
Solved Browser auto-redirects, Trojan, & not having fun

Discussion in 'Malware and Virus Removal Archive' started by dudgorgon, 2011/04/01.

  1. 2011/04/01
    dudgorgon

    dudgorgon Inactive Thread Starter

    Joined:
    2011/04/01
    Messages:
    46
    Likes Received:
    0
    [Resolved] Browser auto-redirects, Trojan, & not having fun

    I've been experiencing browser auto-redirects. I've been somewhat successful in removing most of the malicious Trojans, but more, less destructive ones appear. For some reason System Restore won't turn on now. I'm running through the normal AV and malware scans.

    Any help would be greatly appreciated.

    Here's the latest Malwarebytes log from today where a Trojan was deleted:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6242

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/1/2011 10:33:19 PM
    mbam-log-2011-04-01 (22-33-19).txt

    Scan type: Quick scan
    Objects scanned: 199689
    Time elapsed: 8 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\cdtdlg.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
     
  2. 2011/04/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================================

    Go on....
     


  4. 2011/04/03
    dudgorgon

    dudgorgon Inactive Thread Starter

    Thanks for welcoming me aboard.

    Today's SAV scan found nothing, but I still see redirects, which appear harmless but are really annoying.
     
  5. 2011/04/03
    broni

    broni Moderator Malware Analyst

    Please, complete all steps listed here: this post

     
  6. 2011/04/05
    dudgorgon

    dudgorgon Inactive Thread Starter

    I am up to step 2 (running GMER), but the system blue-screens each time I run the exe.

    BAD_POOL_CALLER on ftxdapob.sys

    I will keep trying unless you know of something else I should do.
     
  7. 2011/04/05
    broni

    broni Moderator Malware Analyst

    There are some instructions on what to do if GMER doesn't want to run.
    If there are still problems, skip it.
     
  8. 2011/04/05
    dudgorgon

    dudgorgon Inactive Thread Starter

    Trojan.ZeFarch, Antimalware Doctor, browser redirects

    Here are the requested logs for Malwarebytes:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6272

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/5/2011 12:06:25 AM
    mbam-log-2011-04-05 (00-06-25).txt

    Scan type: Quick scan
    Objects scanned: 196785
    Time elapsed: 5 minute(s), 14 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\IKXGVMFZHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Q8PS7ZCLN6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Q8PS7ZCLN6 (Trojan.FakeAlert) -> Value: Q8PS7ZCLN6 -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IKXGVMFZHI (Trojan.FakeAlert) -> Value: IKXGVMFZHI -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\windows\kzymua.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\windows\kzymub.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
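The Malwarebytes log above shows the classic rogue-AV persistence pattern: Run values under HKCU with machine-generated names (Q8PS7ZCLN6, IKXGVMFZHI) next to matching HKCU\Software keys, plus loader executables dropped straight into c:\windows. The DDS report later in the thread lists every autorun in "uRun:/mRun: [name] command" form, so a quick way to triage a long list is to score each line by name shape and image location. The script below is an added example, not code from the thread or from any of the tools used in it. The sample lines are constructed: two benign entries are copied from the DDS report, and the two rogue entries pair the Run value names from the log with the c:\windows\kzymu?.exe downloaders it removed, which is an assumption, since the log does not show what those values actually pointed at.

```python
"""Added example (not from the thread): triage of autorun entries in the
"uRun:/mRun: [name] command" format DDS prints. Flags values whose names
look machine-generated and whose binaries live in places legitimate software
rarely uses. Heuristic only: output is a shortlist to look at, not a verdict.
"""
import re

RUN_LINE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

# Executables sitting directly in the Windows root or in a user's Temp folder
# (no vendor subfolder) are unusual for legitimate autoruns on XP.
SUSPECT_IMAGE = re.compile(
    r"^[a-z]:\\(?:windows|docume~1\\[^\\]+\\locals~1\\temp|"
    r"documents and settings\\[^\\]+\\local settings\\temp)\\[^\\]+\.(?:exe|dll|scr)$",
    re.I,
)


def looks_generated(name):
    """True for names like Q8PS7ZCLN6: 8+ upper-case alphanumerics that either
    mix in digits or are almost vowel-free. Mixed-case or dotted names
    (ctfmon.exe, GrooveMonitor, NvCplDaemon) fail the class test and are
    never flagged by this rule."""
    if not re.fullmatch(r"[A-Z0-9]{8,}", name):
        return False
    letters = [c for c in name if c.isalpha()]
    vowel_ratio = sum(c in "AEIOU" for c in letters) / len(letters) if letters else 0.0
    return any(c.isdigit() for c in name) or vowel_ratio <= 0.25


def image_path(cmd):
    """First path-like token of the command: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_run_lines(lines):
    """Return one finding per suspicious line with the reasons it was flagged."""
    findings = []
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        image = image_path(cmd)
        reasons = []
        if looks_generated(name):
            reasons.append("machine-generated value name")
        if SUSPECT_IMAGE.match(image):
            reasons.append("image in Windows root or Temp")
        if reasons:
            hive = "HKCU" if m.group("hive") == "u" else "HKLM"
            findings.append({"hive": hive, "name": name, "image": image, "reasons": reasons})
    return findings


# Constructed sample: three benign lines copied from the DDS report in this
# thread, plus two lines rebuilt from the Malwarebytes log. ASSUMPTION: the
# log does not show what Q8PS7ZCLN6 / IKXGVMFZHI pointed at; pairing them
# with the c:\windows\kzymu?.exe downloaders it removed is an illustration.
SAMPLE_LINES = [
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r'uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"',
    r"uRun: [Q8PS7ZCLN6] c:\windows\kzymua.exe",
    r"uRun: [IKXGVMFZHI] c:\windows\kzymub.exe",
    r"mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup",
]

if __name__ == "__main__":
    for f in triage_run_lines(SAMPLE_LINES):
        print(f"{f['hive']}\\...\\Run\\{f['name']} -> {f['image']}: {', '.join(f['reasons'])}")
```

Feed it the uRun/mRun block of a DDS log and it prints only the entries worth a second look; anything it flags still needs to be confirmed by checking the file on disk, since the name test alone will occasionally catch an oddly named but legitimate vendor entry.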
     
  9. 2011/04/05
    dudgorgon

    dudgorgon Inactive Thread Starter

    Trojan.ZeFarch, Antimalware doctor, browser redirects

    Requested log for GMER
    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-04-05 23:09:08
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\symmpi2 SEAGATE_ rev.T109
    Running: m9shuuvh.exe; Driver: C:\DOCUME~1\ADMINI~1.ZOO\LOCALS~1\Temp\fxtdapob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

    Device \Driver\symmpi -> DriverStartIo \Device\Scsi\symmpi1 8A784AF1
    Device \Driver\symmpi -> DriverStartIo \Device\Scsi\symmpi2 8A784AF1
    Device \Driver\symmpi -> DriverStartIo \Device\Scsi\symmpi2Port2Path0Target2Lun0 8A784AF1
    Device \Driver\symmpi -> DriverStartIo \Device\Scsi\symmpi1Port1Path1Target2dLun0 8A784AF1
    Device \Driver\symmpi -> DriverStartIo \Device\Scsi\symmpi2Port2Path0Target70Lun0 8A784AF1
    Device \Driver\symmpi -> DriverStartIo \Device\Scsi\symmpi2Port2Path0Target3Lun0 8A784AF1
    Device \Driver\symmpi -> DriverStartIo \Device\Scsi\symmpi2Port2Path0Target1Lun0 8A784AF1

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

    Device \Device\Scsi\symmpi2Port2Path0Target0Lun0 -> \??\SCSI#Disk&Ven_SEAGATE&Prod_ST3300555SS&Rev_T109#6&34670cd5&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 585922683
    Disk \Device\Harddisk0\DR0 PE file @ sector 585922705

    ---- EOF - GMER 1.0.15 ----
     
  10. 2011/04/05
    dudgorgon

    dudgorgon Inactive Thread Starter

    Trojan.ZeFarch, Antimalware doctor, browser redirects

    Requested log for MBRCheck:
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x00000ffd

    Kernel Drivers (total 179):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E5000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA0B8000 ohci1394.sys
    0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA0D8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA5AC000 dmload.sys
    0xB9F23000 dmio.sys
    0xBA330000 PartMgr.sys
    0xBA0E8000 VolSnap.sys
    0xB9E5C000 iaStor.sys
    0xB9E44000 atapi.sys
    0xB9E29000 symmpi.sys
    0xB9E11000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xB9DEB000 ulsata2.sys
    0xBA338000 cercsr6.sys
    0xBA0F8000 disk.sys
    0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9DCB000 fltmgr.sys
    0xBA5AE000 DLACDBHM.SYS
    0xB9DB4000 DRVMCDB.SYS
    0xBA118000 vsp.sys
    0xBA128000 bb-run.sys
    0xBA138000 PxHelp20.sys
    0xB9D9D000 KSecDD.sys
    0xB9D8A000 WudfPf.sys
    0xB9CFD000 Ntfs.sys
    0xB9CD0000 NDIS.sys
    0xBA148000 sbp2port.sys
    0xB9CB6000 Mup.sys
    0xBA340000 DontGo.sys
    0xBA278000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB9688000 \SystemRoot\system32\drivers\ctaud2k.sys
    0xB9664000 \SystemRoot\system32\drivers\portcls.sys
    0xBA2A8000 \SystemRoot\system32\drivers\drmk.sys
    0xB9641000 \SystemRoot\system32\drivers\ks.sys
    0xB960F000 \SystemRoot\system32\drivers\ctoss2k.sys
    0xB954B000 \SystemRoot\System32\drivers\dmboot.sys
    0xBA468000 \SystemRoot\system32\drivers\ctprxy2k.sys
    0xB8F9C000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB8F88000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB8F4F000 \SystemRoot\system32\DRIVERS\b57xp32.sys
    0xBA478000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB8F2B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA480000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xBA2B8000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xBA488000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xB8F17000 \SystemRoot\system32\DRIVERS\parport.sys
    0xBA2C8000 \SystemRoot\system32\DRIVERS\serial.sys
    0xB9C46000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xBA2D8000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xB9C2D000 \SystemRoot\System32\Drivers\CLBStor.SYS
    0xB8EFF000 \SystemRoot\System32\Drivers\AnyDVD.sys
    0xBA2F8000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA308000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xBA3B0000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xB9700000 \SystemRoot\system32\DRIVERS\wacomvhid.sys
    0xBA318000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xBA3B8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA6BB000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA60A000 \SystemRoot\System32\Drivers\RootMdm.sys
    0xBA3C0000 \SystemRoot\System32\Drivers\Modem.SYS
    0xBA178000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB96FC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB8E48000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA198000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA3C8000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB8E37000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA1A8000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA3D0000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA3D8000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA1B8000 \SystemRoot\System32\Drivers\pcouffin.sys
    0xBA3E0000 \SystemRoot\system32\DRIVERS\RimSerial.sys
    0xB8E07000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA1C8000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA3E8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA3F0000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA3F8000 \SystemRoot\system32\DRIVERS\SymIM.sys
    0xBA60C000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB8DA9000 \SystemRoot\system32\DRIVERS\update.sys
    0xB9C5A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA1D8000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA60E000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB9C52000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\wacommousefilter.sys
    0xBA208000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB4A21000 \SystemRoot\system32\drivers\ha20x2k.sys
    0xB49F4000 \SystemRoot\system32\drivers\emupia2k.sys
    0xB49CD000 \SystemRoot\system32\drivers\ctsfm2k.sys
    0xB4931000 \SystemRoot\system32\drivers\ctac32k.sys
    0xBA408000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xB16E9000 \??\C:\Program Files\Symantec AntiVirus\savrt.sys
    0xB16C7000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    0xB16B3000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
    0xB1741000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xBA636000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB9C56000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xBA6F9000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA64A000 \SystemRoot\System32\Drivers\Beep.SYS
    0xB1771000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
    0xB1789000 \SystemRoot\System32\drivers\vga.sys
    0xBA418000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xBA5B0000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5B4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xB9BD5000 \SystemRoot\system32\DRIVERS\wdcsam.sys
    0xBA4A8000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xB9C6E000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xB1759000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB8D89000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB1519000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB131F000 \SystemRoot\system32\DRIVERS\VX6000Xp.sys
    0xB17B1000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0xB1751000 \SystemRoot\system32\DRIVERS\VX6KCamd.sys
    0xB12C6000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB8EEF000 \SystemRoot\system32\drivers\usbaudio.sys
    0xB128B000 \SystemRoot\System32\Drivers\SYMTDI.SYS
    0xB1265000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xB1791000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB123D000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB8E7F000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xB121B000 \SystemRoot\System32\drivers\afd.sys
    0xB17D1000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB11B9000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    0xB8D79000 \SystemRoot\System32\DRIVERS\scsichng.sys
    0xB118E000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB111E000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xB17C1000 \SystemRoot\System32\Drivers\Fips.SYS
    0xBA428000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
    0xB10C0000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0xB1053000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    0xB1801000 \SystemRoot\system32\DRIVERS\wacmoumonitor.sys
    0xBA258000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB0F7A000 \SystemRoot\System32\Drivers\Udfs.SYS
    0xB1047000 \SystemRoot\System32\Drivers\dump_diskdump.sys
    0xB0F5F000 \SystemRoot\System32\Drivers\dump_symmpi.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB8D59000 \SystemRoot\System32\drivers\Dxapi.sys
    0xB1749000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA710000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBF530000 \SystemRoot\System32\ATMFD.DLL
    0xBA268000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
    0xBA6EF000 \SystemRoot\System32\Drivers\DLADResM.SYS
    0xB0BB6000 \SystemRoot\System32\Drivers\DLAIFS_M.SYS
    0xB10B0000 \SystemRoot\System32\Drivers\DLAOPIOM.SYS
    0xB0BF7000 \SystemRoot\System32\Drivers\DLAPoolM.SYS
    0xB0B8F000 \SystemRoot\System32\Drivers\CLBUDF.SYS
    0xBA470000 \SystemRoot\System32\Drivers\DLABMFSM.SYS
    0xBA458000 \SystemRoot\System32\Drivers\DLABOIOM.SYS
    0xB0B51000 \SystemRoot\System32\Drivers\DLAUDFAM.SYS
    0xB0B3A000 \SystemRoot\System32\Drivers\DLAUDF_M.SYS
    0xB0A36000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xAF706000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xBA5CC000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xAF1E5000 \SystemRoot\system32\DRIVERS\srv.sys
    0xAF415000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xAF0B8000 \SystemRoot\system32\drivers\wdmaud.sys
    0xAF56A000 \SystemRoot\system32\drivers\sysaudio.sys
    0xAD92D000 \??\C:\Program Files\CyberLink\PowerDVD8\000.fcl
    0xB1779000 \SystemRoot\System32\Drivers\TDTCP.SYS
    0xACB68000 \SystemRoot\System32\Drivers\RDPWD.SYS
    0xABFBB000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110404.002\navex15.sys
    0xABFA7000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110404.002\naveng.sys
    0xAB778000 \SystemRoot\system32\drivers\kmixer.sys
    0xAB718000 \SystemRoot\System32\Drivers\HTTP.sys
    0xAB8BD000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
    0xBA616000 \SystemRoot\system32\drivers\splitter.sys
    0xA995E000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 92):
    0 System Idle Process
    4 System
    1004 C:\WINDOWS\system32\smss.exe
    1076 csrss.exe
    1100 C:\WINDOWS\system32\winlogon.exe
    1152 C:\WINDOWS\system32\services.exe
    1164 C:\WINDOWS\system32\lsass.exe
    1460 C:\WINDOWS\system32\svchost.exe
    1572 svchost.exe
    1616 C:\WINDOWS\system32\svchost.exe
    1696 C:\Program Files\WTouch\WTouchService.exe
    1716 C:\WINDOWS\system32\svchost.exe
    1916 svchost.exe
    1960 C:\WINDOWS\system32\svchost.exe
    2012 svchost.exe
    188 C:\WINDOWS\system32\svchost.exe
    380 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    408 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    660 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    736 C:\WINDOWS\system32\spoolsv.exe
    880 svchost.exe
    876 C:\WINDOWS\system32\rundll32.exe
    984 C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    1052 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1504 C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    1704 C:\Program Files\Bonjour\mDNSResponder.exe
    1864 C:\Program Files\Symantec AntiVirus\DefWatch.exe
    2184 C:\Program Files\Java\jre6\bin\jqs.exe
    2232 C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    2288 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    2420 C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
    2460 C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    2488 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    2584 sqlservr.exe
    2672 C:\Program Files\CDBurnerXP\NMSAccessU.exe
    2752 C:\WINDOWS\system32\PSIService.exe
    2832 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    2920 C:\Program Files\Symantec AntiVirus\SavRoam.exe
    2948 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    3004 sqlbrowser.exe
    3068 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    3116 C:\WINDOWS\system32\svchost.exe
    3140 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    3224 C:\WINDOWS\system32\Pen_Tablet.exe
    3268 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    3304 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    3400 C:\Program Files\Symantec\Backup Exec\beremote.exe
    3652 C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
    3716 C:\Program Files\Canon\CAL\CALMAIN.exe
    3804 C:\WINDOWS\system32\searchindexer.exe
    1676 beserver.exe
    4452 benetns.exe
    4532 C:\Program Files\Symantec\Backup Exec\bengine.exe
    4804 alg.exe
    5564 C:\Program Files\WTouch\WTouchUser.exe
    2532 C:\WINDOWS\explorer.exe
    5732 C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
    6068 wmiprvse.exe
    2628 C:\WINDOWS\system32\ctfmon.exe
    2784 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    2544 C:\WINDOWS\CTHELPER.EXE
    2648 C:\WINDOWS\system32\CTXFIHLP.EXE
    5812 C:\Program Files\Winamp\winampa.exe
    5856 C:\WINDOWS\system32\CTXFISPI.EXE
    5852 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    3100 C:\PROGRA~1\SYMANT~1\VPTray.exe
    1364 C:\WINDOWS\system32\WDBtnMgr.exe
    4604 C:\WINDOWS\vVX6000.exe
    5532 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    4972 C:\Program Files\Real\RealPlayer\Update\realsched.exe
    5084 C:\Program Files\QuickTime\QTTask.exe
    616 C:\Program Files\iTunes\iTunesHelper.exe
    5264 C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
    5460 C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    1852 C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
    1968 C:\Program Files\CyberLink\Shared Files\brs.exe
    1948 C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    5568 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    5580 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    5672 C:\WINDOWS\system32\rundll32.exe
    1952 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    5780 C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
    2536 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    1128 C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    2936 C:\Program Files\Skype\Phone\Skype.exe
    5136 C:\Program Files\iPod\bin\iPodService.exe
    4888 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    2996 C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    6408 C:\Program Files\Skype\Plugin Manager\skypePM.exe
    7896 C:\WINDOWS\system32\searchprotocolhost.exe
    7924 searchfilterhost.exe
    7956 C:\Documents and Settings\DeLuca\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
    \\.\L: --> \\.\PhysicalDrive8 at offset 0x00000000`00100000 (NTFS)

    PhysicalDrive0 Model Number: SEAGATEST3300555SS, Rev: T109
    PhysicalDrive1 Model Number: SEAGATEST3450856SS, Rev: 0006
    PhysicalDrive8 Model Number: WDMy Passport 070A, Rev: 1030

    Size Device Name MBR Status
    --------------------------------------------
    279 GB \\.\PhysicalDrive0 RE: Known-bad MBR code detected (Whistler / Black Internet)!
    SHA1: ED0B19E36914D028E2802BBB4AC96BBF34B6CF5B
    419 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    930 GB \\.\PhysicalDrive8 RE: Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
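The GMER log two posts up flags "malicious Win32:MBRoot code" at sector 585922683 and a PE file at sector 585922705 on Harddisk0, and MBRCheck here identifies the same drive's boot code by SHA1 as known-bad (Whistler / Black Internet) while the other two drives hash to the stock Windows XP code. The script below is an added example of the kind of check those two tools perform, written for this thread; it is not code from the thread, from MBRCheck or from GMER. It validates the 0x55AA signature of a 512-byte MBR, hashes the boot-code region, compares it with the two SHA1s copied from the MBRCheck output, parses the partition table, and reports whether the GMER sectors fall inside a partition or in the unallocated tail of the disk. Assumptions, labelled in the code: MBRCheck hashes only the first 440 bytes (consistent with two different drives above sharing one "Windows XP" hash even though their disk signatures and partition tables differ); the disk holds 585,937,500 sectors, taken from the ST3300555SS's nominal 300 GB; and the sample partition table is constructed, starting C: at LBA 63 (the 0x7e00 offset MBRCheck printed) with an invented length.

```python
"""Added example (not part of this thread, MBRCheck or GMER): an MBRCheck-style
triage of one 512-byte MBR sector. It validates the 0x55AA boot signature,
hashes the boot-code region and compares it with a small allow/deny list,
parses the partition table, and reports whether sectors flagged by a rootkit
scanner sit inside a partition or in the unallocated tail of the disk."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439; the 4-byte disk signature follows at 440
PART_TABLE_OFF = 446       # four 16-byte entries; 0x55AA signature at 510
PART_ENTRY = "<B3xB3xII"   # status, CHS start, type, CHS end, start LBA, sector count

# SHA1s copied from the MBRCheck output posted in this thread. ASSUMPTION:
# MBRCheck hashes only the boot code (bytes 0..439); that is consistent with
# two different drives above reporting the same "Windows XP" hash even though
# their disk signatures and partition tables differ.
KNOWN_BOOT_CODE = {
    "da38b874b7713d1b51cbc449f4ef809b0dec644a": "Windows XP MBR code",
    "ed0b19e36914d028e2802bbb4ac96bbf34b6cf5b": "Known-bad MBR code (Whistler / Black Internet)",
}


def parse_partitions(mbr):
    """Return the non-empty primary partition entries as dicts."""
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype and count:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start_lba": start, "end_lba": start + count - 1})
    return parts


def check_mbr(mbr, disk_sectors=None, suspect_sectors=()):
    """Classify the boot code and locate suspect sectors relative to the partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    digest = hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest()
    parts = parse_partitions(mbr)
    located = []
    for s in suspect_sectors:
        located.append({
            "sector": s,
            "in_partition": any(p["start_lba"] <= s <= p["end_lba"] for p in parts),
            "past_disk_end": disk_sectors is not None and s >= disk_sectors,
        })
    return {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "boot_code_sha1": digest,
        "verdict": KNOWN_BOOT_CODE.get(digest, "non-standard or unknown MBR code"),
        "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_LEN)[0],
        "partitions": parts,
        "suspect_sectors": located,
    }


def build_sample_mbr(boot_code, partitions):
    """Constructed test sector: boot_code zero-padded to 440 bytes, zero disk
    signature, partitions given as (bootable, type, start_lba, sector_count)."""
    mbr = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    for i, (bootable, ptype, start, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed stand-in for PhysicalDrive0 above: C: starting at LBA 63 (the
# 0x7e00 offset MBRCheck printed) with an invented length; the disk size is
# ASSUMED from the ST3300555SS's nominal 300 GB (300e9 / 512 sectors). The
# suspect sectors are the two GMER reported.
SAMPLE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0", [(True, 0x07, 63, 585_000_000)])
DISK_SECTORS = 585_937_500
GMER_SECTORS = (585_922_683, 585_922_705)

if __name__ == "__main__":
    report = check_mbr(SAMPLE_MBR, DISK_SECTORS, GMER_SECTORS)
    print(report["verdict"], report["boot_code_sha1"])
    for hit in report["suspect_sectors"]:
        print(hit)
```

Run against a real sector image (for example the first 512 bytes of the physical drive read from a clean boot environment), the hash lookup reproduces MBRCheck's verdict for the two codes the thread shows, and the sector check makes the GMER finding concrete: with the constructed table, both flagged sectors land after the end of C: but before the end of the disk, which is the unallocated space a bootkit can use without touching the filesystem.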
     
  11. 2011/04/05
    dudgorgon

    dudgorgon Inactive Thread Starter

    Trojan.ZeFarch, Antimalware doctor, browser redirects

    Requested logs for DDS:
    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by DeLuca at 23:24:57.10 on Tue 04/05/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.1962 [GMT -4:00]
    .
    AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\WTouch\WTouchService.exe
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k eapsvcs
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k dot3svc
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Symantec\Backup Exec\beremote.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\WTouch\WTouchUser.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\WINDOWS\vVX6000.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
    C:\Program Files\Cyberlink\Shared Files\brs.exe
    C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Documents and Settings\DeLuca\Desktop\MBRCheck.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\DeLuca\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: DeLorme Send To GPS: {fbaad182-3c7a-4bc4-a5e9-207b8e0f02fd} - c:\program files\delorme\sendtogps\PNPluginForIE.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {47D66F71-DAC2-439C-836D-18C055AF389C} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
    TB: {00000000-0000-0000-0000-000000000000} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe "
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [OfotoNow USB Detection] c:\windows\system32\rundll32.exe c:\progra~1\ofoto\ofotonow\OFUSBS.DLL,WatchForConnection OfotoNow
    uRun: [Google Update] "c:\documents and settings\deluca\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
    uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
    uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe "
    uRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe" /Startup
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe "
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe "
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [WD Button Manager] WDBtnMgr.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe "
    mRun: [VX6000] c:\windows\vVX6000.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [InstantBurn] c:\progra~1\cyberl~1\instan~1\win2k\IBurn.exe
    mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5 "
    mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe "
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0 "
    mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0 "
    mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe "
    mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe "
    mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
    mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0 "
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\blu-ray disc suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\blu-ray disc suite" updatewithcreateonce "software\cyberlink\PowerStarter "
    mRun: [Ijodasax] rundll32.exe "c:\windows\evivamiwokojegig.dll ",Startup
    mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
    dRunOnce: [RealUpgradeHelper] "c:\program files\common files\real\update_ob\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0 "
    StartupFolder: c:\docume~1\deluca\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    uPolicies-explorer: DisallowRun = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    Trusted Zone: webconference.com
    DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206284446328
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    IFEO: image file execution options - svchost.exe
    Hosts: 66.232.102.249 www.google.com
    Hosts: 66.232.102.249 google.com
    Hosts: 66.232.102.249 google.com.au
    Hosts: 66.232.102.249 www.google.com.au
    Hosts: 66.232.102.249 google.be
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\deluca\applic~1\mozilla\firefox\profiles\2nws9g7u.default\
    FF - prefs.js: browser.search.selectedEngine - search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - component: c:\documents and settings\deluca\application data\mozilla\firefox\profiles\2nws9g7u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\documents and settings\deluca\application data\mozilla\firefox\profiles\2nws9g7u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - component: c:\documents and settings\deluca\application data\mozilla\firefox\profiles\2nws9g7u.default\extensions\{a0729639-d831-46c9-811b-9b0aa79fb45a}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\deluca\application data\mozilla\firefox\profiles\2nws9g7u.default\extensions\{a0729639-d831-46c9-811b-9b0aa79fb45a}\components\RadioWMPCore.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\deluca\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\deluca\application data\move networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\documents and settings\deluca\application data\mozilla\firefox\profiles\2nws9g7u.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
    FF - plugin: c:\documents and settings\deluca\local settings\application data\google\update\1.3.21.49\npGoogleUpdate2.dll
    FF - plugin: c:\documents and settings\deluca\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrl.1.0.20926.0.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\nppnplugin.dll
    FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
    FF - plugin: c:\program files\opera\program\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\tabletplugins\npwacom.dll
    FF - plugin: c:\windows\downloaded program files\npsoe.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    ============= SERVICES / DRIVERS ===============
    .
    R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2010-3-14 7680]
    R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [2010-3-14 105984]
    R0 VSP;Volume Snapshot Provider;c:\windows\system32\drivers\VSP.sys [2008-10-16 54192]
    R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2011-2-2 15784]
    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
    R1 SCSIChanger;SCSIChanger;c:\windows\system32\drivers\SCSICHNG.SYS [2007-8-24 20272]
    R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2011/02/02 22:15:52];c:\program files\cyberlink\powerdvd8\000.fcl [2009-8-28 87536]
    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
    R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2011-2-2 163368]
    R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2009-12-4 91392]
    R2 MSSQL$BKUPEXEC;SQL Server (BKUPEXEC);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
    R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
    R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-8-7 4497704]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
    R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-8-7 113448]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-3 102448]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110404.002\naveng.sys [2011-4-4 86136]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110404.002\navex15.sys [2011-4-4 1393144]
    R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2010-8-7 2077840]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-8-7 16168]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
    S1 halfinchVRTS;halfinchVRTS;c:\windows\system32\drivers\halfinch.sys [2008-1-23 39600]
    S2 gupdate1c98d7ec96b1f2a;Google Update Service (gupdate1c98d7ec96b1f2a);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]
    S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-4-1 29744]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-12-4 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-12-4 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-12-4 23936]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 tpfilter;Symantec SCSI Tape/Changer Log Driver;c:\windows\system32\drivers\tpfilter.sys [2008-9-8 32816]
    S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-04-04 00:52:20 -------- d-----w- c:\docume~1\deluca\locals~1\applic~1\{B0ACF696-2FA2-41D8-90DD-238B0E04F113}
    2011-04-04 00:51:04 -------- d-----w- c:\docume~1\deluca\applic~1\4BBF50ADB298B2D518030D529D60C533
    2011-03-31 02:15:14 -------- d-----w- c:\program files\TDSSKiller
    2011-03-27 12:57:47 -------- d-----w- c:\program files\CleanUp!
    2011-03-27 01:11:41 54016 ----a-w- c:\windows\system32\drivers\jeeiq.sys
    2011-03-26 01:03:17 0 ----a-w- c:\windows\Phopirikijirazoh.bin
    2011-03-26 01:01:57 149504 --sha-r- c:\windows\system32\olecliy.dll
    2011-03-22 04:22:39 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-03-22 04:22:39 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-03-12 16:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2011-03-12 16:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    .
    ==================== Find3M ====================
    .
    2011-02-13 23:27:01 10532 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-03 03:13:31 29480 ----a-w- c:\windows\system32\msxml3a.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: SEAGATE_ rev.T109 -> Harddisk0\DR0 -> \Device\Scsi\symmpi2
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x88A89AED]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; LEA EAX, [EBP+0x8]; MOV [EBP-0x4], EAX; CMP ESP, 0x4b; JNZ 0x10; XCHG EBX, EAX; MOV EAX, [0x88b05630]; MOV ECX, [EBP+0x10]; CMP ECX, [EAX]; JBE 0x58; MOV EAX, [EBP+0x10]; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AC82AB8]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A82E030]
    [0x8A84C8D8] -> IRP_MJ_CREATE -> 0x8A71FECC
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c1a; MOV DI, 0x600; MOV CX, 0x1e6; PUSH AX; PUSH DI; CLD ; REP MOVSB ; RETF ; MOV SI, 0x7a4; MOV CL, 0x4; NOP ; CMP BYTE [SI], 0x80; JZ 0x32; CMP [SI], CH; }
    detected disk devices:
    \Device\Scsi\symmpi2Port2Path0Target0Lun0 -> \??\SCSI#Disk&Ven_SEAGATE&Prod_ST3300555SS&Rev_T109#6&34670cd5&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x88ae53b0
    user & kernel MBR OK
    copy of MBR has been found in sector 585922680
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 23:25:59.48 ===============
     
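The DDS log above carries most of the evidence for the redirects in a few machine-readable line shapes: `Hosts:` lines sending every Google, Bing and Yahoo search host to one external IP, an `mRun:` entry that has rundll32 load a randomly named DLL dropped straight into `c:\windows\`, an `IFEO:` entry for svchost.exe, toolbar CLSIDs that resolve to `No File`, and `ConsentPromptBehaviorAdmin = 0`. The triage script below is an added example, not code from the thread, from DDS or from any other tool named on the page; it parses those line shapes and reports each indicator as plain data. The heuristics (which DNS labels count as a search engine, which binaries count as core targets for an IFEO hijack, treating a `rundll32` DLL directly under `%windir%` as worth a look) are my assumptions, and `SAMPLE_LOG` is constructed from lines copied out of the post.

```python
"""Triage a DDS-style log excerpt for browser-redirect indicators.

Added example (not from the thread, DDS, or any named tool). Flags:
search-engine names in HOSTS aimed at one external IP, an autostart that
makes rundll32 load a DLL sitting directly in %windir%, an IFEO entry for
a core binary, toolbars whose CLSID is "No File", and a silenced
elevation prompt. Heuristics are assumptions; SAMPLE_LOG is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log posted in the thread.
SAMPLE_LOG = r"""
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Ijodasax] rundll32.exe "c:\windows\evivamiwokojegig.dll",Startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
IFEO: image file execution options - svchost.exe
Hosts: 66.232.102.249 www.google.com
Hosts: 66.232.102.249 google.com
Hosts: 66.232.102.249 www.bing.com
Hosts: 66.232.102.249 search.yahoo.com
Hosts: 127.0.0.1 localhost
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^[um]Run:\s+\[([^\]]+)\]\s+(.*)$")
TB_NOFILE_RE = re.compile(r"^TB:\s+(.*?)\s+-\s+No File$")
IFEO_RE = re.compile(r"^IFEO:.*-\s+(\S+)$")
UAC_RE = re.compile(r"^mPolicies-system:\s+ConsentPromptBehaviorAdmin\s*=\s*(\d+)")
# A DLL directly under c:\windows\ (one path component), so that
# c:\windows\system32\something.dll deliberately does not match.
WINDIR_DLL_RE = re.compile(r'"?([a-z]:\\windows\\[^\\",]+\.dll)"?')

SEARCH_LABELS = {"google", "bing", "yahoo"}          # assumption
CORE_BINARIES = {"svchost.exe", "explorer.exe", "winlogon.exe",
                 "userinit.exe", "lsass.exe", "services.exe"}  # assumption


def is_search_domain(host):
    """True when one DNS label names a search engine (www.google.co.uk, search.yahoo.com ...)."""
    return bool(SEARCH_LABELS & set(host.lower().split(".")))


def hosts_hijack(entries):
    """Group HOSTS lines by target IP, keeping only reachable (non-loopback,
    non-unspecified) IPs that capture search-engine names. Ad-blocking HOSTS
    files point at 127.0.0.1 or 0.0.0.0; a redirector needs a live address."""
    by_ip = defaultdict(list)
    for ip, name in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.is_loopback or addr.is_unspecified or not is_search_domain(name):
            continue
        by_ip[str(addr)].append(name)
    return dict(by_ip)


def rundll32_from_windir(command):
    """Autostart that has rundll32 load a DLL dropped straight into %windir%."""
    low = command.lower()
    return "rundll32" in low and WINDIR_DLL_RE.search(low) is not None


def triage(log_text):
    """Return findings as plain data so they can be asserted on or exported."""
    findings = {"hosts_hijack": {}, "run_rundll32_windir": [], "ifeo_core": [],
                "tb_no_file": [], "uac_silent": False}
    hosts = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2)))
            continue
        m = RUN_RE.match(line)
        if m:
            if rundll32_from_windir(m.group(2)):
                findings["run_rundll32_windir"].append(m.group(1))
            continue
        m = TB_NOFILE_RE.match(line)
        if m:
            findings["tb_no_file"].append(m.group(1))
            continue
        m = IFEO_RE.match(line)
        if m and m.group(1).lower() in CORE_BINARIES:
            findings["ifeo_core"].append(m.group(1).lower())
            continue
        m = UAC_RE.match(line)
        if m and m.group(1) == "0":
            # Inert on XP (no UAC), but on Vista and later it silences every elevation prompt.
            findings["uac_silent"] = True
    findings["hosts_hijack"] = hosts_hijack(hosts)
    return findings


if __name__ == "__main__":
    for category, value in triage(SAMPLE_LOG).items():
        print(f"{category}: {value}")
```

Two caveats when using something like this on a real log: a `rundll32` DLL under `%windir%` or an IFEO entry is a lead, not a verdict, and has to be confirmed against the file on disk (hash, signature, timestamp); and the GMER section of the post ("copy of MBR has been found in sector ...", "possible TDL3 rootkit infection") describes a boot-sector implant that no text-log parser can confirm or clear, which is why the helper in the thread moves on to disk-level tooling.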
  12. 2011/04/05
    dudgorgon
    Trojan.ZeFarch, Antimalware doctor, browser redirects

    Requested log for Attach:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/22/2008 11:46:24 PM
    System Uptime: 4/5/2011 11:11:42 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0MY171
    Processor: Intel(R) Xeon(R) CPU X5355 @ 2.66GHz | Microprocessor | 2660/1333mhz
    Processor: Intel(R) Xeon(R) CPU X5355 @ 2.66GHz | Microprocessor | 2660/1333mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 279 GiB total, 234.983 GiB free.
    D: is FIXED (NTFS) - 1258 GiB total, 279.97 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    K: is CDROM (UDF1.50)
    L: is FIXED (NTFS) - 931 GiB total, 814.667 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 66.232.102.249 www.google.com
    Hosts: 66.232.102.249 google.com
    Hosts: 66.232.102.249 google.com.au
    Hosts: 66.232.102.249 www.google.com.au
    Hosts: 66.232.102.249 google.be
    Hosts: 66.232.102.249 www.google.be
    Hosts: 66.232.102.249 google.com.br
    Hosts: 66.232.102.249 www.google.com.br
    Hosts: 66.232.102.249 google.ca
    Hosts: 66.232.102.249 www.google.ca
    Hosts: 66.232.102.249 google.ch
    Hosts: 66.232.102.249 www.google.ch
    Hosts: 66.232.102.249 google.de
    Hosts: 66.232.102.249 www.google.de
    Hosts: 66.232.102.249 google.dk
    Hosts: 66.232.102.249 www.google.dk
    Hosts: 66.232.102.249 google.fr
    Hosts: 66.232.102.249 www.google.fr
    Hosts: 66.232.102.249 google.ie
    Hosts: 66.232.102.249 www.google.ie
    Hosts: 66.232.102.249 google.it
    Hosts: 66.232.102.249 www.google.it
    Hosts: 66.232.102.249 google.co.jp
    Hosts: 66.232.102.249 www.google.co.jp
    Hosts: 66.232.102.249 google.nl
    Hosts: 66.232.102.249 www.google.nl
    Hosts: 66.232.102.249 google.no
    Hosts: 66.232.102.249 www.google.no
    Hosts: 66.232.102.249 google.co.nz
    Hosts: 66.232.102.249 www.google.co.nz
    Hosts: 66.232.102.249 google.pl
    Hosts: 66.232.102.249 www.google.pl
    Hosts: 66.232.102.249 google.se
    Hosts: 66.232.102.249 www.google.se
    Hosts: 66.232.102.249 google.co.uk
    Hosts: 66.232.102.249 www.google.co.uk
    Hosts: 66.232.102.249 google.co.za
    Hosts: 66.232.102.249 www.google.co.za
    Hosts: 66.232.102.249 www.google-analytics.com
    Hosts: 66.232.102.249 www.bing.com
    Hosts: 66.232.102.249 search.yahoo.com
    Hosts: 66.232.102.249 www.search.yahoo.com
    Hosts: 66.232.102.249 uk.search.yahoo.com
    Hosts: 66.232.102.249 ca.search.yahoo.com
    Hosts: 66.232.102.249 de.search.yahoo.com
    Hosts: 66.232.102.249 fr.search.yahoo.com
    Hosts: 66.232.102.249 au.search.yahoo.com
    .
    ==== Installed Programs ======================
    .
    32 bit Windows Card Reader Driver
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop Elements 7.0
    Adobe Reader 9.4.3
    Adobe Shockwave Player 11.5
    Any Video Converter 2.1.1
    AnyDVD
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Applet_App
    Applet_Copy
    Applet_Creativity
    Applet_Email
    Applet_Epp
    Applet_File
    Applet_OCR
    Applet_Web
    ArcSoft PhotoImpression 3.0
    AutoUpdate
    Bamboo
    BlackBerry Desktop Software 4.3
    Bonjour
    Broadcom Gigabit Integrated Controller
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera WIA Driver
    Canon EOS 5D WIA Driver
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities Digital Photo Professional 3.3
    Canon Utilities EOS Utility
    Canon Utilities MyCamera
    Canon Utilities Original Data Security Tools
    Canon Utilities PhotoStitch
    Canon Utilities Picture Style Editor
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities WFT-E1/E2/E3 Utility
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    CCleaner
    CDBurnerXP
    Chinese Traditional Fonts Support For Adobe Reader 9
    CleanUp!
    Color Efex Pro 3.0 Wacom Edition 3
    Conexant D850 56K V.9x DFVc Modem
    Copy Utility
    Corel Paint Shop Pro Photo XI
    Corel Snapfire DVD Maker
    Corel Snapfire Plus
    CP Blizzard
    Critical Update for Windows Media Player 11 (KB959772)
    CutePDF Writer 2.7
    CyberLink Blu-ray Disc Suite
    CyberLink InstantBurn
    CyberLink LabelPrint
    CyberLink Power2Go
    CyberLink PowerBackup
    CyberLink PowerDirector
    CyberLink PowerDVD 8
    CyberLink PowerProducer
    Dell Driver Download Manager
    DeLorme Send To GPS 1.2
    DivX Codec
    DivX Converter
    DivX Player
    DivX Web Player
    Doom 3
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    EPSON Photo Print
    EPSON Smart Panel
    EPSON TWAIN 5
    Facebook Plug-In
    Film Factory Lite
    Free Realms
    Garmin MapSource
    Garmin Trip and Waypoint Manager v5
    Garmin USB Drivers
    Garmin WebUpdater
    GearDrvs
    Google Chrome
    Google Desktop
    Google Earth
    Google Photos Screensaver
    Google Toolbar for Firefox
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Drive Key Boot Utility
    Ideal DVD Copy V3.2.4
    InstallMgr
    InterVideo WinDVD
    iTunes
    Japanese Fonts Support For Adobe Reader 9
    Java Auto Updater
    Java(TM) 6 Update 23
    K-Lite Codec Pack 3.8.5 Full
    Karen's Replicator
    Korean Fonts Support For Adobe Reader 9
    LiveUpdate (Symantec Corporation)
    LucasArts' The Infernal Machine
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Corporation
    Microsoft Default Manager
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft LifeCam
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Live Meeting 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Visio Professional 2003
    Microsoft Office Word MUI (English) 2007
    Microsoft Report Viewer Redistributable 2005
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Backward compatibility
    Microsoft SQL Server 2005 Express Edition (BKUPEXEC)
    Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server Compact 3.5 Design Tools ENU
    Microsoft SQL Server Compact 3.5 ENU
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C# 2008 Express Edition - ENU
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework
    Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32
    MobileMe Control Panel
    MotoConnect
    Motorola Driver Installation 4.5.0
    Move Media Player
    Mozilla Firefox 4.0 (x86 en-US)
    MSDN Library for Microsoft Visual Studio 2008 Express Editions
    MSN Toolbar
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB933579)
    Nero 6 Ultra Edition
    NVIDIA Drivers
    OfotoNow
    OGA Notifier 2.0.0048.0
    Opera 11.01
    Pando Media Booster
    PhotoNow! 1.0
    PokerStars
    Primo
    Prism Video Converter
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Return to Castle Wolfenstein
    Roblox for DeLuca
    Roxio Media Manager
    Roxio XingTones
    Runtime
    Safari
    ScanToWeb
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office Groove 2007 (KB2494047)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SightSpeed (remove only)
    Skype Toolbars
    Skype™ 5.1
    Sony Picture Utility
    Spybot - Search & Destroy
    Star Wars JK II Jedi Outcast
    Symantec AntiVirus
    Symantec Backup Exec (TM) 12.5 for Windows Servers
    Symantec Backup Exec for Windows Servers
    Symantec Backup Exec for Windows Servers (Hotfix 17)
    Symantec Backup Exec for Windows Servers (Hotfix 300287)
    Symantec Backup Exec for Windows Servers (Hotfix 300290)
    Symantec Backup Exec for Windows Servers (Hotfix 302418)
    Symantec Backup Exec for Windows Servers (Hotfix 302980)
    Symantec Backup Exec for Windows Servers (Hotfix 302981)
    Symantec Backup Exec for Windows Servers (Hotfix 302982)
    Symantec Backup Exec for Windows Servers (Hotfix 303865)
    Symantec Backup Exec for Windows Servers (Hotfix 304179)
    Symantec Backup Exec for Windows Servers (Hotfix 304392)
    Symantec Backup Exec for Windows Servers (Hotfix 304586)
    Symantec Backup Exec for Windows Servers (Hotfix 304662)
    Symantec Backup Exec for Windows Servers (Hotfix 304922)
    Symantec Backup Exec for Windows Servers (Hotfix 304964)
    Symantec Backup Exec for Windows Servers (Hotfix 306240)
    Symantec Backup Exec for Windows Servers (Hotfix 306945)
    Symantec Backup Exec for Windows Servers (Hotfix 306950)
    Symantec Backup Exec for Windows Servers (Hotfix 307617)
    Symantec Backup Exec for Windows Servers (Hotfix 307711)
    Symantec Backup Exec for Windows Servers (Hotfix 336087)
    Symantec Backup Exec for Windows Servers (Service Pack 1)
    Symantec Backup Exec for Windows Servers (Service Pack 3)
    Symantec Backup Exec License Assessment Tool
    TomTom HOME 2.7.6.2056
    TomTom HOME Visual Studio Merge Modules
    Try Corel Snapfire muvee autoProducer add on
    Unity Web Player
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Outlook 2007 Junk Email Filter (KB2508979)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Visual C++ 8.0 Runtime Setup Package
    VLC media player 1.0.5
    VZAccess Manager for RIM
    WD Diagnostics
    WD Firewire HID Driver
    WebConference.com Multimedia Conferencing Version 7.0.0
    WebFldrs XP
    WebTablet IE Plugin
    WebTablet Netscape Plugin
    Winamp
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0
    Yahoo! Browser Services
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/5/2011 7:45:47 AM, error: System Error [1003] - Error code 000000c2, parameter1 00000007, parameter2 00000cd4, parameter3 00000000, parameter4 ad24e138.
    4/5/2011 10:02:37 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    4/4/2011 8:39:39 PM, error: System Error [1003] - Error code 000000c2, parameter1 00000007, parameter2 00000cd4, parameter3 00000000, parameter4 ad2f6138.
    4/4/2011 8:22:08 PM, error: System Error [1003] - Error code 000000c2, parameter1 00000007, parameter2 00000cd4, parameter3 00000000, parameter4 a9c02138.
    4/4/2011 7:17:37 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:36 PM, error: Service Control Manager [7034] - The Yahoo! Updater service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:36 PM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:36 PM, error: Service Control Manager [7034] - The TabletServicePen service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:36 PM, error: Service Control Manager [7034] - The Canon Camera Access Library 8 service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:35 PM, error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:35 PM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:34 PM, error: Service Control Manager [7034] - The SQL Server (SQLEXPRESS) service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:34 PM, error: Service Control Manager [7034] - The SQL Server (BKUPEXEC) service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:34 PM, error: Service Control Manager [7034] - The MSCamSvc service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:34 PM, error: Service Control Manager [7034] - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:34 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:33 PM, error: Service Control Manager [7034] - The ProtexisLicensing service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:33 PM, error: Service Control Manager [7034] - The NMSAccess service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:33 PM, error: Service Control Manager [7034] - The Adobe Active File Monitor V7 service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 7:17:33 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/4/2011 7:17:32 PM, error: Service Control Manager [7034] - The WTouch Service service terminated unexpectedly. It has done this 1 time(s).
    4/4/2011 6:59:29 PM, error: System Error [1003] - Error code 1000007f, parameter1 00000008, parameter2 ba378d70, parameter3 00000000, parameter4 00000000.
    4/4/2011 6:54:26 PM, error: Service Control Manager [7024] - The Symantec SPBBCSvc service terminated with service-specific error 4294967295 (0xFFFFFFFF).
    3/31/2011 7:48:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cercsr6
    3/31/2011 7:42:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/31/2011 7:39:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD cercsr6 eeCtrl ElbyCDIO Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SAVRTPEL SCSIChanger SPBBCDrv SYMTDI Tcpip
    3/31/2011 7:39:00 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    3/31/2011 7:39:00 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/31/2011 7:39:00 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/31/2011 7:39:00 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    3/31/2011 7:39:00 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/31/2011 7:39:00 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/31/2011 6:51:12 PM, error: Service Control Manager [7031] - The MotoConnect Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 6000 milliseconds: Restart the service.
    3/31/2011 6:50:36 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    3/31/2011 6:49:21 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atapi cercsr6
    3/29/2011 4:37:51 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference error message: The referenced assembly is not installed on your system. .
    3/29/2011 4:37:51 PM, error: SideBySide [59] - Generate Activation Context failed for c:\program files\real\realplayer\plugins\rmxrend.dll. Reference error message: The operation completed successfully. .
    3/29/2011 4:37:51 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.
    .
    ==== End Of File ===========================
     
  13. 2011/04/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're infected with the TDL rootkit.

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
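    The instructions above produce a TDSSKiller log, and the finding that matters in it is a "Suspicious file (Forged)" line: TDL3 patches a legitimate system driver on disk and hides the change by serving the original bytes to ordinary file reads, so the tool reads the raw disk below the rootkit's hook and reports two hashes, the bytes actually on disk ("Real md5") and the bytes a normal read gets ("Fake md5"). The script below is an added example, not part of this thread or of TDSSKiller: it parses TDSSKiller-style driver, forged and "detected" lines from a constructed sample (the hashes and paths are copied from the log posted later in this thread), folds the forged and verdict lines into the driver record they refer to, and lists the drivers worth acting on. The log layout it assumes is the 2.4.x format shown in the thread; other versions may differ.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the TDSSKiller 2.4.x log layout used in this thread
# (one clean driver, one driver with a forged read and a verdict, one more clean driver).
SAMPLE_LOG = r"""
2011/04/06 21:05:10.0828 1320 Imapi (b6775c2220d2b4cddd3fee1dee5007e7) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/06 21:05:10.0828 1320 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\imapi.sys. Real md5: b6775c2220d2b4cddd3fee1dee5007e7, Fake md5: 083a052659f5310dd8b6a6cb05edcf8e
2011/04/06 21:05:10.0828 1320 Imapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/04/06 21:05:10.0875 1320 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
"""

# Every record line starts with a timestamp and the scanning thread id.
_PREFIX = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"
_MD5 = r"[0-9a-fA-F]{32}"
DRIVER_RE = re.compile(_PREFIX + rf"(?P<name>\S+) \((?P<md5>{_MD5})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    _PREFIX + rf"Suspicious file \(Forged\): (?P<path>.+?)\. "
    rf"Real md5: (?P<real>{_MD5}), Fake md5: (?P<fake>{_MD5})$"
)
DETECT_RE = re.compile(_PREFIX + r"(?P<name>\S+) - detected (?P<verdict>\S+) \(\d+\)$")


@dataclass
class DriverRecord:
    name: str
    md5: str                             # hash TDSSKiller lists for the driver file
    path: str
    forged: bool = False
    real_md5: Optional[str] = None       # "Real md5": bytes actually on disk, read below the hook
    presented_md5: Optional[str] = None  # "Fake md5": what a normal file read returns
    verdict: Optional[str] = None        # e.g. Rootkit.Win32.TDSS.tdl3


def parse_tdsskiller_log(text: str) -> Dict[str, DriverRecord]:
    """Return driver records keyed by lower-cased service name, with the
    forged-file and verdict lines folded into the record they refer to."""
    by_name: Dict[str, DriverRecord] = {}
    by_path: Dict[str, DriverRecord] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FORGED_RE.match(line)
        if m:
            rec = by_path.get(m["path"].lower())
            if rec is None:
                # Forged line for a path that was never listed: keep the finding anyway.
                rec = DriverRecord(name=m["path"].rsplit("\\", 1)[-1], md5=m["real"].lower(), path=m["path"])
                by_name[rec.name.lower()] = rec
                by_path[rec.path.lower()] = rec
            rec.forged = True
            rec.real_md5, rec.presented_md5 = m["real"].lower(), m["fake"].lower()
            continue
        m = DETECT_RE.match(line)
        if m:
            rec = by_name.get(m["name"].lower())
            if rec is not None:
                rec.verdict = m["verdict"]
            continue
        m = DRIVER_RE.match(line)
        if m:
            rec = DriverRecord(name=m["name"], md5=m["md5"].lower(), path=m["path"])
            by_name[rec.name.lower()] = rec
            by_path[rec.path.lower()] = rec
    return by_name


def infected_drivers(records: Dict[str, DriverRecord]) -> List[DriverRecord]:
    """Drivers worth acting on: a named verdict, or a forged read whose two hashes differ."""
    return [
        r for r in records.values()
        if r.verdict or (r.forged and r.real_md5 != r.presented_md5)
    ]


if __name__ == "__main__":
    for r in infected_drivers(parse_tdsskiller_log(SAMPLE_LOG)):
        print(f"{r.name}: {r.path}")
        print(f"  verdict={r.verdict} on_disk={r.real_md5} presented={r.presented_md5}")
```

    Run it against a saved TDSSKiller_xxxx_log.txt by passing the file contents to parse_tdsskiller_log. The hash mismatch is the signal: whichever driver the rootkit chose to hide in, a clean file read and a raw disk read of the same path should never disagree.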
     
  14. 2011/04/06
    dudgorgon

    dudgorgon Inactive Thread Starter

    Joined:
    2011/04/01
    Messages:
    46
    Likes Received:
    0
    TDSSKiller log

    2011/04/06 21:04:59.0468 6772 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
    2011/04/06 21:04:59.0640 6772 ================================================================================
    2011/04/06 21:04:59.0640 6772 SystemInfo:
    2011/04/06 21:04:59.0640 6772
    2011/04/06 21:04:59.0640 6772 OS Version: 5.1.2600 ServicePack: 3.0
    2011/04/06 21:04:59.0640 6772 Product type: Workstation
    2011/04/06 21:04:59.0640 6772 ComputerName: DADDYO
    2011/04/06 21:04:59.0640 6772 UserName: DeLuca
    2011/04/06 21:04:59.0640 6772 Windows directory: C:\WINDOWS
    2011/04/06 21:04:59.0640 6772 System windows directory: C:\WINDOWS
    2011/04/06 21:04:59.0640 6772 Processor architecture: Intel x86
    2011/04/06 21:04:59.0640 6772 Number of processors: 8
    2011/04/06 21:04:59.0640 6772 Page size: 0x1000
    2011/04/06 21:04:59.0640 6772 Boot type: Normal boot
    2011/04/06 21:04:59.0640 6772 ================================================================================
    2011/04/06 21:05:00.0906 6772 Initialize success
    2011/04/06 21:05:07.0890 1320 ================================================================================
    2011/04/06 21:05:07.0890 1320 Scan started
    2011/04/06 21:05:07.0890 1320 Mode: Manual;
    2011/04/06 21:05:07.0890 1320 ================================================================================
    2011/04/06 21:05:09.0046 1320 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/04/06 21:05:09.0078 1320 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/04/06 21:05:09.0109 1320 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/04/06 21:05:09.0140 1320 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/04/06 21:05:09.0218 1320 AnyDVD (7e0323162c933dce87d2bbf11a255174) C:\WINDOWS\system32\Drivers\AnyDVD.sys
    2011/04/06 21:05:09.0234 1320 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/04/06 21:05:09.0312 1320 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/04/06 21:05:09.0328 1320 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/04/06 21:05:09.0359 1320 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/04/06 21:05:09.0375 1320 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/04/06 21:05:09.0406 1320 b57w2k (741dfbf3a4dc41a400dbc71199564853) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    2011/04/06 21:05:09.0437 1320 bb-run (7270d070173b20ac9487ea16bb08b45f) C:\WINDOWS\system32\DRIVERS\bb-run.sys
    2011/04/06 21:05:09.0468 1320 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/04/06 21:05:09.0515 1320 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/04/06 21:05:09.0546 1320 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/04/06 21:05:09.0593 1320 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/04/06 21:05:09.0609 1320 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/04/06 21:05:09.0625 1320 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/04/06 21:05:09.0671 1320 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
    2011/04/06 21:05:09.0718 1320 CLBStor (f5c8f7a7d1a3f569bf77574a795cc19e) C:\WINDOWS\system32\drivers\CLBStor.sys
    2011/04/06 21:05:09.0734 1320 CLBUDF (07b3e4fc5d4943ba802607ddf8f5d418) C:\WINDOWS\system32\drivers\CLBUDF.sys
    2011/04/06 21:05:09.0796 1320 ctac32k (8a9c65ce4fe6e8cb24ce06ba28d951a0) C:\WINDOWS\system32\drivers\ctac32k.sys
    2011/04/06 21:05:09.0828 1320 ctaud2k (47236971dfb3e03690b98e41665d0924) C:\WINDOWS\system32\drivers\ctaud2k.sys
    2011/04/06 21:05:09.0859 1320 ctdvda2k (5a0eeb00b02fc78605aa9d3590b24978) C:\WINDOWS\system32\drivers\ctdvda2k.sys
    2011/04/06 21:05:09.0875 1320 ctprxy2k (2381cf056c15271f6b8dab50ff82cf3a) C:\WINDOWS\system32\drivers\ctprxy2k.sys
    2011/04/06 21:05:09.0890 1320 ctsfm2k (da1c530de86c85a701138b30fb145af3) C:\WINDOWS\system32\drivers\ctsfm2k.sys
    2011/04/06 21:05:09.0953 1320 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/04/06 21:05:09.0984 1320 DLABMFSM (f334299a3ba04206825aa9fcddb93906) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
    2011/04/06 21:05:10.0000 1320 DLABOIOM (9df7fd7a31aa4444b20dd8a93c185c0a) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
    2011/04/06 21:05:10.0000 1320 DLACDBHM (7c7b0ebb364e016735b3aaad3347de81) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
    2011/04/06 21:05:10.0015 1320 DLADResM (706350858342059c9ea81f06e37f4e72) C:\WINDOWS\system32\Drivers\DLADResM.SYS
    2011/04/06 21:05:10.0031 1320 DLAIFS_M (3aa7958756330169881c3f47eea37bcc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
    2011/04/06 21:05:10.0046 1320 DLAOPIOM (5a2b563fc4e10639ecb0569e48b942c0) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
    2011/04/06 21:05:10.0046 1320 DLAPoolM (15a737af1dad3af3d202350da5d820c0) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
    2011/04/06 21:05:10.0062 1320 DLARTL_M (4c1f0e1aa60d4ce1d508c118b16866df) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
    2011/04/06 21:05:10.0078 1320 DLAUDFAM (df4e0c57e52f5e4d91609e5bdbd50863) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
    2011/04/06 21:05:10.0093 1320 DLAUDF_M (02c51b8a38b50a0da4af7c1eb7484270) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
    2011/04/06 21:05:10.0125 1320 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/04/06 21:05:10.0140 1320 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/04/06 21:05:10.0156 1320 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/04/06 21:05:10.0171 1320 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/04/06 21:05:10.0187 1320 dontgo (ee1cf616037552f4e75fd6592d0677b6) C:\WINDOWS\system32\DRIVERS\DontGo.sys
    2011/04/06 21:05:10.0203 1320 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/04/06 21:05:10.0218 1320 DRVMCDB (99b8d4fda8db7f61eeac6170355f7d6e) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
    2011/04/06 21:05:10.0234 1320 DRVNDDM (5446f12f7157a1944cfd417085ebb62a) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
    2011/04/06 21:05:10.0281 1320 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    2011/04/06 21:05:10.0328 1320 ElbyCDIO (309ac30471a0f1c3a89dee1c81230576) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
    2011/04/06 21:05:10.0343 1320 emupia (661cf27263f3e0b553be050a42d357db) C:\WINDOWS\system32\drivers\emupia2k.sys
    2011/04/06 21:05:10.0359 1320 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    2011/04/06 21:05:10.0375 1320 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/04/06 21:05:10.0406 1320 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/04/06 21:05:10.0421 1320 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/04/06 21:05:10.0437 1320 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/04/06 21:05:10.0453 1320 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/04/06 21:05:10.0484 1320 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/04/06 21:05:10.0500 1320 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/04/06 21:05:10.0500 1320 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2011/04/06 21:05:10.0531 1320 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/04/06 21:05:10.0546 1320 grmnusb (6003bc70f1a8307262bd3c941bda0b7e) C:\WINDOWS\system32\drivers\grmnusb.sys
    2011/04/06 21:05:10.0593 1320 ha20x2k (4b1e6b601c6c8c1cced6c945a9f6e83e) C:\WINDOWS\system32\drivers\ha20x2k.sys
    2011/04/06 21:05:10.0625 1320 halfinchVRTS (fc0262c724abab6fd4f1fe9c230e8616) C:\WINDOWS\system32\DRIVERS\halfinch.sys
    2011/04/06 21:05:10.0640 1320 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/04/06 21:05:10.0671 1320 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
    2011/04/06 21:05:10.0718 1320 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
    2011/04/06 21:05:10.0734 1320 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/04/06 21:05:10.0781 1320 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
    2011/04/06 21:05:10.0796 1320 iastor (2358c53f30cb9dcd1d3843c4e2f299b2) C:\WINDOWS\system32\DRIVERS\iaStor.sys
    2011/04/06 21:05:10.0828 1320 Imapi (b6775c2220d2b4cddd3fee1dee5007e7) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/04/06 21:05:10.0828 1320 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\imapi.sys. Real md5: b6775c2220d2b4cddd3fee1dee5007e7, Fake md5: 083a052659f5310dd8b6a6cb05edcf8e
    2011/04/06 21:05:10.0828 1320 Imapi - detected Rootkit.Win32.TDSS.tdl3 (0)
    2011/04/06 21:05:10.0875 1320 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/04/06 21:05:14.0890 1320 \HardDisk3 - detected Backdoor.Win32.Sinowal.knf (0)
    2011/04/06 21:05:14.0937 1320 ================================================================================
    2011/04/06 21:05:14.0937 1320 Scan finished
    2011/04/06 21:05:14.0937 1320 ================================================================================
    2011/04/06 21:05:14.0937 7912 Detected object count: 2
    2011/04/06 21:05:30.0484 7912 Imapi (b6775c2220d2b4cddd3fee1dee5007e7) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/04/06 21:05:30.0484 7912 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\imapi.sys. Real md5: b6775c2220d2b4cddd3fee1dee5007e7, Fake md5: 083a052659f5310dd8b6a6cb05edcf8e
    2011/04/06 21:05:32.0250 7912 Backup copy found, using it..
    2011/04/06 21:05:32.0312 7912 C:\WINDOWS\system32\DRIVERS\imapi.sys - will be cured after reboot
    2011/04/06 21:05:32.0312 7912 Rootkit.Win32.TDSS.tdl3(Imapi) - User select action: Cure
    2011/04/06 21:05:32.0343 7912 \HardDisk3 (Backdoor.Win32.Sinowal.knf) - will be cured after reboot
    2011/04/06 21:05:32.0343 7912 \HardDisk3 - ok
    2011/04/06 21:05:32.0343 7912 Backdoor.Win32.Sinowal.knf(\HardDisk3) - User select action: Cure
    2011/04/06 21:05:47.0140 3848 Deinitialize success
     
  15. 2011/04/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How is redirection?

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  16. 2011/04/06
    dudgorgon

    dudgorgon Inactive Thread Starter

    Joined:
    2011/04/01
    Messages:
    46
    Likes Received:
    0
    Redirection

    It still occurs. I will try the next steps you have suggested tomorrow. Gotta get some shuteye.
     
  17. 2011/04/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok :)
     
  18. 2011/04/06
    dudgorgon

    dudgorgon Inactive Thread Starter

    Joined:
    2011/04/01
    Messages:
    46
    Likes Received:
    0
    Ran ComboFix

    I decided to run it after all...

    Trojan.ZeFarch appears to be gone, according to SAV. Redirects appear to be a thing of the past too.

    Below is the requested log. Let me know if there is something else I need to do... your help is greatly appreciated.

    ComboFix 11-04-06.01 - DeLuca 04/06/2011 23:26:42.1.8 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2046 [GMT -4:00]
    Running from: c:\documents and settings\DeLuca\Desktop\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    ADS - WINDOWS: deleted 72 bytes in 1 streams.
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\09c1ee
    c:\documents and settings\All Users\Application Data\09c1ee\00e300f0327dc8de5606b0b9f9160ae3.ocx
    c:\documents and settings\All Users\Application Data\09c1ee\2788.mof
    c:\documents and settings\All Users\Application Data\09c1ee\BackUp\PMB Media Check Tool.lnk
    c:\documents and settings\All Users\Application Data\09c1ee\BackUp\Windows Search.lnk
    c:\documents and settings\All Users\Application Data\09c1ee\gdjd7tm9q01u8z6agvhsrgown.dll
    c:\documents and settings\All Users\Application Data\09c1ee\ISE.ico
    c:\documents and settings\All Users\Application Data\09c1ee\mozcrt19.dll
    c:\documents and settings\All Users\Application Data\09c1ee\sqlite3.dll
    c:\documents and settings\backup\Local Settings\Application Data\{6BE1DD88-4360-41AD-91AF-70498E2EF3AF}
    c:\documents and settings\backup\Local Settings\Application Data\{6BE1DD88-4360-41AD-91AF-70498E2EF3AF}\chrome.manifest
    c:\documents and settings\backup\Local Settings\Application Data\{6BE1DD88-4360-41AD-91AF-70498E2EF3AF}\chrome\content\_cfg.js
    c:\documents and settings\backup\Local Settings\Application Data\{6BE1DD88-4360-41AD-91AF-70498E2EF3AF}\chrome\content\overlay.xul
    c:\documents and settings\backup\Local Settings\Application Data\{6BE1DD88-4360-41AD-91AF-70498E2EF3AF}\install.rdf
    c:\documents and settings\DeLuca\Application Data\4BBF50ADB298B2D518030D529D60C533
    c:\documents and settings\DeLuca\Application Data\4BBF50ADB298B2D518030D529D60C533\enemies-names.txt
    c:\documents and settings\DeLuca\Application Data\4BBF50ADB298B2D518030D529D60C533\local.ini
    c:\documents and settings\DeLuca\Application Data\4BBF50ADB298B2D518030D529D60C533\lsrslt.ini
    c:\documents and settings\DeLuca\Application Data\Adobe\plugs
    c:\documents and settings\DeLuca\Application Data\Adobe\shed
    c:\documents and settings\DeLuca\Application Data\inst.exe
    c:\documents and settings\DeLuca\Application Data\PriceGong
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\DeLuca\Local Settings\Application Data\{B0ACF696-2FA2-41D8-90DD-238B0E04F113}
    c:\documents and settings\DeLuca\Local Settings\Application Data\{B0ACF696-2FA2-41D8-90DD-238B0E04F113}\chrome.manifest
    c:\documents and settings\DeLuca\Local Settings\Application Data\{B0ACF696-2FA2-41D8-90DD-238B0E04F113}\chrome\content\_cfg.js
    c:\documents and settings\DeLuca\Local Settings\Application Data\{B0ACF696-2FA2-41D8-90DD-238B0E04F113}\chrome\content\overlay.xul
    c:\documents and settings\DeLuca\Local Settings\Application Data\{B0ACF696-2FA2-41D8-90DD-238B0E04F113}\install.rdf
    c:\documents and settings\DeLuca\WINDOWS
    c:\webupdater\WebUpdater.exe
    c:\windows\evivamiwokojegig.dll
    c:\windows\system32\Drivers\jeeiq.sys
    c:\windows\XSxS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-07 to 2011-04-07 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-06 22:52 . 2011-04-06 22:52 -------- d-----w- c:\documents and settings\administrator.ZOO-690\Application Data\Malwarebytes
    2011-04-06 03:58 . 2011-04-07 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\eIg06504hAhHe06504
    2011-04-02 11:07 . 2011-04-02 11:07 -------- d-----w- c:\documents and settings\backup\Application Data\Malwarebytes
    2011-03-31 02:15 . 2011-03-31 02:15 -------- d-----w- c:\program files\TDSSKiller
    2011-03-27 12:57 . 2011-03-27 12:57 -------- d-----w- c:\program files\CleanUp!
    2011-03-26 20:43 . 2011-03-26 20:43 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2011-03-26 10:23 . 2011-04-02 11:07 -------- d-----w- c:\documents and settings\backup\Application Data\WTablet
    2011-03-26 10:23 . 2011-03-26 10:23 -------- d-----w- c:\documents and settings\backup\Application Data\WTouch
    2011-03-26 03:17 . 2011-03-26 03:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\skypePM
    2011-03-26 03:17 . 2011-03-26 03:17 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-03-26 01:15 . 2011-03-26 01:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-03-26 01:03 . 2011-04-06 04:17 0 ----a-w- c:\windows\Phopirikijirazoh.bin
    2011-03-26 01:01 . 2011-03-26 01:01 149504 --sha-r- c:\windows\system32\olecliy.dll
    2011-03-22 04:22 . 2011-03-22 04:22 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-07 01:09 . 2004-08-04 10:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
    2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-03 03:13 . 2011-02-03 03:14 29480 ----a-w- c:\windows\system32\msxml3a.dll
    2011-02-02 07:58 . 2008-03-23 03:39 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2008-03-23 03:39 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-04 10:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2011-03-18 17:53 . 2011-03-27 13:21 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2008-08-14 16:50 . 2008-08-14 16:50 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-01 68856]
    "ISUSPM "= "c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    "OfotoNow USB Detection "= "c:\progra~1\Ofoto\OfotoNow\OFUSBS.DLL" [2002-11-05 77824]
    "Google Update "= "c:\documents and settings\DeLuca\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Messenger (Yahoo!) "= "c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
    "TomTomHOME.exe "= "c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
    "Power2GoExpress "= "c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2009-10-02 2684200]
    "Skype "= "c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2007-02-27 7933952]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "CTHelper "= "CTHELPER.EXE" [2005-11-09 16384]
    "CTxfiHlp "= "CTXFIHLP.EXE" [2006-03-02 18944]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-14 29744]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
    "WD Button Manager"="WDBtnMgr.exe" [2010-02-28 339968]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]
    "VX6000"="c:\windows\vVX6000.exe" [2009-03-17 713744]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-20 274608]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
    "InstantBurn"="c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2009-07-09 681256]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
    "RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-07-17 91432]
    "PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
    "BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-08-28 75048]
    "UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "UpdatePSTShortCut"="c:\program files\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe" [2009-10-28 210216]
    "Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-02-06 478800]
    .
    c:\documents and settings\DeLuca\Start Menu\Programs\Startup\
    PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-9-5 333088]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft SQL Server\\MSSQL.1\\MSSQL\\Binn\\sqlservr.exe"=
    "c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe"=
    "c:\\Program Files\\Symantec\\Backup Exec\\pvlsvr.exe"=
    "c:\\Program Files\\Symantec\\Backup Exec\\beserver.exe"=
    "c:\\Program Files\\Symantec\\Backup Exec\\bengine.exe"=
    "c:\\Program Files\\Symantec\\Backup Exec\\beremote.exe"=
    "c:\\Program Files\\Symantec\\Backup Exec\\benetns.exe"=
    "c:\\Program Files\\WebConference.com\\Version7\\webconference.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "57952:TCP"= 57952:TCP:pando Media Booster
    "57952:UDP"= 57952:UDP:pando Media Booster
    "3389:TCP"= 3389:TCP:Remote Desktop
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "5762:TCP"= 5762:TCP:Services
    "9434:TCP"= 9434:TCP:Services
    "7716:TCP"= 7716:TCP:Services
    "7715:TCP"= 7715:TCP:Services
    "9183:TCP"= 9183:TCP:Services
    "9590:TCP"= 9590:TCP:Services
    "9137:TCP"= 9137:TCP:Services
    "7804:TCP"= 7804:TCP:Services
    "4652:TCP"= 4652:TCP:Services
    "8715:TCP"= 8715:TCP:Services
    "4996:TCP"= 4996:TCP:Services
    "3794:TCP"= 3794:TCP:Services
    "9918:TCP"= 9918:TCP:Services
    "6058:TCP"= 6058:TCP:Services
    "7090:TCP"= 7090:TCP:Services
    "4981:TCP"= 4981:TCP:Services
    .
    R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [3/14/2010 4:57 PM 7680]
    R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [3/14/2010 4:57 PM 105984]
    R0 VSP;Volume Snapshot Provider;c:\windows\system32\drivers\VSP.sys [10/16/2008 6:14 PM 54192]
    R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2/2/2011 10:57 PM 15784]
    R1 SCSIChanger;SCSIChanger;c:\windows\system32\drivers\SCSICHNG.SYS [8/24/2007 20272]
    R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2011/02/02 22:15];c:\program files\CyberLink\PowerDVD8\000.fcl [8/28/2009 7:36 PM 87536]
    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
    R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2/2/2011 10:57 PM 163368]
    R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [12/4/2009 11:56 AM 91392]
    R2 MSSQL$BKUPEXEC;SQL Server (BKUPEXEC);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 6:29 PM 29293408]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 8:48 PM 116416]
    R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [8/7/2010 2:17 PM 4497704]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 5:38 AM 92008]
    R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [8/7/2010 2:18 PM 113448]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/3/2010 7:44 AM 102448]
    R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [8/7/2010 1:56 PM 2077840]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [8/7/2010 2:17 PM 16168]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
    S1 halfinchVRTS;halfinchVRTS;c:\windows\system32\drivers\halfinch.sys [1/23/2008 3:54 PM 39600]
    S2 gupdate1c98d7ec96b1f2a;Google Update Service (gupdate1c98d7ec96b1f2a);c:\program files\Google\Update\GoogleUpdate.exe [2/12/2009 10:00 PM 133104]
    S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/1/2008 8:48 AM 29744]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12/4/2009 11:57 AM 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12/4/2009 11:57 AM 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/4/2009 11:57 AM 23936]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 tpfilter;Symantec SCSI Tape/Changer Log Driver;c:\windows\system32\drivers\tpfilter.sys [9/8/2008 4:33 PM 32816]
    S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
    .
    2011-04-07 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-01 00:32]
    .
    2011-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 02:00]
    .
    2011-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 02:00]
    .
    2011-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1336601894-839522115-1003Core.job
    - c:\documents and settings\DeLuca\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 03:08]
    .
    2011-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1336601894-839522115-1003UA.job
    - c:\documents and settings\DeLuca\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 03:08]
    .
    2011-04-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-57989841-1336601894-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    2011-04-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-57989841-1336601894-839522115-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    2011-04-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-57989841-1336601894-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    2011-04-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-57989841-1336601894-839522115-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    Trusted Zone: webconference.com
    DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
    DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
    FF - ProfilePath - c:\documents and settings\DeLuca\Application Data\Mozilla\Firefox\Profiles\2nws9g7u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    HKCU-Run-k70ccreloc.exe - c:\documents and settings\DeLuca\Application Data\4BBF50ADB298B2D518030D529D60C533\k70ccreloc.exe
    HKLM-Run-nwiz - nwiz.exe
    HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
    HKLM-Run-Ijodasax - c:\windows\evivamiwokojegig.dll
    HKU-Default-RunOnce-RealUpgradeHelper - c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe
    SafeBoot-klmdb.sys
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-06 23:44
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(5280)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ctagent.dll
    c:\progra~1\Ofoto\OfotoNow\OFUSBS.DLL
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\dfshim.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    c:\program files\Microsoft LifeCam\MSCamS32.exe
    c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
    c:\program files\CDBurnerXP\NMSAccessU.exe
    c:\windows\system32\PSIService.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\Symantec\Backup Exec\beremote.exe
    c:\program files\Symantec\Backup Exec\pvlsvr.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Symantec\Backup Exec\beserver.exe
    c:\program files\Symantec\Backup Exec\benetns.exe
    c:\program files\Symantec\Backup Exec\bengine.exe
    c:\program files\WTouch\WTouchUser.exe
    c:\program files\Motorola\MotoConnectService\MotoConnect.exe
    c:\windows\CTHELPER.EXE
    c:\windows\system32\CTXFIHLP.EXE
    c:\windows\SYSTEM32\CTXFISPI.EXE
    c:\windows\system32\WDBtnMgr.exe
    c:\windows\system32\RunDLL32.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    .
    **************************************************************************
    .
    Completion time: 2011-04-06 23:50:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-04-07 03:50
    .
    Pre-Run: 252,018,106,368 bytes free
    Post-Run: 251,787,976,704 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 051A3952E789C5A426751B3813C3BF12
     
  19. 2011/04/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good news :)

    There are still some "baddies" there, though.

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Phopirikijirazoh.bin
    c:\windows\system32\olecliy.dll
    
    Folder::
    c:\documents and settings\All Users\Application Data\eIg06504hAhHe06504
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag CFScript.txt onto ComboFix.exe, as depicted in the animation below. This will start ComboFix again.

    [image: animation showing CFScript.txt being dragged onto ComboFix.exe]


    6. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
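
An added example, not part of broni's post and not ComboFix's own code: a small triage script that reads a ComboFix log like the one above and flags the indicator types this thread turned up. It looks for the Security Center "DisableMonitoring" values that broni's script removes, the run of firewall exceptions whose description is just "Services", hidden+system or zero-byte files dropped under c:\windows, and Run entries that point into a 32-hex-character folder or at a bare DLL in the Windows root. The section markers and line layouts are ComboFix's; the four "suspicious" rules are this example's own assumptions and only point an analyst at lines worth reading. The sample input is a handful of lines excerpted from the log above, kept as the forum renders them (with the stray space before each closing quote, which the script strips).

```python
r"""Triage a ComboFix log for the indicator types seen in this thread.

Added example: not part of the forum posts and not ComboFix code. Section
markers and line layouts are ComboFix's own; the 'suspicious' rules are this
example's assumptions and only point an analyst at lines worth reading.
"""
import re
from dataclasses import dataclass

# Sample input: lines excerpted from the log posted above, kept exactly as the
# forum renders them (with a stray space before each closing quote).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-03-07 to 2011-04-07 )))))))))))))))))))))))))))))))
2011-03-26 01:03 . 2011-04-06 04:17 0 ----a-w- c:\windows\Phopirikijirazoh.bin
2011-03-26 01:01 . 2011-03-26 01:01 149504 --sha-r- c:\windows\system32\olecliy.dll
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring "=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57952:TCP "= 57952:TCP:pando Media Booster
"3389:TCP "= 3389:TCP:Remote Desktop
"65533:TCP "= 65533:TCP:Services
"52344:TCP "= 52344:TCP:Services
- - - - ORPHANS REMOVED - - - -
HKCU-Run-k70ccreloc.exe - c:\documents and settings\DeLuca\Application Data\4BBF50ADB298B2D518030D529D60C533\k70ccreloc.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
HKLM-Run-Ijodasax - c:\windows\evivamiwokojegig.dll
"""

FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+'
                     r'(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$')
REG_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')
ORPHAN_RE = re.compile(r'^(?P<hive>HK[A-Z]+)-(?P<entry>.+?) - (?P<path>.+)$')
HEX32_DIR_RE = re.compile(r'\\[0-9a-f]{32}\\', re.I)               # ...\4BBF50AD...C533\...
WINROOT_DLL_RE = re.compile(r'^c:\\windows\\[^\\]+\.dll$', re.I)  # c:\windows\xyz.dll


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def normalise(line: str) -> str:
    """Drop forum indentation and the space the forum inserts before a closing quote."""
    return re.sub(r'"([^"]*?)\s+"', r'"\1"', line.strip())


def suspicious_file(size: str, attrs: str, path: str) -> bool:
    """Assumption: hidden+system or zero-byte files dropped under c:\\windows deserve a look."""
    if not path.lower().startswith('c:\\windows\\'):
        return False
    return ('h' in attrs and 's' in attrs) or size == '0'


def suspicious_autorun(path: str) -> bool:
    """Assumption: a 32-hex-char folder, or a bare DLL in the Windows root, is dropper-like."""
    return bool(HEX32_DIR_RE.search(path) or WINROOT_DLL_RE.match(path))


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    section, key = None, ''
    for raw in log_text.splitlines():
        line = normalise(raw)
        if not line or line == '.':
            continue
        if 'Files Created' in line or 'Find3M Report' in line:   # ComboFix section headers
            section = 'files'
        elif 'Reg Loading Points' in line:
            section = 'registry'
        elif 'ORPHANS REMOVED' in line:
            section = 'orphans'
        elif 'Supplementary Scan' in line or line.startswith('*****'):
            section = None
        elif section == 'files':
            m = FILE_RE.match(line)
            if m and suspicious_file(m['size'], m['attrs'], m['path']):
                findings.append(Finding('dropped-file', f"{m['path']} ({m['attrs']}, {m['size']} bytes)"))
        elif section == 'registry':
            k = REG_KEY_RE.match(line)
            if k:
                key = k['key'].lower()
                continue
            v = REG_VAL_RE.match(line)
            if not v:
                continue
            name, data = v['name'], v['data']
            if ('security center\\monitoring' in key and name.lower() == 'disablemonitoring'
                    and data.lower() == 'dword:00000001'):
                findings.append(Finding('security-center-silenced', f"{key}\\{name}"))
            elif key.endswith('globallyopenports\\list') and data.rsplit(':', 1)[-1].strip().lower() == 'services':
                findings.append(Finding('firewall-hole', data))   # generic name, not an application
            elif key.endswith('\\run'):
                quoted = re.match(r'"([^"]+)"', data)
                path = quoted.group(1) if quoted else data.split(' [')[0]
                if suspicious_autorun(path):
                    findings.append(Finding('autorun', f"{key}\\{name} -> {path}"))
        elif section == 'orphans':
            m = ORPHAN_RE.match(line)
            if m and suspicious_autorun(m['path']):
                findings.append(Finding('autorun', f"{m['hive']}-{m['entry']} -> {m['path']}"))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.category:25} {f.detail}')
```

Run it as a script to print the findings for the sample, or call `triage()` on the text of a real ComboFix.txt. The rules are deliberately narrow and still produce leads rather than verdicts: a security suite that registers with Security Center can set its own Monitoring values, and a game or P2P client can legitimately punch a port through the firewall, so every hit needs the kind of manual review broni is doing in this thread.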
     
  20. 2011/04/07
    dudgorgon

    dudgorgon Inactive Thread Starter

    Joined:
    2011/04/01
    Messages:
    46
    Likes Received:
    0
    The system appears much better.

    Redirects seem to have stopped and Trojan.ZeFarch is not being detected by SAV.

    Here's the ComboFix log:
    ComboFix 11-04-06.01 - DeLuca 04/06/2011 23:26:42.1.8 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2046 [GMT -4:00]
    Running from: c:\documents and settings\DeLuca\Desktop\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    ADS - WINDOWS: deleted 72 bytes in 1 streams.
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\09c1ee
    c:\documents and settings\All Users\Application Data\09c1ee\00e300f0327dc8de5606b0b9f9160ae3.ocx
    c:\documents and settings\All Users\Application Data\09c1ee\2788.mof
    c:\documents and settings\All Users\Application Data\09c1ee\BackUp\PMB Media Check Tool.lnk
    c:\documents and settings\All Users\Application Data\09c1ee\BackUp\Windows Search.lnk
    c:\documents and settings\All Users\Application Data\09c1ee\gdjd7tm9q01u8z6agvhsrgown.dll
    c:\documents and settings\All Users\Application Data\09c1ee\ISE.ico
    c:\documents and settings\All Users\Application Data\09c1ee\mozcrt19.dll
    c:\documents and settings\All Users\Application Data\09c1ee\sqlite3.dll
    c:\documents and settings\backup\Local Settings\Application Data\{6BE1DD88-4360-41AD-91AF-70498E2EF3AF}
    c:\documents and settings\backup\Local Settings\Application Data\{6BE1DD88-4360-41AD-91AF-70498E2EF3AF}\chrome.manifest
    c:\documents and settings\backup\Local Settings\Application Data\{6BE1DD88-4360-41AD-91AF-70498E2EF3AF}\chrome\content\_cfg.js
    c:\documents and settings\backup\Local Settings\Application Data\{6BE1DD88-4360-41AD-91AF-70498E2EF3AF}\chrome\content\overlay.xul
    c:\documents and settings\backup\Local Settings\Application Data\{6BE1DD88-4360-41AD-91AF-70498E2EF3AF}\install.rdf
    c:\documents and settings\DeLuca\Application Data\4BBF50ADB298B2D518030D529D60C533
    c:\documents and settings\DeLuca\Application Data\4BBF50ADB298B2D518030D529D60C533\enemies-names.txt
    c:\documents and settings\DeLuca\Application Data\4BBF50ADB298B2D518030D529D60C533\local.ini
    c:\documents and settings\DeLuca\Application Data\4BBF50ADB298B2D518030D529D60C533\lsrslt.ini
    c:\documents and settings\DeLuca\Application Data\Adobe\plugs
    c:\documents and settings\DeLuca\Application Data\Adobe\shed
    c:\documents and settings\DeLuca\Application Data\inst.exe
    c:\documents and settings\DeLuca\Application Data\PriceGong
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\DeLuca\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\DeLuca\Local Settings\Application Data\{B0ACF696-2FA2-41D8-90DD-238B0E04F113}
    c:\documents and settings\DeLuca\Local Settings\Application Data\{B0ACF696-2FA2-41D8-90DD-238B0E04F113}\chrome.manifest
    c:\documents and settings\DeLuca\Local Settings\Application Data\{B0ACF696-2FA2-41D8-90DD-238B0E04F113}\chrome\content\_cfg.js
    c:\documents and settings\DeLuca\Local Settings\Application Data\{B0ACF696-2FA2-41D8-90DD-238B0E04F113}\chrome\content\overlay.xul
    c:\documents and settings\DeLuca\Local Settings\Application Data\{B0ACF696-2FA2-41D8-90DD-238B0E04F113}\install.rdf
    c:\documents and settings\DeLuca\WINDOWS
    c:\webupdater\WebUpdater.exe
    c:\windows\evivamiwokojegig.dll
    c:\windows\system32\Drivers\jeeiq.sys
    c:\windows\XSxS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-07 to 2011-04-07 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-06 22:52 . 2011-04-06 22:52 -------- d-----w- c:\documents and settings\administrator.ZOO-690\Application Data\Malwarebytes
    2011-04-06 03:58 . 2011-04-07 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\eIg06504hAhHe06504
    2011-04-02 11:07 . 2011-04-02 11:07 -------- d-----w- c:\documents and settings\backup\Application Data\Malwarebytes
    2011-03-31 02:15 . 2011-03-31 02:15 -------- d-----w- c:\program files\TDSSKiller
    2011-03-27 12:57 . 2011-03-27 12:57 -------- d-----w- c:\program files\CleanUp!
    2011-03-26 20:43 . 2011-03-26 20:43 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2011-03-26 10:23 . 2011-04-02 11:07 -------- d-----w- c:\documents and settings\backup\Application Data\WTablet
    2011-03-26 10:23 . 2011-03-26 10:23 -------- d-----w- c:\documents and settings\backup\Application Data\WTouch
    2011-03-26 03:17 . 2011-03-26 03:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\skypePM
    2011-03-26 03:17 . 2011-03-26 03:17 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-03-26 01:15 . 2011-03-26 01:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-03-26 01:03 . 2011-04-06 04:17 0 ----a-w- c:\windows\Phopirikijirazoh.bin
    2011-03-26 01:01 . 2011-03-26 01:01 149504 --sha-r- c:\windows\system32\olecliy.dll
    2011-03-22 04:22 . 2011-03-22 04:22 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-07 01:09 . 2004-08-04 10:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
    2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-03 03:13 . 2011-02-03 03:14 29480 ----a-w- c:\windows\system32\msxml3a.dll
    2011-02-02 07:58 . 2008-03-23 03:39 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2008-03-23 03:39 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-04 10:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2011-03-18 17:53 . 2011-03-27 13:21 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2008-08-14 16:50 . 2008-08-14 16:50 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-01 68856]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    "OfotoNow USB Detection"="c:\progra~1\Ofoto\OfotoNow\OFUSBS.DLL" [2002-11-05 77824]
    "Google Update"="c:\documents and settings\DeLuca\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
    "Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2009-10-02 2684200]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-27 7933952]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "CTHelper"="CTHELPER.EXE" [2005-11-09 16384]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-14 29744]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
    "WD Button Manager"="WDBtnMgr.exe" [2010-02-28 339968]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]
    "VX6000"="c:\windows\vVX6000.exe" [2009-03-17 713744]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-20 274608]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
    "InstantBurn"="c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2009-07-09 681256]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
    "RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-07-17 91432]
    "PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
    "BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-08-28 75048]
    "UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "UpdatePSTShortCut"="c:\program files\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe" [2009-10-28 210216]
    "Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-02-06 478800]
    .
    c:\documents and settings\DeLuca\Start Menu\Programs\Startup\
    PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-9-5 333088]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Microsoft SQL Server\\MSSQL.1\\MSSQL\\Binn\\sqlservr.exe "=
    "c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe "=
    "c:\\Program Files\\Symantec\\Backup Exec\\pvlsvr.exe "=
    "c:\\Program Files\\Symantec\\Backup Exec\\beserver.exe "=
    "c:\\Program Files\\Symantec\\Backup Exec\\bengine.exe "=
    "c:\\Program Files\\Symantec\\Backup Exec\\beremote.exe "=
    "c:\\Program Files\\Symantec\\Backup Exec\\benetns.exe "=
    "c:\\Program Files\\WebConference.com\\Version7\\webconference.exe "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe "=
    "c:\\Program Files\\Opera\\opera.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "57952:TCP "= 57952:TCP:pando Media Booster
    "57952:UDP "= 57952:UDP:pando Media Booster
    "3389:TCP "= 3389:TCP:Remote Desktop
    "65533:TCP "= 65533:TCP:Services
    "52344:TCP "= 52344:TCP:Services
    "5762:TCP "= 5762:TCP:Services
    "9434:TCP "= 9434:TCP:Services
    "7716:TCP "= 7716:TCP:Services
    "7715:TCP "= 7715:TCP:Services
    "9183:TCP "= 9183:TCP:Services
    "9590:TCP "= 9590:TCP:Services
    "9137:TCP "= 9137:TCP:Services
    "7804:TCP "= 7804:TCP:Services
    "4652:TCP "= 4652:TCP:Services
    "8715:TCP "= 8715:TCP:Services
    "4996:TCP "= 4996:TCP:Services
    "3794:TCP "= 3794:TCP:Services
    "9918:TCP "= 9918:TCP:Services
    "6058:TCP "= 6058:TCP:Services
    "7090:TCP "= 7090:TCP:Services
    "4981:TCP "= 4981:TCP:Services
    .
    R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [3/14/2010 4:57 PM 7680]
    R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [3/14/2010 4:57 PM 105984]
    R0 VSP;Volume Snapshot Provider;c:\windows\system32\drivers\VSP.sys [10/16/2008 6:14 PM 54192]
    R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2/2/2011 10:57 PM 15784]
    R1 SCSIChanger;SCSIChanger;c:\windows\system32\drivers\SCSICHNG.SYS [8/24/2007 20272]
    R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2011/02/02 22:15];c:\program files\CyberLink\PowerDVD8\000.fcl [8/28/2009 7:36 PM 87536]
    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
    R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2/2/2011 10:57 PM 163368]
    R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [12/4/2009 11:56 AM 91392]
    R2 MSSQL$BKUPEXEC;SQL Server (BKUPEXEC);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 6:29 PM 29293408]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 8:48 PM 116416]
    R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [8/7/2010 2:17 PM 4497704]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 5:38 AM 92008]
    R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [8/7/2010 2:18 PM 113448]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/3/2010 7:44 AM 102448]
    R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [8/7/2010 1:56 PM 2077840]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [8/7/2010 2:17 PM 16168]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
    S1 halfinchVRTS;halfinchVRTS;c:\windows\system32\drivers\halfinch.sys [1/23/2008 3:54 PM 39600]
    S2 gupdate1c98d7ec96b1f2a;Google Update Service (gupdate1c98d7ec96b1f2a);c:\program files\Google\Update\GoogleUpdate.exe [2/12/2009 10:00 PM 133104]
    S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/1/2008 8:48 AM 29744]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12/4/2009 11:57 AM 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12/4/2009 11:57 AM 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/4/2009 11:57 AM 23936]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 tpfilter;Symantec SCSI Tape/Changer Log Driver;c:\windows\system32\drivers\tpfilter.sys [9/8/2008 4:33 PM 32816]
    S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
    .
    2011-04-07 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-01 00:32]
    .
    2011-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 02:00]
    .
    2011-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 02:00]
    .
    2011-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1336601894-839522115-1003Core.job
    - c:\documents and settings\DeLuca\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 03:08]
    .
    2011-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1336601894-839522115-1003UA.job
    - c:\documents and settings\DeLuca\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 03:08]
    .
    2011-04-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-57989841-1336601894-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    2011-04-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-57989841-1336601894-839522115-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    2011-04-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-57989841-1336601894-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    2011-04-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-57989841-1336601894-839522115-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    Trusted Zone: webconference.com
    DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
    DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
    FF - ProfilePath - c:\documents and settings\DeLuca\Application Data\Mozilla\Firefox\Profiles\2nws9g7u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    HKCU-Run-k70ccreloc.exe - c:\documents and settings\DeLuca\Application Data\4BBF50ADB298B2D518030D529D60C533\k70ccreloc.exe
    HKLM-Run-nwiz - nwiz.exe
    HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
    HKLM-Run-Ijodasax - c:\windows\evivamiwokojegig.dll
    HKU-Default-RunOnce-RealUpgradeHelper - c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe
    SafeBoot-klmdb.sys
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-06 23:44
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(5280)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ctagent.dll
    c:\progra~1\Ofoto\OfotoNow\OFUSBS.DLL
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\dfshim.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    c:\program files\Microsoft LifeCam\MSCamS32.exe
    c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
    c:\program files\CDBurnerXP\NMSAccessU.exe
    c:\windows\system32\PSIService.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\Symantec\Backup Exec\beremote.exe
    c:\program files\Symantec\Backup Exec\pvlsvr.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Symantec\Backup Exec\beserver.exe
    c:\program files\Symantec\Backup Exec\benetns.exe
    c:\program files\Symantec\Backup Exec\bengine.exe
    c:\program files\WTouch\WTouchUser.exe
    c:\program files\Motorola\MotoConnectService\MotoConnect.exe
    c:\windows\CTHELPER.EXE
    c:\windows\system32\CTXFIHLP.EXE
    c:\windows\SYSTEM32\CTXFISPI.EXE
    c:\windows\system32\WDBtnMgr.exe
    c:\windows\system32\RunDLL32.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    .
    **************************************************************************
    .
    Completion time: 2011-04-06 23:50:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-04-07 03:50
    .
    Pre-Run: 252,018,106,368 bytes free
    Post-Run: 251,787,976,704 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 051A3952E789C5A426751B3813C3BF12
     
  21. 2011/04/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good news :)

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Phopirikijirazoh.bin
    c:\windows\system32\olecliy.dll
    
    
    Folder::
    c:\documents and settings\All Users\Application Data\eIg06504hAhHe06504
    
    
    DDS::
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    Trusted Zone: webconference.com
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and antimalware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
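The CFScript above is a small directive file that ComboFix consumes: each `Name::` header opens a section, and the `Registry::` section uses .reg-style lines where `"Value"=-` means "delete this value". The parser below is an added dry-run checker, not part of the thread or of ComboFix itself; it reads such a script, validates that `File::`/`Folder::` entries are absolute paths, and lists the registry values the script would remove, so the script can be reviewed before it is dragged onto ComboFix.exe. The sample text is constructed from the post, and the section semantics are assumed from how the script is written here.

```python
import re

# Constructed sample: the CFScript from the post, with .reg-style quoting.
SAMPLE_CFSCRIPT = r"""File::
c:\windows\Phopirikijirazoh.bin
c:\windows\system32\olecliy.dll
Folder::
c:\documents and settings\All Users\Application Data\eIg06504hAhHe06504
DDS::
Trusted Zone: clonewarsadventures.com
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")        # "File::", "Registry::", ...
REG_KEY_RE = re.compile(r"^\[(.+)\]$")              # [HKEY_...\subkey]
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')      # "Name"=-  (delete) or "Name"=data
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")           # drive-letter absolute path


def parse_cfscript(text):
    """Parse CFScript text into {section: entries}; executes nothing."""
    sections, current, reg_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:                                   # new section header
            current = sec.group(1)
            sections.setdefault(current, [])
            reg_key = None
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        if current in ("File", "Folder"):         # paths to be removed: must be absolute
            if not ABS_PATH_RE.match(line):
                raise ValueError("%s:: entry is not an absolute path: %r" % (current, line))
            sections[current].append(line)
        elif current == "Registry":               # .reg-style key/value lines
            key = REG_KEY_RE.match(line)
            if key:
                reg_key = key.group(1)
                continue
            val = REG_VALUE_RE.match(line)
            if val is None or reg_key is None:
                raise ValueError("malformed Registry:: line: %r" % line)
            name, data = val.groups()
            sections[current].append((reg_key, name, "delete" if data == "-" else "set:" + data))
        else:                                     # DDS:: and other free-form sections
            sections[current].append(line)
    return sections


def registry_deletions(sections):
    """(key, value_name) pairs the script would remove; review these before running."""
    return [(k, v) for k, v, a in sections.get("Registry", []) if a == "delete"]
```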