Inactive Trojan "Backdoor.win32.small.ive"

[Inactive] Trojan "Backdoor.win32.small.ive "

Kaspersky 2009 has detected a Trojan program "Backdoor.win32.small.ive" in C:\WINDOWS\Explorer.EXE. Kaspersky can't disinfect the file and when I deleted the file, I no longer can see icons on my desktop, only the background. So I did a system restore to get my explorer back and working but the trojan is still there. Any help would be much appreciated.

Thanks
Yushi

DDS (Ver_09-12-01.01) - NTFSx86
Run by Moshimoshifishy at 17:06:36.68 on 21/02/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1354 [GMT 0:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vVX3000.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Moshimoshifishy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Service Pack 3 Internet Explorer
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = 0.0.0.0.0:80
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe "
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe "
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [<NO NAME>]
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe "
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe "
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe "
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe "
mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
dRun: [msnsc] c:\windows\system32\msnsc.exe
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll "
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek usb wireless lan driver and utility\RtWLan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\3\3connect\AutoUpdateSrv.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: Add to QQ Customized Emoticons - c:\program files\tencent\qq\AddEmotion.htm
IE: Add to QQ Customized Panel - c:\program files\tencent\qq\AddPanel.htm
IE: Add to QQ Emotions - c:\program files\tencent\qq\AddEmotion.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: Send picture by MMS - c:\program files\tencent\qq\SendMMS.htm
IE: Send Picture with QQ MMS - c:\program files\tencent\qq\SendMMS.htm
IE: Upload to QQ Network Hard Disk - c:\program files\tencent\qq\AddToNetDisk.htm
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\tencent\qq\QQ.EXE
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\moshim~1\applic~1\mozilla\firefox\profiles\jorr8o4m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2008-09-21 22:24:03 56 --sh--r- c:\windows\system32\CF746F0E1C.sys
2008-09-21 22:24:05 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 17:08:46.29 ===============

 

DDS (Ver_09-12-01.01) - NTFSx86
Run by Moshimoshifishy at 17:06:36.68 on 21/02/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1354 [GMT 0:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vVX3000.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Moshimoshifishy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Service Pack 3 Internet Explorer
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = 0.0.0.0.0:80
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe "
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe "
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [<NO NAME>]
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe "
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe "
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe "
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe "
mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
dRun: [msnsc] c:\windows\system32\msnsc.exe
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll "
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek usb wireless lan driver and utility\RtWLan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\3\3connect\AutoUpdateSrv.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: Add to QQ Customized Emoticons - c:\program files\tencent\qq\AddEmotion.htm
IE: Add to QQ Customized Panel - c:\program files\tencent\qq\AddPanel.htm
IE: Add to QQ Emotions - c:\program files\tencent\qq\AddEmotion.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: Send picture by MMS - c:\program files\tencent\qq\SendMMS.htm
IE: Send Picture with QQ MMS - c:\program files\tencent\qq\SendMMS.htm
IE: Upload to QQ Network Hard Disk - c:\program files\tencent\qq\AddToNetDisk.htm
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\tencent\qq\QQ.EXE
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\moshim~1\applic~1\mozilla\firefox\profiles\jorr8o4m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2008-09-21 22:24:03 56 --sh--r- c:\windows\system32\CF746F0E1C.sys
2008-09-21 22:24:05 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 17:08:46.29 ===============

 

ComboFix 10-02-23.04 - Moshimoshifishy 24/02/2010 16:29:34.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1683 [GMT 0:00]
Running from: c:\documents and settings\Moshimoshifishy\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\windows\system32\VB6KO.DLL

.
((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
.

