44:55.0402 2624 Boot type: Normal boot
08:44:55.0402 2624 ============================================================
08:44:59.0638 2624 Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
08:44:59.0668 2624 Initialize success
08:45:15.0411 3536 ============================================================
08:45:15.0411 3536 Scan started
08:45:15.0411 3536 Mode: Manual;
08:45:15.0411 3536 ============================================================
08:45:16.0863 3536 Abiosdsk - ok
08:45:16.0903 3536 abp480n5 - ok
08:45:16.0963 3536 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:45:16.0973 3536 ACPI - ok
08:45:17.0153 3536 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
08:45:17.0153 3536 ACPIEC - ok
08:45:17.0364 3536 adpu160m - ok
08:45:17.0494 3536 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
08:45:17.0504 3536 aec - ok
08:45:17.0694 3536 AFD (f6b7b1ecd7b41736bdb6ff4b092bcb79) C:\WINDOWS\System32\drivers\afd.sys
08:45:17.0704 3536 AFD - ok
08:45:18.0075 3536 AgereSoftModem (55188b7c84a4c5e73e0680f744c4561d) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
08:45:18.0145 3536 AgereSoftModem - ok
08:45:18.0415 3536 Aha154x - ok
08:45:18.0595 3536 aic78u2 - ok
08:45:18.0685 3536 aic78xx - ok
08:45:18.0886 3536 AliIde - ok
08:45:18.0906 3536 amsint - ok
08:45:18.0996 3536 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
08:45:18.0996 3536 Arp1394 - ok
08:45:19.0176 3536 asc - ok
08:45:19.0366 3536 asc3350p - ok
08:45:19.0396 3536 asc3550 - ok
08:45:19.0487 3536 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\Aspi32.sys
08:45:19.0487 3536 Aspi32 - ok
08:45:19.0647 3536 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
08:45:19.0647 3536 AsyncMac - ok
08:45:19.0897 3536 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
08:45:19.0897 3536 atapi - ok
08:45:20.0108 3536 Atdisk - ok
08:45:20.0448 3536 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
08:45:20.0458 3536 Atmarpc - ok
08:45:20.0678 3536 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
08:45:20.0678 3536 audstub - ok
08:45:20.0899 3536 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
08:45:20.0909 3536 Beep - ok
08:45:21.0169 3536 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
08:45:21.0179 3536 cbidf2k - ok
08:45:21.0419 3536 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
08:45:21.0419 3536 CCDECODE - ok
08:45:21.0580 3536 cd20xrnt - ok
08:45:21.0680 3536 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
08:45:21.0690 3536 Cdaudio - ok
08:45:21.0860 3536 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
08:45:21.0880 3536 Cdfs - ok
08:45:22.0080 3536 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
08:45:22.0090 3536 Cdrom - ok
08:45:22.0351 3536 Changer - ok
08:45:22.0441 3536 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
08:45:22.0441 3536 CmBatt - ok
08:45:22.0581 3536 CmdIde - ok
08:45:22.0711 3536 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
08:45:22.0711 3536 Compbatt - ok
08:45:22.0791 3536 Cpqarray - ok
08:45:22.0932 3536 dac2w2k - ok
08:45:22.0992 3536 dac960nt - ok
08:45:23.0122 3536 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
08:45:23.0152 3536 Disk - ok
08:45:23.0492 3536 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
08:45:23.0532 3536 dmboot - ok
08:45:23.0733 3536 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
08:45:23.0743 3536 dmio - ok
08:45:23.0943 3536 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
08:45:23.0953 3536 dmload - ok
08:45:24.0173 3536 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
08:45:24.0203 3536 DMusic - ok
08:45:24.0364 3536 dpti2o - ok
08:45:24.0434 3536 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
08:45:24.0444 3536 drmkaud - ok
08:45:24.0674 3536 exFat (4d893323dae445e34a4c9038b0551bc9) C:\WINDOWS\system32\drivers\exFat.sys
08:45:24.0684 3536 exFat - ok
08:45:24.0884 3536 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
08:45:24.0884 3536 Fastfat - ok
08:45:25.0085 3536 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
08:45:25.0095 3536 Fdc - ok
08:45:25.0445 3536 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
08:45:25.0445 3536 Fips - ok
08:45:25.0625 3536 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
08:45:25.0635 3536 Flpydisk - ok
08:45:25.0856 3536 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
08:45:25.0866 3536 FltMgr - ok
08:45:26.0076 3536 Fs_Rec (30d42943a54704ef13e2562911dbfcea) C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:45:26.0076 3536 Fs_Rec - ok
08:45:26.0477 3536 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:45:26.0487 3536 Ftdisk - ok
08:45:26.0777 3536 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:45:26.0777 3536 Gpc - ok
08:45:26.0967 3536 hpn - ok
08:45:27.0118 3536 HTTP (937031c085718c1c04a9c0864625ec6b) C:\WINDOWS\system32\Drivers\HTTP.sys
08:45:27.0128 3536 HTTP - ok
08:45:27.0338 3536 i2omgmt - ok
08:45:27.0488 3536 i2omp - ok
08:45:27.0598 3536 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
08:45:27.0598 3536 i8042prt - ok
08:45:27.0809 3536 ialm (1b49ec451363cbbf8d0549d4fd78072c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
08:45:27.0819 3536 ialm - ok
08:45:28.0039 3536 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
08:45:28.0039 3536 Imapi - ok
08:45:28.0620 3536 ini910u - ok
08:45:28.0850 3536 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
08:45:28.0850 3536 IntelIde - ok
08:45:29.0040 3536 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
08:45:29.0050 3536 intelppm - ok
08:45:29.0471 3536 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
08:45:29.0481 3536 Ip6Fw - ok
08:45:29.0691 3536 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
08:45:29.0691 3536 IpFilterDriver - ok
08:45:29.0922 3536 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
08:45:29.0922 3536 IpInIp - ok
08:45:30.0162 3536 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
08:45:30.0162 3536 IpNat - ok
08:45:30.0763 3536 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:45:30.0763 3536 IPSec - ok
08:45:30.0983 3536 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
08:45:30.0993 3536 irda - ok
08:45:31.0213 3536 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
08:45:31.0223 3536 IRENUM - ok
08:45:31.0494 3536 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
08:45:31.0504 3536 isapnp - ok
08:45:31.0794 3536 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
08:45:31.0794 3536 Kbdclass - ok
08:45:31.0995 3536 kl1 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\kl1.sys
08:45:32.0005 3536 kl1 - ok
08:45:32.0335 3536 KLIF (a11c971434468fa05815eec8228d63fd) C:\WINDOWS\system32\DRIVERS\klif.sys
08:45:32.0345 3536 KLIF - ok
08:45:32.0535 3536 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
08:45:32.0545 3536 kmixer - ok
08:45:32.0806 3536 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
08:45:32.0816 3536 KSecDD - ok
08:45:32.0996 3536 lbrtfdc - ok
08:45:33.0216 3536 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
08:45:33.0226 3536 mnmdd - ok
08:45:33.0607 3536 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
08:45:33.0607 3536 Modem - ok
08:45:33.0877 3536 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
08:45:33.0887 3536 Mouclass - ok
08:45:34.0118 3536 MountMgr (1a1faa5102466f418494e94ff9b0b091) C:\WINDOWS\system32\drivers\MountMgr.sys
08:45:34.0118 3536 MountMgr - ok
08:45:34.0378 3536 mraid35x - ok
08:45:34.0488 3536 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
08:45:34.0488 3536 MREMP50 - ok
08:45:34.0528 3536 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
08:45:34.0528 3536 MRESP50 - ok
08:45:34.0769 3536 MRxDAV (4fefd389d71126ee581b9f9cb2918be4) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
08:45:34.0769 3536 MRxDAV - ok
08:45:34.0999 3536 MRxSmb (fb2fccc70f7174c7bf64f48e96d3adf4) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
08:45:35.0019 3536 MRxSmb - ok
08:45:35.0219 3536 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
08:45:35.0229 3536 Msfs - ok
08:45:35.0420 3536 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
08:45:35.0420 3536 MSKSSRV - ok
08:45:35.0530 3536 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
08:45:35.0530 3536 MSPCLOCK - ok
08:45:35.0660 3536 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
08:45:35.0660 3536 MSPQM - ok
08:45:35.0820 3536 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
08:45:35.0820 3536 mssmbios - ok
08:45:36.0040 3536 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
08:45:36.0040 3536 MSTEE - ok
08:45:36.0321 3536 Mup (f7b1ad991491f02af6da70b00b8bf114) C:\WINDOWS\system32\drivers\Mup.sys
08:45:36.0321 3536 Mup - ok
08:45:36.0531 3536 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
08:45:36.0531 3536 NABTSFEC - ok
08:45:36.0852 3536 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
08:45:36.0862 3536 NDIS - ok
08:45:37.0062 3536 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
08:45:37.0062 3536 NdisIP - ok
08:45:37.0412 3536 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
08:45:37.0412 3536 NdisTapi - ok
08:45:37.0753 3536 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
08:45:37.0753 3536 Ndisuio - ok
08:45:37.0983 3536 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
08:45:37.0993 3536 NdisWan - ok
08:45:38.0224 3536 NDProxy (816460bd4b4acd27937d1d0813e2e9e9) C:\WINDOWS\system32\drivers\NDProxy.sys
08:45:38.0244 3536 NDProxy - ok
08:45:38.0584 3536 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
08:45:38.0584 3536 NetBIOS - ok
08:45:38.0844 3536 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
08:45:38.0854 3536 NetBT - ok
08:45:39.0105 3536 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
08:45:39.0115 3536 NIC1394 - ok
08:45:39.0335 3536 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
08:45:39.0345 3536 Npfs - ok
08:45:39.0606 3536 Ntfs (4c51d5275ae8a16999edfe7e647d00de) C:\WINDOWS\system32\drivers\Ntfs.sys
08:45:39.0626 3536 Ntfs - ok
08:45:39.0816 3536 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
08:45:39.0836 3536 Null - ok
08:45:40.0046 3536 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
08:45:40.0056 3536 NwlnkFlt - ok
08:45:40.0317 3536 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
08:45:40.0337 3536 NwlnkFwd - ok
08:45:40.0577 3536 ohci1394 (2553f7c60b8d291b5a812245e6d4da6e) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
08:45:40.0577 3536 ohci1394 - ok
08:45:40.0857 3536 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
08:45:40.0877 3536 Parport - ok
08:45:41.0098 3536 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
08:45:41.0108 3536 PartMgr - ok
08:45:41.0418 3536 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
08:45:41.0418 3536 ParVdm - ok
08:45:41.0648 3536 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
08:45:41.0658 3536 PCI - ok
08:45:41.0909 3536 PCIDump - ok
08:45:42.0059 3536 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
08:45:42.0059 3536 PCIIde - ok
08:45:42.0189 3536 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
08:45:42.0199 3536 Pcmcia - ok
08:45:42.0430 3536 PDCOMP - ok
08:45:42.0510 3536 PDFRAME - ok
08:45:42.0650 3536 PDRELI - ok
08:45:42.0810 3536 PDRFRAME - ok
08:45:42.0840 3536 perc2 - ok
08:45:42.0860 3536 perc2hib - ok
08:45:43.0161 3536 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
08:45:43.0161 3536 PptpMiniport - ok
08:45:43.0471 3536 PSched (d8e11d311785f89f1d70a28b0e879127) C:\WINDOWS\system32\DRIVERS\psched.sys
08:45:43.0481 3536 PSched - ok
08:45:43.0611 3536 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
08:45:43.0621 3536 Ptilink - ok
08:45:43.0731 3536 PxHelp20 (42d4c34300405d9f377e55f5ddadd720) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
08:45:43.0741 3536 PxHelp20 - ok
08:45:43.0912 3536 ql1080 - ok
08:45:43.0962 3536 Ql10wnt - ok
08:45:43.0992 3536 ql12160 - ok
08:45:44.0022 3536 ql1240 - ok
08:45:44.0052 3536 ql1280 - ok
08:45:44.0102 3536 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
08:45:44.0102 3536 RasAcd - ok
08:45:44.0523 3536 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
08:45:44.0533 3536 Rasirda - ok
08:45:44.0713 3536 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
08:45:44.0723 3536 Rasl2tp - ok
08:45:44.0943 3536 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
08:45:44.0973 3536 RasPppoe - ok
08:45:45.0194 3536 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
08:45:45.0204 3536 Raspti - ok
08:45:45.0624 3536 Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
08:45:45.0634 3536 Rdbss - ok
08:45:45.0824 3536 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
08:45:45.0824 3536 RDPCDD - ok
08:45:45.0965 3536 rdpdr (47ea20320e3d6fdc7b7bb22b2b881ca6) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
08:45:45.0985 3536 rdpdr - ok
08:45:46.0105 3536 RDPWD (3348e61a78ba4f79c795aad6565d3b6f) C:\WINDOWS\system32\drivers\RDPWD.sys
08:45:46.0115 3536 RDPWD - ok
08:45:46.0405 3536 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
08:45:46.0415 3536 redbook - ok
08:45:46.0666 3536 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
08:45:46.0676 3536 RTL8023xp - ok
08:45:46.0936 3536 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
08:45:46.0936 3536 Secdrv - ok
08:45:47.0186 3536 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
08:45:47.0186 3536 serenum - ok
08:45:47.0487 3536 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
08:45:47.0487 3536 Serial - ok
08:45:47.0707 3536 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
08:45:47.0707 3536 Sfloppy - ok
08:45:47.0948 3536 Si3112 (f459dd5ee69d4b68cb6767c9731b5faf) C:\WINDOWS\system32\drivers\Si3112.sys
08:45:47.0958 3536 Si3112 - ok
08:45:48.0148 3536 Simbad - ok
08:45:48.0418 3536 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
08:45:48.0418 3536 SLIP - ok
08:45:48.0709 3536 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
08:45:48.0719 3536 SMCIRDA - ok
08:45:48.0889 3536 Sparrow - ok
08:45:49.0119 3536 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
08:45:49.0119 3536 splitter - ok
08:45:49.0560 3536 sptd (ca9a2690a2b53662565654b48f7ae68f) C:\WINDOWS\System32\Drivers\sptd.sys
08:45:49.0560 3536 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\sptd.sys. md5: ca9a2690a2b53662565654b48f7ae68f
08:45:49.0570 3536 sptd ( LockedFile.Multi.Generic ) - warning
08:45:49.0570 3536 sptd - detected LockedFile.Multi.Generic (1)
08:45:49.0810 3536 Sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
08:45:49.0820 3536 Sr - ok
08:45:50.0101 3536 Srv (9b390283569ea58d43d2586032b892f5) C:\WINDOWS\system32\DRIVERS\srv.sys
08:45:50.0121 3536 Srv - ok
08:45:50.0401 3536 STAC97 (94958b68384bb931f571cd35bb65028d) C:\WINDOWS\system32\drivers\STAC97.sys
08:45:50.0411 3536 STAC97 - ok
08:45:50.0641 3536 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
08:45:50.0651 3536 streamip - ok
08:45:50.0862 3536 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
08:45:50.0872 3536 swenum - ok
08:45:51.0142 3536 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
08:45:51.0142 3536 swmidi - ok
08:45:51.0453 3536 symc810 - ok
08:45:51.0543 3536 symc8xx - ok
08:45:51.0653 3536 sym_hi - ok
08:45:51.0863 3536 sym_u3 - ok
08:45:52.0003 3536 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
08:45:52.0003 3536 sysaudio - ok
08:45:52.0364 3536 Tcpip (474d3dccb57defcd917311eec47204b9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
08:45:52.0384 3536 Tcpip - ok
08:45:52.0564 3536 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
08:45:52.0564 3536 TDPIPE - ok
08:45:52.0744 3536 TDTCP (c0578456f29e5f26285f81b7b71fe57d) C:\WINDOWS\system32\drivers\TDTCP.sys
08:45:52.0744 3536 TDTCP - ok
08:45:52.0995 3536 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
08:45:53.0005 3536 TermDD - ok
08:45:53.0205 3536 TosIde - ok
08:45:53.0546 3536 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
08:45:53.0566 3536 Udfs - ok
08:45:53.0716 3536 ultra - ok
08:45:53.0816 3536 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
08:45:53.0816 3536 UnlockerDriver5 - ok
08:45:54.0046 3536 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
08:45:54.0066 3536 Update - ok
08:45:54.0487 3536 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
08:45:54.0487 3536 usbccgp - ok
08:45:54.0717 3536 usbehci (52674b5dbee499342a599c7771abecaa) C:\WINDOWS\system32\DRIVERS\usbehci.sys
08:45:54.0717 3536 usbehci - ok
08:45:54.0948 3536 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
08:45:54.0958 3536 usbhub - ok
08:45:55.0168 3536 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
08:45:55.0168 3536 usbscan - ok
08:45:55.0558 3536 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
08:45:55.0558 3536 USBSTOR - ok
08:45:55.0799 3536 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
08:45:55.0809 3536 usbuhci - ok
08:45:56.0039 3536 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
08:45:56.0039 3536 usbvideo - ok
08:45:56.0450 3536 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
08:45:56.0460 3536 VgaSave - ok
08:45:56.0630 3536 ViaIde - ok
08:45:56.0960 3536 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
08:45:56.0971 3536 VolSnap - ok
08:45:57.0141 3536 vsdatant (1045d05bbd5170565927d7653346c961) C:\WINDOWS\system32\vsdatant.sys
08:45:57.0161 3536 vsdatant - ok
08:45:57.0712 3536 w70n51 (8e5cf571c00c806ed7c08dbb74356646) C:\WINDOWS\system32\DRIVERS\w70n51.sys
08:45:57.0732 3536 w70n51 - ok
08:45:57.0952 3536 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
08:45:57.0962 3536 Wanarp - ok
08:45:58.0132 3536 WDICA - ok
08:45:58.0312 3536 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
08:45:58.0312 3536 wdmaud - ok
08:45:58.0593 3536 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
08:45:58.0593 3536 WSTCODEC - ok
08:45:58.0793 3536 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
08:45:58.0803 3536 WudfPf - ok
08:45:59.0023 3536 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
08:45:59.0033 3536 WudfRd - ok
08:45:59.0364 3536 {6080A529-897E-4629-A488-ABA0C29B635E} (a7ab6e6fcb5d9276160d9998593638e3) C:\WINDOWS\system32\drivers\ialmsbw.sys
08:45:59.0384 3536 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
08:45:59.0614 3536 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d9c1c60a4e414052e30dbb2800f0893a) C:\WINDOWS\system32\drivers\ialmkchw.sys
08:45:59.0634 3536 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
08:45:59.0664 3536 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
08:45:59.0684 3536 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
08:45:59.0684 3536 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
08:45:59.0704 3536 Boot (0x1200) (ca4c82ff5ce81bf5e3b095fdd0b5f4fa) \Device\Harddisk0\DR0\Partition0
08:45:59.0704 3536 \Device\Harddisk0\DR0\Partition0 - ok
08:45:59.0714 3536 ============================================================
08:45:59.0714 3536 Scan finished
08:45:59.0714 3536 ============================================================
08:45:59.0744 3532 Detected object count: 2
08:45:59.0744 3532 Actual detected object count: 2
08:48:01.0650 3532 sptd ( LockedFile.Multi.Generic ) - skipped by user
08:48:01.0650 3532 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
08:48:01.0680 3532 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
08:48:01.0690 3532 \Device\Harddisk0\DR0 - ok
08:48:01.0690 3532 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
08:48:12.0325 2528 Deinitialize success
 
Looks like your hard disk is infected, possibly the Master Boot Record. What you have is fairly new and appears to cause some damage upon its removal.

See if you can run this program, you can download it via a known clean computer and transfer by disk to the infected one.

Just want to point out also that this is a very serious infection. Even when it's cleaned it could leave your computer compromised; what that means is it can never be trusted to do any online transactions. I would strongly suggest that you reformat this drive and reinstall Windows.


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instructions on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connections.
 
Did as instructed, back on the infected machine now. Boot was normal, can access files on the HD. Here's the ComboFix txt log:

ComboFix 12-01-19.01 - Administrator 01/19/2012 12:11:26.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.640 [GMT -6:00]
Running from: E:\ComboFix.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator\Desktop\System Check.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\System Check
C:\Documents and Settings\Administrator\Start Menu\Programs\System Check\System Check.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\System Check\Uninstall System Check.lnk
C:\Documents and Settings\All Users\Application Data\~CI7L91pcnJdaiT
C:\Documents and Settings\All Users\Application Data\~CI7L91pcnJdaiTr
C:\Documents and Settings\All Users\Application Data\CI7L91pcnJdaiT
C:\Documents and Settings\All Users\Application Data\CI7L91pcnJdaiT.exe
C:\Documents and Settings\All Users\Application Data\QimMTimICgL.exe
C:\Program Files\Toolbar


((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))


2012-01-12 03:19:24 . 2012-01-12 03:19:34 -------- d--h--w- C:\Program Files\ERUNT
2012-01-12 00:54:33 . 2012-01-19 14:30:05 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Norton
2012-01-10 04:10:16 . 2012-01-10 04:10:16 -------- d--h--w- C:\WINDOWS\Options
2012-01-10 03:07:09 . 2012-01-12 00:41:30 -------- d--h--w- C:\Program Files\CheckPoint
2012-01-10 01:13:58 . 2012-01-10 01:13:58 -------- d--h--w- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2012-01-10 01:13:33 . 2012-01-10 01:13:33 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2012-01-10 01:13:23 . 2011-12-10 21:24:06 20464 ---ha-w- C:\WINDOWS\system32\drivers\mbam.sys
2012-01-10 01:13:20 . 2012-01-10 01:13:46 -------- d--h--w- C:\Program Files\Malwarebytes' Anti-Malware
2012-01-07 18:17:40 . 2012-01-07 18:17:40 -------- d-sh--w- C:\Documents and Settings\LocalService\IETldCache
2012-01-07 03:00:49 . 2012-01-10 02:27:37 -------- d--h--w- C:\WINDOWS\Sun
2012-01-04 01:11:52 . 2012-01-04 16:52:55 -------- d--h--w- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2012-01-04 01:06:37 . 2012-01-04 01:06:37 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Apple Computer
2012-01-04 01:06:04 . 2012-01-04 01:06:04 -------- d--h--w- C:\Program Files\Common Files\Apple
2012-01-04 01:05:44 . 2012-01-04 01:05:44 -------- d--h--w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple
2012-01-04 01:05:38 . 2012-01-04 01:05:39 -------- d--h--w- C:\Program Files\Apple Software Update
2012-01-04 01:05:38 . 2012-01-04 01:05:38 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Apple
2012-01-04 01:05:11 . 2012-01-04 01:05:11 -------- d--h--w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer
2012-01-04 00:14:05 . 2012-01-04 00:14:05 -------- d--h--w- C:\Documents and Settings\Administrator\Application Data\vlc
2012-01-04 00:05:53 . 2012-01-04 00:22:39 -------- d--h--w- C:\Program Files\VideoLAN
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-12-28 23:37:14 . 2011-06-02 15:24:06 414368 ---ha-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:29:56 . 2010-12-31 12:14:45 1868544 ---ha-w- C:\WINDOWS\system32\win32k.sys
2011-11-04 19:19:40 . 2011-04-10 17:19:32 1469440 ---ha-w- C:\WINDOWS\system32\inetcpl.cpl
2011-11-04 19:19:40 . 2010-12-20 22:58:53 919552 ---ha-w- C:\WINDOWS\system32\wininet.dll
2011-11-04 19:19:40 . 2010-12-20 22:58:52 43520 ---ha-w- C:\WINDOWS\system32\licmgr10.dll
2011-11-01 16:05:38 . 2010-07-16 11:04:26 1289216 ---ha-w- C:\WINDOWS\system32\ole32.dll
2011-10-28 05:31:00 . 2010-12-09 13:29:00 33280 ---ha-w- C:\WINDOWS\system32\csrsrv.dll
2011-10-26 00:22:34 . 2010-12-10 01:39:28 2069376 ---ha-w- C:\WINDOWS\system32\ntkrnlpa.exe
2011-10-25 13:34:49 . 2010-12-09 12:43:18 2192768 ---ha-w- C:\WINDOWS\system32\ntoskrnl.exe
2011-10-25 12:01:01 . 2010-12-20 11:29:19 385024 ---ha-w- C:\WINDOWS\system32\html.iec
2011-10-24 20:29:02 . 2011-10-24 20:29:02 94208 ---ha-w- C:\WINDOWS\system32\QuickTimeVR.qtx
2011-10-24 20:29:02 . 2011-10-24 20:29:02 69632 ---ha-w- C:\WINDOWS\system32\QuickTime.qts
2011-11-24 02:12:46 . 2011-04-12 22:46:38 134104 ---ha-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.

[-] 2011-03-09 07:29:49 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009 (xpsp_sp3_qfe.100708-1621)] . . C:\WINDOWS\system32\drivers\tcpip.sys
[7] 2008-06-20 11:59:02 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625 (xpsp_sp3_qfe.080620-1309)] . . C:\WINDOWS\system32\dllcache\tcpip.sys



C:\WINDOWS\System32\spoolsv.exe ... is missing !!
C:\WINDOWS\System32\wscntfy.exe ... is missing !!

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2011-10-13 14:27:14 17351304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-05-29 09:14:24 114688]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-16 22:39:40 1037192]
"IJNetworkScanUtility"="C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 06:11:28 206240]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 17:55:28 937920]
"Drag'n Drop CD"="C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe" [2002-08-22 19:36:18 802816]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 01:29:26 40960]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2011-07-19 17:53:08 2567272]
"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 13:22:28 59240]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2011-10-24 20:28:52 421888]
"AGRSMMSG"="AGRSMMSG.exe" [2002-11-21 04:17:54 87751]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-14 11:00:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 19:32:48 128512]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;C:\WINDOWS\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 5:00:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

Contents of the 'Scheduled Tasks' folder

2012-01-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57:16 . 2011-06-01 23:57:16]


------- Supplementary Scan -------

uStart Page = hxxp://www.prisonplanet.com/
uDefault_Search_URL = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1 67.142.160.8 67.142.160.9
FF - ProfilePath - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yy1hez6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://prisonplanet.tv/

- - - - ORPHANS REMOVED - - - -

HKLM-Run-ZoneAlarm Installer - C:\Program Files\CheckPoint\Install\Launcher.exe
HKLM-Run-QimMTimICgL.exe - C:\Documents and Settings\All Users\Application Data\QimMTimICgL.exe
HKU-Default-Run-IDMan - C:\Program Files\Internet Download Manager\IDMan.exe
AddRemove-File Download ActiveX - C:\WINDOWS\system32\uninst.exe
 
Great,

We have some things to fix, and I need to go over your CF log real close; in the meantime, do this please.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    spoolsv.exe 
    wscntfy.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt




Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    MBAMCapture.jpg
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report, please.
 
Here is the Malwarebytes scan log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.19.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: HASSELCOMPUTER [administrator]

1/19/2012 1:16:59 PM
mbam-log-2012-01-19 (13-16-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 163739
Time elapsed: 10 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
Are you entering this script?

:filefind
spoolsv.exe
wscntfy.exe



If it still doesn't work, then drag it to the trash and re-download it from the second location.
 
No, sorry, I wasn't entering the script. :oops:

Had to reboot, got the "blue" screen. Tried again, Windows loaded, however the virus is back; I began losing control as before.

Should I run ComboFix again?
 
Go ahead and run ComboFix again, but I am leaning towards your Master Boot Record being infected. Let's see if CF will calm things down; run it this time with this script. I may be getting ahead of myself here, but since your system is in such bad shape we need to forge ahead.


Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above FCopy::


Code:
FCopy::
C:\WINDOWS\system32\dllcache\spoolsv.exe | C:\WINDOWS\System32\spoolsv.exe
C:\WINDOWS\system32\dllcache\wscntfy.exe | C:\WINDOWS\System32\wscntfy.exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
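The FCopy:: script above restores two system executables from the dllcache backup copies, and the earlier ComboFix log flagged them with "... is missing !!" and listed tcpip.sys under Sigcheck with a different MD5 from its dllcache copy. Here is an added example (not ComboFix, SystemLook or any tool from the thread) that performs that same triage check in Python: it reports, for each expected file, whether it is missing, has no backup, matches its dllcache copy or differs from it, and lists which missing files could be restored the way the script does. The directory tree and file contents are constructed inline; the real XP paths would be C:\WINDOWS\System32 and C:\WINDOWS\system32\dllcache.

```python
"""Compare System32 executables against their dllcache backups.

Added example, not code from ComboFix or SystemLook. It mirrors two checks
seen in the thread's ComboFix log: the "... is missing !!" lines and the
Sigcheck MD5 comparison between a live file and its dllcache copy.
"""
import hashlib
import tempfile
from pathlib import Path

# Files the thread's logs called out (two missing, one with a hash mismatch).
EXPECTED = ["spoolsv.exe", "wscntfy.exe", "tcpip.sys"]


def md5_of(path: Path) -> str:
    """Upper-case MD5 hex digest, the form ComboFix prints in Sigcheck."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def audit(system32: Path, dllcache: Path, names) -> dict:
    """Classify each expected file. Result: name -> (state, live_md5, backup_md5).

    missing    absent from System32 (ComboFix: '... is missing !!')
    no_backup  present in System32 but no dllcache copy to compare against
    match      System32 copy and dllcache copy have the same MD5
    mismatch   hashes differ; may be a legitimate update (as with tcpip.sys
               5.1.2600.6009 vs 5.1.2600.5625 in the log) or tampering, so
               check version and signature before acting on it
    """
    report = {}
    for name in names:
        live, backup = system32 / name, dllcache / name
        if not live.is_file():
            report[name] = ("missing", None, md5_of(backup) if backup.is_file() else None)
        elif not backup.is_file():
            report[name] = ("no_backup", md5_of(live), None)
        else:
            a, b = md5_of(live), md5_of(backup)
            report[name] = ("match" if a == b else "mismatch", a, b)
    return report


def restorable(report: dict) -> list:
    """Names that are missing but have a dllcache copy: exactly the cases the
    thread's FCopy:: lines (dllcache\\X | System32\\X) put back."""
    return [n for n, (state, _, backup_md5) in report.items()
            if state == "missing" and backup_md5 is not None]


def demo() -> dict:
    """Constructed tree mirroring the thread: spoolsv.exe and wscntfy.exe gone
    from System32 but present in dllcache; tcpip.sys in both with different
    content (the Sigcheck [-]/[7] pair). Contents are placeholder bytes."""
    root = Path(tempfile.mkdtemp())
    system32 = root / "System32"
    dllcache = system32 / "dllcache"
    dllcache.mkdir(parents=True)
    (dllcache / "spoolsv.exe").write_bytes(b"constructed spooler binary")
    (dllcache / "wscntfy.exe").write_bytes(b"constructed wscntfy binary")
    (dllcache / "tcpip.sys").write_bytes(b"constructed tcpip 5.1.2600.5625")
    (system32 / "tcpip.sys").write_bytes(b"constructed tcpip 5.1.2600.6009")
    return audit(system32, dllcache, EXPECTED)


if __name__ == "__main__":
    rep = demo()
    for name, (state, live_md5, backup_md5) in rep.items():
        print(f"{name:12} {state:10} system32={live_md5} dllcache={backup_md5}")
    print("restorable from dllcache:", restorable(rep))
```

The script only reports; a mismatch on its own is not proof of infection, which is why the Sigcheck note in the log says unsigned files aren't necessarily malware.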
 
Ran ComboFix again, regained control, typing this from the infected computer.

Here's the system look file:

SystemLook 30.07.11 by jpshortstuff
Log created at 16:19 on 19/01/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "spoolsv.exe "
No files found.

Searching for "wscntfy.exe"
No files found.

-= EOF =-


Here's a new ComboFix log:

ComboFix 12-01-19.01 - Administrator 01/19/2012 15:53:08.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.605 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Desktop\System Check.lnk
c:\documents and settings\Administrator\Start Menu\Programs\System Check
c:\documents and settings\Administrator\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Administrator\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\documents and settings\All Users\Application Data\~O6tIpy5tsgasDA
c:\documents and settings\All Users\Application Data\~O6tIpy5tsgasDAr
c:\documents and settings\All Users\Application Data\O6tIpy5tsgasDA
c:\documents and settings\All Users\Application Data\O6tIpy5tsgasDA.exe
c:\documents and settings\All Users\Application Data\QimMTimICgL.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))
.
.
2012-01-19 18:39 . 2012-01-19 18:39 -------- d--h--w- c:\windows\system32\wbem\snmp
2012-01-19 18:39 . 2012-01-19 18:39 -------- d--h--w- c:\windows\system32\xircom
2012-01-19 18:39 . 2012-01-19 18:39 -------- d--h--w- c:\windows\srchasst
2012-01-19 18:39 . 2012-01-19 18:39 -------- d--h--w- c:\program files\microsoft frontpage
2012-01-12 03:19 . 2012-01-12 03:19 -------- d--h--w- c:\program files\ERUNT
2012-01-12 00:54 . 2012-01-19 14:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Norton
2012-01-10 04:10 . 2012-01-10 04:10 -------- d--h--w- c:\windows\Options
2012-01-10 03:07 . 2012-01-12 00:41 -------- d--h--w- c:\program files\CheckPoint
2012-01-10 01:13 . 2012-01-10 01:13 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-01-10 01:13 . 2012-01-10 01:13 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-10 01:13 . 2011-12-10 21:24 20464 ---ha-w- c:\windows\system32\drivers\mbam.sys
2012-01-10 01:13 . 2012-01-19 19:14 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2012-01-07 18:17 . 2012-01-07 18:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-01-07 03:00 . 2012-01-10 02:27 -------- d--h--w- c:\windows\Sun
2012-01-04 01:11 . 2012-01-04 16:52 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Apple Computer
2012-01-04 01:06 . 2012-01-04 01:06 -------- d--h--w- c:\documents and settings\All Users\Application Data\Apple Computer
2012-01-04 01:06 . 2012-01-04 01:06 -------- d--h--w- c:\program files\Common Files\Apple
2012-01-04 01:05 . 2012-01-04 01:05 -------- d--h--w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2012-01-04 01:05 . 2012-01-04 01:05 -------- d--h--w- c:\program files\Apple Software Update
2012-01-04 01:05 . 2012-01-04 01:05 -------- d--h--w- c:\documents and settings\All Users\Application Data\Apple
2012-01-04 01:05 . 2012-01-04 01:05 -------- d--h--w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2012-01-04 00:14 . 2012-01-04 00:14 -------- d--h--w- c:\documents and settings\Administrator\Application Data\vlc
2012-01-04 00:05 . 2012-01-04 00:22 -------- d--h--w- c:\program files\VideoLAN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 23:37 . 2011-06-02 15:24 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:29 . 2010-12-31 12:14 1868544 ---ha-w- c:\windows\system32\win32k.sys
2011-11-04 19:19 . 2011-04-10 17:19 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
2011-11-04 19:19 . 2010-12-20 22:58 919552 ---ha-w- c:\windows\system32\wininet.dll
2011-11-04 19:19 . 2010-12-20 22:58 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-11-01 16:05 . 2010-07-16 11:04 1289216 ---ha-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2010-12-09 13:29 33280 ---ha-w- c:\windows\system32\csrsrv.dll
2011-10-26 00:22 . 2010-12-10 01:39 2069376 ---ha-w- c:\windows\system32\ntkrnlpa.exe
2011-10-25 13:34 . 2010-12-09 12:43 2192768 ---ha-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:01 . 2010-12-20 11:29 385024 ---ha-w- c:\windows\system32\html.iec
2011-10-24 20:29 . 2011-10-24 20:29 94208 ---ha-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 20:29 . 2011-10-24 20:29 69632 ---ha-w- c:\windows\system32\QuickTime.qts
2011-11-24 02:12 . 2011-04-12 22:46 134104 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-03-09 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-05-29 114688]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-16 1037192]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Drag'n Drop CD"="c:\program files\Drag'n Drop CD\BinFiles\DragDrop.exe" [2002-08-22 802816]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-07-19 2567272]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"ZoneAlarm Installer"="c:\program files\CheckPoint\Install\Launcher.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2002-11-21 87751]
"QimMTimICgL.exe"="c:\documents and settings\All Users\Application Data\QimMTimICgL.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-14 15360]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 5:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.prisonplanet.com/
uDefault_Search_URL = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1 67.142.160.8 67.142.160.9
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yy1hez6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://prisonplanet.tv/
.
Supplementary scan did not complete!
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-19 16:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HITACHI_DK23EA-40 rev.00K3A0A6 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8653E2C6
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1292428093-1708537768-1343024091-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,80,ea,70,2e,77,33,43,aa,d4,05,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,12,60,6b,99,02,8d,f6,41,ba,7b,09,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,80,ea,70,2e,77,33,43,aa,d4,05,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(624)
c:\windows\system32\WININET.dll
.
Completion time: 2012-01-19 16:15:42
ComboFix-quarantined-files.txt 2012-01-19 22:15
.
Pre-Run: 31,502,401,536 bytes free
Post-Run: 31,717,122,048 bytes free
.
- - End Of File - - 3B44C7210C318E00AB7566C65A499000
 
Here is the new ComboFix running the CFScript as you requested:





ComboFix 12-01-19.01 - Administrator 01/19/2012 16:39:15.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.510 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt


((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))


2012-01-19 18:39:47 . 2012-01-19 18:39:47 -------- d-----w- C:\WINDOWS\system32\wbem\snmp
2012-01-19 18:39:45 . 2012-01-19 18:39:45 -------- d-----w- C:\WINDOWS\system32\xircom
2012-01-19 18:39:45 . 2012-01-19 18:39:45 -------- d-----w- C:\WINDOWS\srchasst
2012-01-19 18:39:41 . 2012-01-19 18:39:41 -------- d-----w- C:\Program Files\microsoft frontpage
2012-01-12 03:19:24 . 2012-01-12 03:19:34 -------- d-----w- C:\Program Files\ERUNT
2012-01-12 00:54:33 . 2012-01-19 14:30:05 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Norton
2012-01-10 04:10:16 . 2012-01-10 04:10:16 -------- d-----w- C:\WINDOWS\Options
2012-01-10 03:07:09 . 2012-01-12 00:41:30 -------- d-----w- C:\Program Files\CheckPoint
2012-01-10 01:13:58 . 2012-01-10 01:13:58 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2012-01-10 01:13:33 . 2012-01-10 01:13:33 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2012-01-10 01:13:23 . 2011-12-10 21:24:06 20464 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2012-01-10 01:13:20 . 2012-01-19 19:14:22 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2012-01-07 18:17:40 . 2012-01-07 18:17:40 -------- d-sh--w- C:\Documents and Settings\LocalService\IETldCache
2012-01-07 03:00:49 . 2012-01-10 02:27:37 -------- d-----w- C:\WINDOWS\Sun
2012-01-04 01:11:52 . 2012-01-04 16:52:55 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2012-01-04 01:06:37 . 2012-01-04 01:06:37 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Apple Computer
2012-01-04 01:06:04 . 2012-01-04 01:06:04 -------- d-----w- C:\Program Files\Common Files\Apple
2012-01-04 01:05:44 . 2012-01-04 01:05:44 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple
2012-01-04 01:05:38 . 2012-01-04 01:05:39 -------- d-----w- C:\Program Files\Apple Software Update
2012-01-04 01:05:38 . 2012-01-04 01:05:38 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Apple
2012-01-04 01:05:11 . 2012-01-04 01:05:11 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer
2012-01-04 00:14:05 . 2012-01-04 00:14:05 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\vlc
2012-01-04 00:05:53 . 2012-01-04 00:22:39 -------- d-----w- C:\Program Files\VideoLAN
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-12-28 23:37:14 . 2011-06-02 15:24:06 414368 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:29:56 . 2010-12-31 12:14:45 1868544 ----a-w- C:\WINDOWS\system32\win32k.sys
2011-11-04 19:19:40 . 2011-04-10 17:19:32 1469440 ----a-w- C:\WINDOWS\system32\inetcpl.cpl
2011-11-04 19:19:40 . 2010-12-20 22:58:53 919552 ----a-w- C:\WINDOWS\system32\wininet.dll
2011-11-04 19:19:40 . 2010-12-20 22:58:52 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
2011-11-01 16:05:38 . 2010-07-16 11:04:26 1289216 ----a-w- C:\WINDOWS\system32\ole32.dll
2011-10-28 05:31:00 . 2010-12-09 13:29:00 33280 ----a-w- C:\WINDOWS\system32\csrsrv.dll
2011-10-26 00:22:34 . 2010-12-10 01:39:28 2069376 ----a-w- C:\WINDOWS\system32\ntkrnlpa.exe
2011-10-25 13:34:49 . 2010-12-09 12:43:18 2192768 ----a-w- C:\WINDOWS\system32\ntoskrnl.exe
2011-10-25 12:01:01 . 2010-12-20 11:29:19 385024 ----a-w- C:\WINDOWS\system32\html.iec
2011-10-24 20:29:02 . 2011-10-24 20:29:02 94208 ----a-w- C:\WINDOWS\system32\QuickTimeVR.qtx
2011-10-24 20:29:02 . 2011-10-24 20:29:02 69632 ----a-w- C:\WINDOWS\system32\QuickTime.qts
2011-11-24 02:12:46 . 2011-04-12 22:46:38 134104 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.

[-] 2011-03-09 07:29:49 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009 (xpsp_sp3_qfe.100708-1621)] . . C:\WINDOWS\system32\drivers\tcpip.sys
[7] 2008-06-20 11:59:02 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625 (xpsp_sp3_qfe.080620-1309)] . . C:\WINDOWS\system32\dllcache\tcpip.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2011-10-13 14:27:14 17351304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-05-29 09:14:24 114688]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-16 22:39:40 1037192]
"IJNetworkScanUtility"="C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 06:11:28 206240]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
"Drag'n Drop CD"="C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe" [2002-08-22 19:36:18 802816]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 01:29:26 40960]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2011-07-19 17:53:08 2567272]
"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 13:22:28 59240]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2011-10-24 20:28:52 421888]
"ZoneAlarm Installer"="C:\Program Files\CheckPoint\Install\Launcher.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2002-11-21 04:17:54 87751]
"QimMTimICgL.exe"="C:\Documents and Settings\All Users\Application Data\QimMTimICgL.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-14 11:00:00 15360]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 19:32:48 128512]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;C:\WINDOWS\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 5:00:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

Contents of the 'Scheduled Tasks' folder

2012-01-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57:16 . 2011-06-01 23:57:16]


------- Supplementary Scan -------

uStart Page = hxxp://www.prisonplanet.com/
uDefault_Search_URL = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1 67.142.160.8 67.142.160.9
FF - ProfilePath - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yy1hez6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://prisonplanet.tv/


**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-19 16:51:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HITACHI_DK23EA-40 rev.00K3A0A6 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8653E2C6
user & kernel MBR OK

**************************************************************************

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1708537768-1343024091-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,80,ea,70,2e,77,33,43,aa,d4,05,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,12,60,6b,99,02,8d,f6,41,ba,7b,09,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,80,ea,70,2e,77,33,43,aa,d4,05,\

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
C:\WINDOWS\system32\WININET.dll

- - - - - - - > 'lsass.exe'(624)
C:\WINDOWS\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1008)
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\ieframe.dll
C:\WINDOWS\system32\webcheck.dll
C:\WINDOWS\system32\WPDShServiceObj.dll
C:\WINDOWS\system32\PortableDeviceTypes.dll
C:\WINDOWS\system32\PortableDeviceApi.dll

Completion time: 2012-01-19 16:56:03
ComboFix-quarantined-files.txt 2012-01-19 22:55:55
ComboFix2.txt 2012-01-19 22:15:47

Pre-Run: 31,727,501,312 bytes free
Post-Run: 31,728,074,752 bytes free

- - End Of File - - 808F38E2297609360DB5C8FB44571F01
 
Let's check your Master Boot Record

Download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it
  • A window will open on your desktop
  • If an unknown boot code is found you will have further options available to you; at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.
 
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 134):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0x867CB000 \WINDOWS\system32\KDCOM.DLL
0xF789B000 \WINDOWS\system32\BOOTVID.dll
0xF7357000 sptd.sys
0xF7987000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF733F000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF7311000 ACPI.sys
0xF7300000 pci.sys
0xF7487000 ohci1394.sys
0xF7497000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF74A7000 isapnp.sys
0xF789F000 compbatt.sys
0xF78A3000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7989000 intelide.sys
0xF72E2000 pcmcia.sys
0xF74B7000 MountMgr.sys
0xF72C3000 ftdisk.sys
0xF798B000 dmload.sys
0xF729D000 dmio.sys
0xF770F000 PartMgr.sys
0xF74C7000 VolSnap.sys
0xF7285000 atapi.sys
0xF726F000 Si3112.sys
0xF74D7000 disk.sys
0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF724F000 fltMgr.sys
0xF723D000 sr.sys
0xF78A7000 PxHelp20.sys
0xF7226000 KSecDD.sys
0xF7199000 Ntfs.sys
0xF716C000 NDIS.sys
0xF7152000 Mup.sys
0xF6C32000 kl1.sys
0xF7717000 \WINDOWS\System32\DRIVERS\TDI.SYS
0xF7677000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF64A2000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF648E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77B7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF646A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77BF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF644A000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF63A5000 \SystemRoot\system32\DRIVERS\w70n51.sys
0xF7687000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7697000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77C7000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF77CF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7943000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\smcirda.sys
0xF7947000 \SystemRoot\system32\DRIVERS\irenum.sys
0xF6391000 \SystemRoot\system32\DRIVERS\parport.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF636E000 \SystemRoot\system32\DRIVERS\ks.sys
0xF633C000 \SystemRoot\system32\drivers\STAC97.sys
0xF6318000 \SystemRoot\system32\drivers\portcls.sys
0xF76F7000 \SystemRoot\system32\drivers\drmk.sys
0xF61FD000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF77D7000 \SystemRoot\System32\Drivers\Modem.SYS
0xF795B000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7AB8000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF77DF000 \SystemRoot\system32\DRIVERS\rasirda.sys
0xF7507000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF795F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF61E6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7517000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7527000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF61D4000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7537000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6104000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7547000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7A15000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF607E000 \SystemRoot\system32\DRIVERS\update.sys
0xF7973000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7567000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEDFC2000 \SystemRoot\system32\drivers\ialmkchw.sys
0xEDFA5000 \SystemRoot\system32\drivers\ialmsbw.sys
0xF7587000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A1F000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xEDEDA000 \SystemRoot\system32\DRIVERS\klif.sys
0xF64C0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7AEE000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A21000 \SystemRoot\System32\Drivers\Beep.SYS
0xF780F000 \SystemRoot\System32\drivers\vga.sys
0xF7A23000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A25000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7817000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF781F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF64BC000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEDE7F000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEDE26000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEDDFE000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEDD6E000 \SystemRoot\System32\vsdatant.sys
0xF793F000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xEDD48000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xEDD26000 \SystemRoot\System32\drivers\afd.sys
0xF75A7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEDCFB000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEDC8B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF75B7000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7607000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEDC4B000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A29000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF605A000 \SystemRoot\System32\drivers\Dxapi.sys
0xF782F000 \SystemRoot\System32\watchdog.sys
0xBE000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B74000 \SystemRoot\System32\drivers\dxgthk.sys
0xBE020000 \SystemRoot\System32\ialmdnt5.dll
0xBE012000 \SystemRoot\System32\ialmrnt5.dll
0xBE042000 \SystemRoot\System32\ialmdev5.DLL
0xBE072000 \SystemRoot\System32\ialmdd5.DLL
0xF7617000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7627000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xEC679000 \SystemRoot\system32\DRIVERS\irda.sys
0xEC85F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEC394000 \SystemRoot\system32\drivers\wdmaud.sys
0xEC707000 \SystemRoot\system32\drivers\sysaudio.sys
0xEC24A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF79F7000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xEC405000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xEC1A2000 \SystemRoot\system32\DRIVERS\srv.sys
0xEBB21000 \SystemRoot\System32\Drivers\HTTP.sys
0xEB827000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF79D1000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xF7867000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
0xEB39C000
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 21):
0 System Idle Process
4 System
464 C:\WINDOWS\system32\smss.exe
532 csrss.exe
564 C:\WINDOWS\system32\winlogon.exe
612 C:\WINDOWS\system32\services.exe
624 C:\WINDOWS\system32\lsass.exe
784 C:\WINDOWS\system32\svchost.exe
1252 svchost.exe
1296 C:\WINDOWS\system32\svchost.exe
1504 svchost.exe
1672 svchost.exe
1552 svchost.exe
1532 C:\Program Files\Common Files\Motive\McciCMService.exe
272 C:\WINDOWS\system32\svchost.exe
1080 C:\WINDOWS\system32\hkcmd.exe
676 C:\WINDOWS\AGRSMMSG.exe
1860 alg.exe
2836 C:\WINDOWS\system32\svchost.exe
1008 C:\WINDOWS\explorer.exe
2124 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HITACHI_DK23EA-40, Rev: 00K3A0A6

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 
See if this program will run, and post the log please.


Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
aswMBR1.png


On completion of the scan click save log, save it to your desktop and post in your next reply
aswMBR2.png
 
aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-19 18:30:56
-----------------------------
18:30:56.230 OS Version: Windows 5.1.2600 Service Pack 3
18:30:56.230 Number of processors: 1 586 0x905
18:30:56.230 ComputerName: HASSELCOMPUTER UserName: Administrator
18:30:57.041 Initialize success
18:31:20.635 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:31:20.635 Disk 0 Vendor: HITACHI_DK23EA-40 00K3A0A6 Size: 38154MB BusType: 3
18:31:20.635 Device \Driver\atapi -> DriverStartIo 8653e2c6
18:31:20.655 Disk 0 MBR read successfully
18:31:20.655 Disk 0 MBR scan
18:31:20.655 Disk 0 TDL4@MBR code has been found
18:31:20.655 Disk 0 Windows XP default MBR code found via API
18:31:20.665 Disk 0 MBR hidden
18:31:20.665 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
18:31:20.665 Disk 0 MBR [TDL4] **ROOTKIT**
18:31:20.665 Disk 0 trace - called modules:
18:31:20.665 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8653e49f]<<
18:31:20.675 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86942ab8]
18:31:20.675 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000077[0x869f4f18]
18:31:20.995 5 ACPI.sys[f7317620] -> nt!IofCallDriver -> [0x86989940]
18:31:20.995 \Driver\atapi[0x86662248] -> IRP_MJ_CREATE -> 0x8653e49f
18:31:20.995 Scan finished successfully
18:31:39.121 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
18:31:39.131 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
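As an added example (not from this thread, and not code from MBRCheck or aswMBR), the checks those tools report above done by hand in Python on a 512-byte MBR dump such as MBR.dat: validate the 0x55AA signature, decode the partition table, compare the sector's SHA1 against a known-good value (KNOWN_GOOD_SHA1 is an assumed placeholder), and flag a "hidden MBR" when the sector as seen through the API differs from the raw one. The sample MBR is constructed to mirror the partition layout in the aswMBR log.

```python
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFF = 446          # boot code occupies bytes 0..445
ENTRY_LEN = 16                # four 16-byte partition entries follow

# Assumed placeholder: replace with the SHA1 of a known-clean MBR
# (MBRCheck prints the SHA1 of the sector it reads).
KNOWN_GOOD_SHA1 = "0000000000000000000000000000000000000000"


def parse_partitions(mbr: bytes):
    """Decode the four classic MBR partition entries, skipping empty ones."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return parts


def check_mbr(mbr: bytes, known_good_sha1: str = KNOWN_GOOD_SHA1):
    """Signature, SHA1-against-baseline and partition table for one MBR sector."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR dump must be exactly one 512-byte sector")
    sha1 = hashlib.sha1(mbr).hexdigest().upper()
    return {
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
        "sha1": sha1,
        "matches_known_good": sha1 == known_good_sha1.upper(),
        "partitions": parse_partitions(mbr),
    }


def mbr_hidden(api_view: bytes, raw_view: bytes) -> bool:
    """A bootkit's filter driver can serve API readers a clean sector while the disk
    holds something else; aswMBR's 'MBR hidden' verdict is exactly this mismatch."""
    return hashlib.sha1(api_view).digest() != hashlib.sha1(raw_view).digest()


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: partition 1 bootable (0x80), type 0x07 NTFS, LBA 63, 38146 MB,
    matching the layout aswMBR reported for Disk 0 above."""
    sectors = 38146 * 1024 * 1024 // SECTOR
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, sectors)
    code = boot_code.ljust(PART_TABLE_OFF, b"\x00")[:PART_TABLE_OFF]
    return code + entry + b"\x00" * (ENTRY_LEN * 3) + MBR_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # constructed stand-in for stock boot code
    altered = build_sample_mbr(b"\x90\x90\x90")                 # constructed stand-in for a changed sector
    print(check_mbr(clean, known_good_sha1=check_mbr(clean)["sha1"]))
    print("MBR hidden (API view vs raw view differ):", mbr_hidden(clean, altered))
```

With a real dump, read MBR.dat (or the first 512 bytes of the physical drive) in binary mode and pass it to check_mbr; a signature failure, a baseline mismatch or a partition table that disagrees with what the OS reports is the cue to escalate, as the helper does in this thread.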
 
What I need you to do is to zip this file and attach it in your next reply. I am going to have one of the MBR experts check it. It was dumped on your desktop when you ran aswMBR.

Desktop\MBR.dat <--This file
Then do this


Re-Run aswMBR

Click Scan

On completion of the scan

Click Fix

aswMBR3.png
Save the log as before and post in your next reply
 
Hard to move locations and then reboot. Ran ComboFix again. Have regained control of computer, I shouldn't have to move again. Here's the zip file.
 