
[Inactive] Rootkit infection

Discussion in 'Malware and Virus Removal Archive' started by alpha1978, 2010/11/01.

  1. 2010/11/01
    alpha1978

    [Inactive] Rootkit infection

    Greetings all. I have a Windows XP Home SP3 system infected with a rootkit, at least I think so. I have run SUPERAntiSpyware, Malwarebytes and Avira on the system and removed some trojan infections along with other malware. My web browsing is being redirected and I cannot access Windows Update. I ran ComboFix and the log showed a possible TDL3 rootkit infection. Below are my logs. TIA!


    DDS (Ver_10-10-31.01) - NTFSx86
    Run by HP_Owner at 11:25:57.60 on Mon 11/01/2010
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.45 [GMT -4:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Live Security Suite *On-access scanning disabled* (Updated) {1EE419F5-F5D8-4458-B14C-366867AD9CAB}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\VS7JIT.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\HP_Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = about:blank
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
    mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [PS2] c:\windows\system32\ps2.exe
    mRun: [AlcxMonitor] ALCXMNTR.EXE
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe "
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: turbotax.com
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
    TCP: {6389E114-8DDC-40CE-A13D-5F052998E2F1} = 24.92.226.11
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Notify: igfxcui - igfxsrvc.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-10-29 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-29 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-29 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-29 60936]

    =============== Created Last 30 ================

    2010-11-01 14:42:35 98816 ----a-w- c:\windows\sed.exe
    2010-11-01 14:42:35 85504 ----a-w- c:\windows\MBR.exe
    2010-11-01 14:42:35 256512 ----a-w- c:\windows\PEV.exe
    2010-11-01 14:42:35 161792 ----a-w- c:\windows\SWREG.exe
    2010-11-01 10:22:33 14336 ----a-w- c:\windows\system32\svchost.exe
    2010-10-29 19:59:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-29 19:59:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-29 19:58:41 430080 -c--a-w- c:\windows\system32\dllcache\vbscript.dll
    2010-10-29 19:58:41 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-10-29 19:54:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-29 19:54:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-29 17:50:19 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-29 17:48:46 -------- d-----w- c:\docume~1\hp_owner\applic~1\Avira
    2010-10-29 17:37:49 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-10-29 17:37:48 -------- d-----w- c:\program files\Avira
    2010-10-29 17:37:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-10-28 15:48:52 -------- d-----w- c:\docume~1\hp_owner\applic~1\Malwarebytes
    2010-10-28 15:48:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-28 15:48:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-10-28 14:24:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-10-28 14:23:57 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-10-28 14:23:57 -------- d-----w- c:\docume~1\hp_owner\applic~1\SUPERAntiSpyware.com
    2010-10-27 12:11:55 -------- d-----w- c:\docume~1\hp_owner\locals~1\applic~1\Identities
    2010-10-12 17:59:51 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-12 17:59:51 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-12 17:58:24 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

    ==================== Find3M ====================

    2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 13:38:01 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3200822A rev.3.01 -> \Device\Ide\IdePort0

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84F13446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x84f19504]; MOV EAX, [0x84f19580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x84F90030]
    3 CLASSPNP[0xF76CEFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005e[0x84F22940]
    5 ACPI[0xF7645620] -> nt!IofCallDriver[0x804E37D5] -> [0x84F5C030]
    \Driver\atapi[0x84F66030] -> IRP_MJ_CREATE -> 0x84F13446
    error: Read The system cannot find the file specified.
    kernel: MBR read successfully
    detected hooks:
    \Device\Ide\IdeDeviceP2T0L0-1b -> \??\IDE#DiskST3200822A______________________________3.01____#5&35664e95&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    \Driver\atapi DriverStartIo -> 0x84F13292
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 11:27:35.93 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-31.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2/25/2006 5:15:44 PM
    System Uptime: 11/1/2010 11:04:45 AM (0 hours ago)

    Motherboard: ASUSTek Computer INC. | | Kelut
    Processor: AMD Athlon(tm) XP 3200+ | Socket A | 2200/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 180 GiB total, 162.326 GiB free.
    D: is FIXED (FAT32) - 6 GiB total, 0.754 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1148: 8/4/2010 8:33:20 AM - System Checkpoint
    RP1149: 8/5/2010 9:11:41 AM - System Checkpoint
    RP1150: 8/6/2010 9:45:16 AM - System Checkpoint
    RP1151: 8/7/2010 10:18:20 AM - System Checkpoint
    RP1152: 8/8/2010 10:30:50 AM - System Checkpoint
    RP1153: 8/9/2010 11:41:56 AM - System Checkpoint
    RP1154: 8/10/2010 12:18:19 PM - System Checkpoint
    RP1155: 8/11/2010 1:43:51 PM - System Checkpoint
    RP1156: 8/12/2010 8:00:35 AM - Software Distribution Service 3.0
    RP1157: 8/16/2010 8:45:53 AM - System Checkpoint
    RP1158: 8/17/2010 9:18:31 AM - System Checkpoint
    RP1159: 8/18/2010 9:27:22 AM - System Checkpoint
    RP1160: 8/19/2010 9:28:26 AM - System Checkpoint
    RP1161: 8/20/2010 10:09:18 AM - System Checkpoint
    RP1162: 8/21/2010 12:47:35 PM - System Checkpoint
    RP1163: 8/22/2010 1:09:20 PM - System Checkpoint
    RP1164: 8/23/2010 2:10:48 PM - System Checkpoint
    RP1165: 8/24/2010 3:08:14 PM - System Checkpoint
    RP1166: 8/25/2010 6:12:35 PM - System Checkpoint
    RP1167: 8/26/2010 7:08:15 PM - System Checkpoint
    RP1168: 8/27/2010 8:08:15 PM - System Checkpoint
    RP1169: 8/28/2010 9:09:22 PM - System Checkpoint
    RP1170: 8/29/2010 10:08:16 PM - System Checkpoint
    RP1171: 8/30/2010 11:56:17 PM - System Checkpoint
    RP1172: 9/1/2010 12:47:53 AM - System Checkpoint
    RP1173: 9/2/2010 12:50:47 AM - System Checkpoint
    RP1174: 9/3/2010 1:50:46 AM - System Checkpoint
    RP1175: 9/4/2010 2:33:39 AM - System Checkpoint
    RP1176: 9/5/2010 3:23:19 AM - System Checkpoint
    RP1177: 9/6/2010 4:23:19 AM - System Checkpoint
    RP1178: 9/7/2010 5:15:47 AM - System Checkpoint
    RP1179: 9/8/2010 6:15:46 AM - System Checkpoint
    RP1180: 9/8/2010 8:00:16 AM - Software Distribution Service 3.0
    RP1181: 9/9/2010 8:15:49 AM - System Checkpoint
    RP1182: 9/10/2010 8:58:55 AM - System Checkpoint
    RP1183: 9/11/2010 9:35:14 AM - System Checkpoint
    RP1184: 9/12/2010 10:15:48 AM - System Checkpoint
    RP1185: 9/13/2010 11:16:54 AM - System Checkpoint
    RP1186: 9/14/2010 12:15:56 PM - System Checkpoint
    RP1187: 9/15/2010 8:00:33 AM - Software Distribution Service 3.0
    RP1188: 9/16/2010 8:59:36 AM - System Checkpoint
    RP1189: 9/17/2010 9:51:20 AM - System Checkpoint
    RP1190: 9/18/2010 10:02:50 AM - System Checkpoint
    RP1191: 9/19/2010 11:02:49 AM - System Checkpoint
    RP1192: 9/20/2010 11:30:19 AM - System Checkpoint
    RP1193: 9/21/2010 11:57:18 AM - System Checkpoint
    RP1194: 9/22/2010 11:59:21 AM - System Checkpoint
    RP1195: 9/23/2010 2:15:14 PM - System Checkpoint
    RP1196: 9/24/2010 3:05:59 PM - System Checkpoint
    RP1197: 9/25/2010 3:38:48 PM - System Checkpoint
    RP1198: 9/26/2010 4:38:48 PM - System Checkpoint
    RP1199: 9/27/2010 5:51:49 PM - System Checkpoint
    RP1200: 9/28/2010 7:23:03 PM - System Checkpoint
    RP1201: 9/29/2010 8:00:20 AM - Software Distribution Service 3.0
    RP1202: 9/30/2010 8:38:50 AM - System Checkpoint
    RP1203: 10/1/2010 9:02:58 AM - System Checkpoint
    RP1204: 10/2/2010 9:50:58 AM - System Checkpoint
    RP1205: 10/3/2010 10:50:58 AM - System Checkpoint
    RP1206: 10/4/2010 10:54:39 AM - System Checkpoint
    RP1207: 10/5/2010 11:50:59 AM - System Checkpoint
    RP1208: 10/6/2010 8:00:24 AM - Software Distribution Service 3.0
    RP1209: 10/7/2010 8:39:00 AM - System Checkpoint
    RP1210: 10/8/2010 9:02:03 AM - System Checkpoint
    RP1211: 10/9/2010 9:49:00 AM - System Checkpoint
    RP1212: 10/10/2010 10:48:58 AM - System Checkpoint
    RP1213: 10/11/2010 11:27:38 AM - System Checkpoint
    RP1214: 10/12/2010 12:30:15 PM - System Checkpoint
    RP1215: 10/13/2010 8:00:44 AM - Software Distribution Service 3.0
    RP1216: 10/14/2010 8:53:29 AM - System Checkpoint
    RP1217: 10/15/2010 9:08:15 AM - System Checkpoint
    RP1218: 10/16/2010 9:52:32 AM - System Checkpoint
    RP1219: 10/17/2010 10:53:38 AM - System Checkpoint
    RP1220: 10/18/2010 11:52:35 AM - System Checkpoint
    RP1221: 10/19/2010 11:53:37 AM - System Checkpoint
    RP1222: 10/20/2010 12:02:55 PM - System Checkpoint
    RP1223: 10/21/2010 12:52:33 PM - System Checkpoint
    RP1224: 10/22/2010 1:40:41 PM - System Checkpoint
    RP1225: 10/23/2010 1:50:07 PM - System Checkpoint
    RP1226: 10/24/2010 2:21:46 PM - System Checkpoint
    RP1227: 10/25/2010 3:21:44 PM - System Checkpoint
    RP1228: 10/26/2010 5:46:17 PM - System Checkpoint
    RP1229: 10/27/2010 6:41:35 PM - System Checkpoint
    RP1230: 10/28/2010 10:22:30 AM - Removed Norton AntiVirus Corporate Edition
    RP1231: 10/28/2010 10:23:56 AM - Installed SUPERAntiSpyware Free Edition
    RP1232: 10/29/2010 9:33:44 AM - Removed SUPERAntiSpyware Free Edition
    RP1233: 10/29/2010 12:06:33 PM - Removed Norton AntiVirus Corporate Edition
    RP1234: 10/29/2010 3:53:36 PM - Installed Java(TM) 6 Update 22
    RP1235: 10/30/2010 4:31:05 PM - System Checkpoint
    RP1236: 10/31/2010 5:31:03 PM - System Checkpoint

    ==== Installed Programs ======================

    3D Spring Blossoms Screen Saver
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.2.5
    Agere Systems PCI Soft Modem
    AiO_Scan
    AiOSoftware
    Aloha Solitaire
    AnswerWorks 4.0 Runtime - English
    AnswerWorks 5.0 English Runtime
    Avira AntiVir Personal - Free Antivirus
    Bejeweled 2 Deluxe
    Bejeweled 2 Deluxe (remove only)
    Bejeweled 2 Deluxe 1.0
    CCScore
    CouponBar
    Critical Update for Windows Media Player 11 (KB959772)
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESShelp
    ESSini
    ESSPCD
    ESSPDock
    ESSSONIC
    ESSTOOLS
    essvatgt
    essvcpt
    Eye-Q Mini Driver
    Fax
    FaxTools
    Gaim (remove only)
    getPlus(R)_ocx
    GTK+ Runtime 2.6.9 rev a (remove only)
    High Definition Audio Driver Package - KB835221
    HijackThis 1.99.1
    HLPPDOCK
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Deskjet 3840
    HP Deskjet Preloaded Printer Drivers
    HP Diagnostic Assistant
    HP PSC & OfficeJet 4.0
    HpSdpAppCoreApp
    InterVideo WinDVD Creator 2
    InterVideo WinDVD Player
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    Java 2 Runtime Environment, SE v1.4.2_03
    Java Auto Updater
    Java(TM) 6 Update 22
    Jewel Quest II (remove only)
    KBD
    kgcbaby
    kgcbase
    kgchday
    kgchlwn
    kgcinvt
    kgckids
    kgcmove
    kgcvday
    Kodak EasyShare software
    KSU
    Living Marine Aquarium 2 Screen Saver
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual J# .NET Redistributable Package 1.1
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Notifier
    OfotoXMI
    OTtBP
    OTtBPSDK
    Photosmart 320,370,7400,8100,8400 Series
    PS2
    PSPrinters06
    QuickTime
    Readme
    RealPlayer
    S3 S3Display
    S3 S3Gamma2
    S3 S3Info2
    S3 S3Overlay
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SFR
    SHASTA
    SKIN0001
    SKINXSDK
    staticcr
    Super Bounce Out!
    Super Collapse II
    Super Collapse! 3
    Super GameHouse Solitaire Vol. 1
    Super Gem Drop
    TurboTax 2008
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wnyiper
    TurboTax 2008 wrapper
    TurboTax 2009
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wnyiper
    TurboTax 2009 wrapper
    TurboTax Deluxe 2007
    TurboTax Deluxe Deduction Maximizer 2006
    TurboTax ItsDeductible 2006
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VIA Rhine-Family Fast Ethernet Adapter
    VIA/S3G Display Driver
    VPRINTOL
    WebFldrs XP
    WexTech AnswerWorks
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool
    Windows Internet Explorer 7
    Windows Live ID Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WIRELESS
    Yahoo! Install Manager
    Yahoo! Search Protection
    Yahoo! Software Update
    Zulu Gems (remove only)

    ==== Event Viewer Messages From Past Week ========

    10/29/2010 9:33:54 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    10/29/2010 3:50:05 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\vbscript.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.7.6002.22354.
    10/29/2010 1:50:25 PM, error: Removable Storage Service [111] - RSM could not load media in drive Drive 0 of library USB Flash Memory USB Device.
    10/29/2010 1:34:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Fips
    10/29/2010 1:29:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    10/29/2010 1:29:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    10/29/2010 1:24:32 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
    10/28/2010 9:43:38 AM, error: Dhcp [1002] - The IP address lease 172.22.4.239 for the Network Card with network address 00112F865A95 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    10/28/2010 6:21:44 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service YahooAUService with arguments " " in order to run the server: {90AFF435-B544-4F94-A0C2-CC020EACA4E3}
    10/28/2010 6:21:44 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}
    10/28/2010 2:10:10 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    10/28/2010 2:10:10 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    10/28/2010 2:10:10 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    10/28/2010 11:23:57 AM, error: Service Control Manager [7023] - The Norton AntiVirus Client service terminated with the following error: The environment is incorrect.
    10/28/2010 1:07:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: fasttx2k SISAGP
    10/27/2010 7:03:19 AM, error: Print [23] - Printer Lexmark X74-X75 (Copy 1),0 failed to initialize because a suitable Lexmark X74-X75 driver could not be found.
    10/27/2010 7:02:41 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: Access is denied.
    10/27/2010 7:02:38 AM, error: Service Control Manager [7000] - The Yahoo! Updater service failed to start due to the following error: Access is denied.
    10/27/2010 7:02:38 AM, error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: Access is denied.
    10/27/2010 7:02:38 AM, error: Service Control Manager [7000] - The SeaPort service failed to start due to the following error: Access is denied.
    10/27/2010 7:02:38 AM, error: Service Control Manager [7000] - The My Web Search Service service failed to start due to the following error: Access is denied.
    10/27/2010 7:02:38 AM, error: Service Control Manager [7000] - The Intuit Update Service service failed to start due to the following error: Access is denied.
    10/27/2010 6:46:14 AM, error: Service Control Manager [7000] - The Machine Debug Manager service failed to start due to the following error: Access is denied.
    10/27/2010 6:46:14 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service MDM with arguments " " in order to run the server: {943B6A75-BB5E-41A7-A6D3-A1A5E892B33B}
    10/27/2010 6:16:24 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    10/27/2010 3:21:48 PM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service MDM with arguments " " in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

    ==== End Of File ===========================



    ComboFix 10-10-31.04 - HP_Owner 11/01/2010 10:52:55.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.139 [GMT -4:00]
    Running from: c:\documents and settings\HP_Owner\Desktop\yazo.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Live Security Suite *On-access scanning disabled* (Updated) {1EE419F5-F5D8-4458-B14C-366867AD9CAB}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Shared
    c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
    c:\windows\system32\Thumbs.db
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FREEZESCREENSAVER
    -------\Service_FreezeScreenSaver


    ((((((((((((((((((((((((( Files Created from 2010-10-01 to 2010-11-01 )))))))))))))))))))))))))))))))
    .

    2010-11-01 10:22 . 2008-04-14 05:42 14336 ----a-w- c:\windows\system32\svchost.exe
    2010-10-29 19:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-29 19:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-29 19:58 . 2010-03-09 11:09 430080 -c--a-w- c:\windows\system32\dllcache\vbscript.dll
    2010-10-29 19:58 . 2010-03-09 11:09 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-10-29 19:54 . 2010-10-29 19:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-29 19:54 . 2010-10-29 19:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-29 17:50 . 2010-10-29 18:46 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-29 17:48 . 2010-10-29 17:48 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Avira
    2010-10-29 17:37 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-10-29 17:37 . 2010-02-16 17:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-10-29 17:37 . 2009-05-11 15:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-10-29 17:37 . 2009-05-11 15:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-10-29 17:37 . 2010-10-29 17:37 -------- d-----w- c:\program files\Avira
    2010-10-29 17:37 . 2010-10-29 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-10-28 15:48 . 2010-10-28 15:48 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
    2010-10-28 15:48 . 2010-10-29 19:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-28 15:48 . 2010-10-28 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-28 14:24 . 2010-10-28 14:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-10-28 14:23 . 2010-10-29 13:33 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com
    2010-10-28 14:23 . 2010-10-29 13:33 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-10-27 12:11 . 2010-10-28 17:04 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Identities
    2010-10-12 17:59 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-12 17:59 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-12 17:58 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 16:23 . 2004-08-07 18:46 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-16 21:08 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-16 21:08 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-18 06:53 . 2004-08-07 18:46 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-09 13:38 . 2004-08-07 18:47 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 13:38 . 2004-08-07 18:46 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-09 13:38 . 2004-08-07 18:46 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-09 13:38 . 2004-08-07 18:46 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-09-08 15:57 . 2004-08-07 18:46 389120 ----a-w- c:\windows\system32\html.iec
    2010-09-01 11:51 . 2004-08-07 18:46 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2004-08-07 18:47 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2004-08-07 18:47 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2004-08-07 18:47 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2004-08-07 18:47 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-15 22:44 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2004-08-07 18:46 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2004-08-07 18:47 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2004-08-07 18:47 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "hpsysdrv "= "c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "HPHUPD06 "= "c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
    "HPHmon06 "= "c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]
    "Recguard "= "c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-06-30 88363]
    "PS2 "= "c:\windows\system32\ps2.exe" [2002-10-16 81920]
    "AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 57344]
    "HP Component Manager "= "c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HPDJ Taskbar Utility "= "c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2006-10-01 155648]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "avgnt "= "c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
    KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AVPath "= "\\\\.\\root\\SecurityCenter:AntiVirusProduct.instanceGuid=\ "{1EE419F5-F5D8-4458-B14C-366867AD9CAB}\" "

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Yahoo! Games\\Bejeweled 2 Deluxe\\WinBej2.exe "=
    "c:\\Program Files\\GameHouse\\GemDrop\\GemDrop.exe "=
    "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe "=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Documents and Settings\\HP_Owner\\My Documents\\BounceOut\\BounceOut.exe "=
    "c:\\Program Files\\GameHouse\\Solitaire\\Solitaire.exe "=
    "%windir%\\system32\\sessmgr.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4271:UDP "= 4271:UDP:Windows Media Format SDK (iexplore.exe)
    "4270:UDP "= 4270:UDP:Windows Media Format SDK (iexplore.exe)

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/29/2010 1:37 PM 135336]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = about:blank
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: turbotax.com
    TCP: {6389E114-8DDC-40CE-A13D-5F052998E2F1} = 24.92.226.11
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-AutoTBar - c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE
    AddRemove-LiveUpdate1.7 - c:\program files\Symantec\LiveUpdate\LSETUP.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-01 11:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3200822A rev.3.01 -> \Device\Ide\IdePort0

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84F13446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x84f19504]; MOV EAX, [0x84f19580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x84F90030]
    3 CLASSPNP[0xF76CEFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005e[0x84F22940]
    5 ACPI[0xF7645620] -> nt!IofCallDriver[0x804E37D5] -> [0x84F5C030]
    \Driver\atapi[0x84F66030] -> IRP_MJ_CREATE -> 0x84F13446
    error: Read The system cannot find the file specified.
    kernel: MBR read successfully
    detected hooks:
    \Device\Ide\IdeDeviceP2T0L0-1b -> \??\IDE#DiskST3200822A______________________________3.01____#5&35664e95&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    \Driver\atapi DriverStartIo -> 0x84F13292
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    "Installed"="1"
    @=""

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    "NoChange"="1"
    "Installed"="1"
    @=""

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    "Installed"="1"
    @=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(656)
    c:\windows\system32\WININET.dll
    c:\windows\system32\NavLogon.dll

    - - - - - - - > 'lsass.exe'(716)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(2480)
    c:\windows\system32\WININET.dll
    c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\AGRSMMSG.exe
    c:\windows\ALCXMNTR.EXE
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-01 11:12:19 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-01 15:12

    Pre-Run: 173,005,430,784 bytes free
    Post-Run: 174,268,268,544 bytes free

    - - End Of File - - 9B66EB939BF35FE512884C519EA0BC35


    Sorry if this shows up twice. I originally tried to submit this thread from the infected machine and when I hit submit I got redirected.
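    Added example (not code from the post above, from GMER or from ComboFix): a small triage parser for the "Stealth MBR rootkit detector" block that ComboFix embedded in the log. The interesting evidence in that block is not the MBR (both the user-mode and kernel-mode reads agree, "user & kernel MBR OK") but the storage stack: the call chain ends in code GMER cannot attribute to any loaded module (">>UNKNOWN [0x84F13446]<<"), and two pointers in the atapi driver object, its IRP_MJ_CREATE dispatch entry and its DriverStartIo routine, have been redirected into that same region. That is consistent with the tool's "possible TDL3" verdict, since TDL3 patches a disk driver in memory rather than the boot sector (TDL4, which the same tool also detects, is the MBR variant). The parser below pulls out those three facts and checks that the hook targets and the unattributed code sit within one window of each other. The sample input is constructed from the lines quoted above; the regexes and the 64 KiB window are this example's own assumptions about the report layout, not a documented GMER format.

```python
"""Triage helper for a GMER "Stealth MBR rootkit detector" (mbr.exe) report.

Added example: not code from the forum post, from GMER or from ComboFix.
It parses the text the detector prints and extracts
  * call-chain entries GMER could not map to a module (">>UNKNOWN [0x...]<<"),
  * redirected driver-object pointers ("\\Driver\\atapi DriverStartIo -> 0x..."
    and "\\Driver\\atapi[...] -> IRP_MJ_CREATE -> 0x..."),
  * whether the user/kernel MBR reads agreed, and any "Warning:" line,
then checks whether the hook targets land in the same region as the
unattributed code. Regexes and window size are assumptions about the layout.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the relevant lines of the report quoted in the
# post above, trimmed to what the parser looks at.
SAMPLE_REPORT = r"""
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3200822A rev.3.01 -> \Device\Ide\IdePort0

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84F13446]<<
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x84F90030]
\Driver\atapi[0x84F66030] -> IRP_MJ_CREATE -> 0x84F13446
error: Read The system cannot find the file specified.
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x84F13292
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# "\Driver\atapi DriverStartIo -> 0x84F13292"
STARTIO_RE = re.compile(r"^\\Driver\\(\w+)\s+(\w+)\s+->\s+(0x[0-9A-Fa-f]+)$")
# "\Driver\atapi[0x84F66030] -> IRP_MJ_CREATE -> 0x84F13446"
DISPATCH_RE = re.compile(
    r"^\\Driver\\(\w+)\[0x[0-9A-Fa-f]+\]\s+->\s+(IRP_MJ_\w+)\s+->\s+(0x[0-9A-Fa-f]+)$"
)
DISK_RE = re.compile(r"Disk:\s+(.+?)\s+->")
WARN_RE = re.compile(r"^Warning:\s*(.+?)\s*!?\s*$")


@dataclass
class MbrFindings:
    disk: str = ""
    unknown_modules: list[str] = field(default_factory=list)
    # (driver, routine, target address) for every redirected pointer, in report order
    hooks: list[tuple[str, str, str]] = field(default_factory=list)
    mbr_ok: bool = False
    warnings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.unknown_modules or self.hooks or self.warnings)


def parse_mbr_report(text: str) -> MbrFindings:
    """Extract hooks, unknown modules, MBR status and warnings from the report."""
    f = MbrFindings()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DISK_RE.search(line):
            f.disk = m.group(1)
        f.unknown_modules.extend(UNKNOWN_RE.findall(line))
        if m := DISPATCH_RE.match(line) or STARTIO_RE.match(line):
            f.hooks.append((m.group(1), m.group(2), m.group(3)))
        if line == "user & kernel MBR OK":
            f.mbr_ok = True
        if m := WARN_RE.match(line):
            f.warnings.append(m.group(1))
    return f


def hooks_near_unknown(f: MbrFindings, window: int = 0x10000) -> list[tuple[str, str, str]]:
    """Hooks whose target lies within `window` bytes of an unattributed address.

    A DriverStartIo or IRP dispatch pointer that lands beside code GMER could
    not map to any module is a driver-stack hook, not a legitimate filter
    driver (which would resolve to a named .sys in the call chain).
    """
    unknown = [int(a, 16) for a in f.unknown_modules]
    return [h for h in f.hooks
            if any(abs(int(h[2], 16) - u) < window for u in unknown)]


def summarize(f: MbrFindings) -> list[str]:
    """Human-readable verdict lines; an intact MBR does not clear the disk stack."""
    out = [f"disk: {f.disk or '?'}", f"MBR user/kernel agree: {f.mbr_ok}"]
    for a in f.unknown_modules:
        out.append(f"unattributed code in storage call chain at {a}")
    for drv, routine, target in f.hooks:
        out.append(f"\\Driver\\{drv} {routine} redirected to {target}")
    if hooks_near_unknown(f):
        out.append("hook targets and unattributed code share one region: "
                   "treat as a disk-stack rootkit even though the MBR is intact")
    out.extend(f"warning: {w}" for w in f.warnings)
    return out


if __name__ == "__main__":
    for line in summarize(parse_mbr_report(SAMPLE_REPORT)):
        print(line)
```

    Run it as a script to get the summary for the quoted report; `parse_mbr_report` can be pointed at any pasted mbr.exe output. The useful property is the last check: two redirected pointers and the unattributed code all within a few hundred bytes of each other (0x84F13292, 0x84F13446) is one injected body, which is why a clean MBR line in the same report is not reassuring.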
     
  2. 2010/11/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    Never run Combofix on your own!

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