2010-02-24 08:37 . 2010-02-24 08:37 -------- d--h--w- c:\windows\PIF
2010-02-23 20:33 . 2010-02-23 20:33 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-19 23:58 . 2010-02-19 23:58 -------- d-----w- c:\documents and settings\Moshimoshifishy\Local Settings\Application Data\Unity
2010-02-17 21:35 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-16 20:50 . 2010-02-16 20:50 -------- d-----w- c:\windows\system32\RTL8187
2010-02-16 20:50 . 2010-02-16 20:52 -------- d-----w- c:\program files\REALTEK USB Wireless LAN Driver and Utility

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 16:48 . 2007-12-10 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-02-24 16:47 . 2010-01-11 10:11 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\Skype
2010-02-24 16:46 . 2007-12-10 15:00 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\uTorrent
2010-02-24 16:46 . 2010-01-21 19:00 -------- d-----w- c:\program files\DNA
2010-02-24 16:46 . 2010-01-21 19:00 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\DNA
2010-02-24 16:46 . 2009-11-14 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-02-24 16:37 . 2009-11-14 11:33 7791648 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-24 16:37 . 2009-11-14 11:33 679968 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-24 16:37 . 2009-11-14 11:33 63000 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-24 16:37 . 2009-11-14 11:33 4452 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-23 21:30 . 2009-10-23 14:45 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\vlc
2010-02-23 20:35 . 2008-01-19 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-20 01:15 . 2007-08-31 20:59 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-02-16 20:50 . 2007-08-31 18:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-14 19:27 . 2007-08-31 20:59 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-02-10 21:41 . 2008-09-08 12:46 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\EndNote
2010-01-30 18:46 . 2007-08-31 20:59 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-01-25 22:13 . 2007-08-31 15:48 -------- d-----w- c:\program files\Steam
2010-01-20 22:15 . 2007-12-01 18:49 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\dvdcss
2010-01-13 08:36 . 2007-09-04 16:54 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\Apple Computer
2010-01-11 10:11 . 2010-01-11 10:11 -------- d-----w- c:\program files\Common Files\Skype
2010-01-11 10:11 . 2007-08-31 15:41 -------- d-----r- c:\program files\Skype
2010-01-11 10:11 . 2007-08-31 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-09 18:04 . 2010-01-09 18:04 -------- d-----w- c:\program files\CCP
2010-01-09 17:44 . 2010-01-09 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\CCP
2010-01-08 00:11 . 2009-10-04 19:44 -------- d-----w- c:\program files\Warzone 2100
2010-01-06 00:48 . 2010-01-06 00:09 -------- d-----w- c:\program files\iTunes
2010-01-06 00:09 . 2010-01-06 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-06 00:09 . 2010-01-06 00:09 -------- d-----w- c:\program files\iPod
2010-01-06 00:09 . 2008-09-11 00:26 -------- d-----w- c:\program files\Common Files\Apple
2010-01-06 00:08 . 2010-01-06 00:08 -------- d-----w- c:\program files\Bonjour
2010-01-06 00:07 . 2007-08-31 14:18 -------- d-----w- c:\program files\QuickTime Alternative
2010-01-05 23:56 . 2010-01-05 23:56 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2010-01-05 19:20 . 2010-01-05 19:20 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-29 10:25 . 2008-01-29 18:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-11-29 10:25 . 2009-11-14 11:34 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-11-29 10:25 . 2009-11-14 11:34 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-11-29 10:25 . 2009-11-23 23:50 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\klbg.sys
2009-11-29 10:25 . 2009-11-23 23:50 213520 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\XP\klif.sys
2009-11-29 10:25 . 2009-11-23 23:49 861448 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\updater.dll
2008-09-21 22:24 . 2008-09-07 19:49 56 --sh--r- c:\windows\system32\CF746F0E1C.sys
2008-09-21 22:24 . 2007-10-27 19:43 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2006-01-13 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-13 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe

[-] 2006-01-13 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
"swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-19 68856]
"NVIDIA nTune "= "c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"uTorrent "= "c:\program files\uTorrent\uTorrent.exe" [2010-02-05 289584]
"igndlm.exe "= "c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]
"Skype "= "c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"BitTorrent DNA "= "c:\program files\DNA\btdna.exe" [2010-01-21 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"nwiz "= "nwiz.exe" [2007-10-04 1626112]
"IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-01-13 208952]
"MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-01-13 59392]
"NeroFilterCheck "= "c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-10-25 149280]
"NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ISUSPM Startup "= "c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"VX3000 "= "c:\windows\vVX3000.exe" [2007-04-10 709992]
"LifeCam "= "c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"AVP "= "c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-11-23 201992]
"QuickTime Task "= "c:\program files\QuickTime Alternative\QTTask.exe" [2009-11-10 417792]
"iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc "= "c:\windows\system32\msnsc.exe" [2006-01-13 62054]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf "= "move" [X]
"tscuninstall "= "c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2010-2-16 790528]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-2-3 670256]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\Steam\\Steam.exe "=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe "=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"c:\\Program Files\\MSN Messenger\\livecall.exe "=
"c:\\WINDOWS\\system32\\PnkBstrA.exe "=
"c:\\WINDOWS\\system32\\PnkBstrB.exe "=
"c:\\Program Files\\uTorrent\\uTorrent.exe "=
"c:\\Program Files\\Kontiki\\KService.exe "=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe "=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe "=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe "=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe "=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe "=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe "=
"c:\\Program Files\\Steam\\steamapps\\wizwoo\\half-life 2 deathmatch\\hl2.exe "=
"c:\\Program Files\\Arcen Games, LLC\\AI War\\AIWar.exe "=
"c:\\Program Files\\Arcen Games, LLC\\AI War\\AIWarUpdater.exe "=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"c:\\Program Files\\iTunes\\iTunes.exe "=
"c:\\Program Files\\Skype\\Phone\\Skype.exe "=
"c:\\Program Files\\DNA\\btdna.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8945:TCP "= 8945:TCPjronn

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 18:29 33808]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/12/2007 22:33 685816]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [05/01/2010 19:20 38144]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [13/03/2008 19:02 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [25/03/2008 20:07 24592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [31/08/2007 15:09 194304]
S2 ayfzut;Time Microsoft;c:\windows\system32\svchost.exe -k netsvcs [13/01/2006 01:38 14336]
S3 kbeepm;kbeepm;\??\c:\docume~1\MOSHIM~1\LOCALS~1\Temp\kbeepm.sys --> c:\docume~1\MOSHIM~1\LOCALS~1\Temp\kbeepm.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ayfzut
.
Contents of the 'Scheduled Tasks' folder

2010-02-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-02 18:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = 0.0.0.0.0:80
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: Add to QQ Customized Emoticons - c:\program files\Tencent\QQ\AddEmotion.htm
IE: Add to QQ Customized Panel - c:\program files\Tencent\QQ\AddPanel.htm
IE: Add to QQ Emotions - c:\program files\Tencent\QQ\AddEmotion.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Send picture by MMS - c:\program files\Tencent\QQ\SendMMS.htm
IE: Send Picture with QQ MMS - c:\program files\Tencent\QQ\SendMMS.htm
IE: Upload to QQ Network Hard Disk - c:\program files\Tencent\QQ\AddToNetDisk.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE
FF - ProfilePath - c:\documents and settings\Moshimoshifishy\Application Data\Mozilla\Firefox\Profiles\jorr8o4m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\documents and settings\Moshimoshifishy\Application Data\Mozilla\Firefox\Profiles\jorr8o4m.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-4oD - c:\program files\Kontiki\KHost.exe
AddRemove-Legend of Zelda, The Ocarina of Time 1.11 - c:\program files\HDSoft\Legend of Zelda
AddRemove-Mount&Blade - g:\games\Mount & Blade\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 16:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync04.sys >>UNKNOWN [0x89DC71E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cfc3
\Driver\ACPI -> ACPI.sys @ 0xba67dcb8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577edc
ParseProcedure -> ntkrnlpa.exe @ 0x80576af8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577edc
ParseProcedure -> ntkrnlpa.exe @ 0x80576af8
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xba4f5ba0
PacketIndicateHandler -> NDIS.sys @ 0xba4e4a0b
SendHandler -> NDIS.sys @ 0xba4f8b31
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ayfzut]
"ServiceDll "= "c:\windows\system32\qqxdyhu.dll "
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1614895754-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"?? "=hex:58,48,36,70,f8,75,ac,56,be,08,fb,c0,a7,75,c4,33,04,0b,aa,37,f1,1f,89,
9e,f6,46,92,67,63,66,6e,eb,3b,85,0a,3c,13,cc,c3,b9,62,5c,da,b6,a6,b3,04,88,\
"?? "=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1757981266-1614895754-725345543-1003\Software\SecuROM\License information*]
"datasecu "=hex:ba,0d,2a,a9,6e,d1,29,7b,f6,93,93,ec,f8,fb,32,d0,4c,75,4f,59,c6,
08,b6,71,c6,85,30,42,d9,04,19,29,14,fc,9b,c8,f7,24,cf,34,45,1c,39,bf,e0,8a,\
"rkeysecu "=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)
c:\windows\system32\klogon.dll

- - - - - - - > 'explorer.exe'(2760)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2010-02-24 16:54:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-24 16:54

Pre-Run: 7,564,472,320 bytes free
Post-Run: 12,676,489,216 bytes free

- - End Of File - - A836E932BDC720E4474C2A84666579BC

 

I wasn't able to install Recovery Console as I needed an internet connection but my wireless dongle is being very temperamental.

Also it has taken me a long time as the computer blue screens very frequently. I'm not sure if it is to do with the malware or not.
The blue screen error is "driver_irql_not_less_or_equal" and seems to be helped by removing external devices (wireless dongle and external hard drive).

Cheers
Yushi

 

OK thanks, I'll do that.

I'm away on vacation over the next few days so I will try to do this next Wednesday.

I will do your instructions whilst wired directly to the router.

 

I couldn't get access to the router so still no internet to download Recovery Console.
Here are the logs though:

ComboFix 10-02-23.04 - Moshimoshifishy 03/03/2010 3:56.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1682 [GMT 0:00]
Running from: c:\documents and settings\Moshimoshifishy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Moshimoshifishy\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\docume~1\MOSHIM~1\LOCALS~1\Temp\kbeepm.sys "
"c:\windows\system32\CF746F0E1C.sys "
"c:\windows\system32\qqxdyhu.dll "
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\CF746F0E1C.sys
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AYFZUT
-------\Legacy_KBEEPM
-------\Service_ayfzut
-------\Service_kbeepm


((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-02-24 08:37 . 2010-02-24 08:37 -------- d--h--w- c:\windows\PIF
2010-02-23 20:33 . 2010-02-23 20:33 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-19 23:58 . 2010-02-19 23:58 -------- d-----w- c:\documents and settings\Moshimoshifishy\Local Settings\Application Data\Unity
2010-02-17 21:35 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-16 20:50 . 2010-02-16 20:50 -------- d-----w- c:\windows\system32\RTL8187
2010-02-16 20:50 . 2010-02-16 20:52 -------- d-----w- c:\program files\REALTEK USB Wireless LAN Driver and Utility

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 05:19 . 2007-12-10 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-03-03 05:16 . 2010-01-11 10:11 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\Skype
2010-03-03 05:15 . 2007-12-10 15:00 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\uTorrent
2010-03-03 05:15 . 2010-01-21 19:00 -------- d-----w- c:\program files\DNA
2010-03-03 05:15 . 2010-01-21 19:00 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\DNA
2010-03-03 05:15 . 2009-11-14 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-03 04:03 . 2009-11-14 11:33 7791648 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-03 04:03 . 2009-11-14 11:33 679968 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-03-03 04:03 . 2009-11-14 11:33 63000 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-03-03 04:03 . 2009-11-14 11:33 4452 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-03-03 03:29 . 2009-10-23 14:45 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\vlc
2010-03-02 23:23 . 2008-01-19 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-20 01:15 . 2007-08-31 20:59 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-02-16 20:50 . 2007-08-31 18:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-14 19:27 . 2007-08-31 20:59 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-02-10 21:41 . 2008-09-08 12:46 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\EndNote
2010-01-30 18:46 . 2007-08-31 20:59 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-01-25 22:13 . 2007-08-31 15:48 -------- d-----w- c:\program files\Steam
2010-01-20 22:15 . 2007-12-01 18:49 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\dvdcss
2010-01-13 08:36 . 2007-09-04 16:54 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\Apple Computer
2010-01-11 10:11 . 2010-01-11 10:11 -------- d-----w- c:\program files\Common Files\Skype
2010-01-11 10:11 . 2007-08-31 15:41 -------- d-----r- c:\program files\Skype
2010-01-11 10:11 . 2007-08-31 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-09 18:04 . 2010-01-09 18:04 -------- d-----w- c:\program files\CCP
2010-01-09 17:44 . 2010-01-09 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\CCP
2010-01-08 00:11 . 2009-10-04 19:44 -------- d-----w- c:\program files\Warzone 2100
2010-01-06 00:48 . 2010-01-06 00:09 -------- d-----w- c:\program files\iTunes
2010-01-06 00:09 . 2010-01-06 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-06 00:09 . 2010-01-06 00:09 -------- d-----w- c:\program files\iPod
2010-01-06 00:09 . 2008-09-11 00:26 -------- d-----w- c:\program files\Common Files\Apple
2010-01-06 00:08 . 2010-01-06 00:08 -------- d-----w- c:\program files\Bonjour
2010-01-06 00:07 . 2007-08-31 14:18 -------- d-----w- c:\program files\QuickTime Alternative
2010-01-05 23:56 . 2010-01-05 23:56 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2010-01-05 19:20 . 2010-01-05 19:20 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2008-09-21 22:24 . 2007-10-27 19:43 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2006-01-13 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-13 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe

[-] 2006-01-13 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-02-24_16.46.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-03 05:17 . 2010-03-03 05:17 16384 c:\windows\temp\Perflib_Perfdata_748.dat
+ 2010-03-03 04:05 . 2010-03-03 04:05 16384 c:\windows\temp\Perflib_Perfdata_2a0.dat
+ 2010-03-03 04:05 . 2010-03-03 04:05 16384 c:\windows\temp\Perflib_Perfdata_290.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
"swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-19 68856]
"NVIDIA nTune "= "c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"uTorrent "= "c:\program files\uTorrent\uTorrent.exe" [2010-02-05 289584]
"igndlm.exe "= "c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]
"Skype "= "c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"BitTorrent DNA "= "c:\program files\DNA\btdna.exe" [2010-01-21 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"nwiz "= "nwiz.exe" [2007-10-04 1626112]
"IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-01-13 208952]
"MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-01-13 59392]
"NeroFilterCheck "= "c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-10-25 149280]
"NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ISUSPM Startup "= "c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"VX3000 "= "c:\windows\vVX3000.exe" [2007-04-10 709992]
"LifeCam "= "c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"AVP "= "c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-11-23 201992]
"QuickTime Task "= "c:\program files\QuickTime Alternative\QTTask.exe" [2009-11-10 417792]
"iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc "= "c:\windows\system32\msnsc.exe" [2006-01-13 62054]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall "= "c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2010-2-16 790528]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-2-3 670256]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\Steam\\Steam.exe "=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe "=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"c:\\Program Files\\MSN Messenger\\livecall.exe "=
"c:\\WINDOWS\\system32\\PnkBstrA.exe "=
"c:\\WINDOWS\\system32\\PnkBstrB.exe "=
"c:\\Program Files\\uTorrent\\uTorrent.exe "=
"c:\\Program Files\\Kontiki\\KService.exe "=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe "=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe "=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe "=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe "=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe "=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe "=
"c:\\Program Files\\Steam\\steamapps\\wizwoo\\half-life 2 deathmatch\\hl2.exe "=
"c:\\Program Files\\Arcen Games, LLC\\AI War\\AIWar.exe "=
"c:\\Program Files\\Arcen Games, LLC\\AI War\\AIWarUpdater.exe "=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"c:\\Program Files\\iTunes\\iTunes.exe "=
"c:\\Program Files\\Skype\\Phone\\Skype.exe "=
"c:\\Program Files\\DNA\\btdna.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8945:TCP "= 8945:TCPjronn

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 18:29 33808]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/12/2007 22:33 685816]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [05/01/2010 19:20 38144]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [13/03/2008 19:02 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [25/03/2008 20:07 24592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [31/08/2007 15:09 194304]
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-02 18:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = 0.0.0.0.0:80
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: Add to QQ Customized Emoticons - c:\program files\Tencent\QQ\AddEmotion.htm
IE: Add to QQ Customized Panel - c:\program files\Tencent\QQ\AddPanel.htm
IE: Add to QQ Emotions - c:\program files\Tencent\QQ\AddEmotion.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Send picture by MMS - c:\program files\Tencent\QQ\SendMMS.htm
IE: Send Picture with QQ MMS - c:\program files\Tencent\QQ\SendMMS.htm
IE: Upload to QQ Network Hard Disk - c:\program files\Tencent\QQ\AddToNetDisk.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE
FF - ProfilePath - c:\documents and settings\Moshimoshifishy\Application Data\Mozilla\Firefox\Profiles\jorr8o4m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\documents and settings\Moshimoshifishy\Application Data\Mozilla\Firefox\Profiles\jorr8o4m.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 05:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync04.sys >>UNKNOWN [0x89DC81E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cfc3
\Driver\ACPI -> ACPI.sys @ 0xba67dcb8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577edc
ParseProcedure -> ntkrnlpa.exe @ 0x80576af8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577edc
ParseProcedure -> ntkrnlpa.exe @ 0x80576af8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1614895754-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"?? "=hex:58,48,36,70,f8,75,ac,56,be,08,fb,c0,a7,75,c4,33,04,0b,aa,37,f1,1f,89,
9e,f6,46,92,67,63,66,6e,eb,3b,85,0a,3c,13,cc,c3,b9,62,5c,da,b6,a6,b3,04,88,\
"?? "=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1757981266-1614895754-725345543-1003\Software\SecuROM\License information*]
"datasecu "=hex:ba,0d,2a,a9,6e,d1,29,7b,f6,93,93,ec,f8,fb,32,d0,4c,75,4f,59,c6,
08,b6,71,c6,85,30,42,d9,04,19,29,14,fc,9b,c8,f7,24,cf,34,45,1c,39,bf,e0,8a,\
"rkeysecu "=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1332)
c:\windows\system32\klogon.dll

- - - - - - - > 'explorer.exe'(3148)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2010-03-03 05:24:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-03 05:24
ComboFix2.txt 2010-02-24 16:54

Pre-Run: 12,669,509,632 bytes free
Post-Run: 12,639,195,136 bytes free

- - End Of File - - 481865F73DE7AD838AD5A31DDBD39EF9

------------------------------------------------------------

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 06:03 on 03/03/2010 by Moshimoshifishy (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]
"AuthenticationCapabilities "= 0x0000003020 (12320)
"CoInitializeSecurityParam "= 0x0000000001 (1)


-=End Of File=-

-------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:04:00, on 03/03/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe "
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe "
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe "
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe "
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe "
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: REALTEK USB Wireless LAN Utility.lnk = ?
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Add to QQ Customized Emoticons - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Send Picture with QQ MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 9996 bytes

 

No access as I'm having trouble moving my computer at the moment.

By the way it is tcpip.sys which appears on my bluescreen problems as well.
Do you think it is related to the trojan? I will copy down the bluescreen message when it next happens. Sometimes it is fine for hours on the computer, other times it will bluescreen 10 minutes after turning on. It is a driver_irql_not_less_or_equal error.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

-----------------------------------------

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:11 on 05/03/2010 by Moshimoshifishy (Administrator - Elevation successful)

========== filefind ==========

Searching for "tcpip.sys "
C:\WINDOWS\system32\drivers\tcpip.sys --a--- 360448 bytes [02:03 13/01/2006] [02:03 13/01/2006] 2A4818AEA80ACD2C95D7D92D2F3155F8

Searching for "ntoskrnl.exe "
C:\WINDOWS\system32\ntoskrnl.exe --a--- 2187904 bytes [02:04 13/01/2006] [02:04 13/01/2006] C3B84871DECE94E335B96FAFD756316C

Searching for "explorer.exe "
C:\WINDOWS\explorer.exe --a--- 1075200 bytes [01:46 13/01/2006] [08:36 03/03/2010] (Unable to calculate MD5)

-=End Of File=-

 

OK, I have managed to get a hard line to the computer but explorer has completely failed now so that even with a system restore I can't get links on the desktop. Odd though as one time I booted up, I did get back to desktop.

So windows now thinks that explorer.exe is not a valid win32 application and virustotal doesn't recognise the file.

The blue screen seems to have stopped though, looks like a driver problem with my new wireless dongle, I updated the drivers fairly recently but still issues. But now with the hard line, no more bluescreen.

the bluescreen error:
STOP: 0x000000D1
0x00000011
0x00000002
0x00000000
0xA6CD0907
A6CD0907 base at A6C97000
tcpip.sys,
Datestamp 429cfa61


ComboFix won't run now through the task manager (which I use to run all programs now).


Virustotal results:

explorer.exe:
0 bytes size received / Se ha recibido un archivo vacio

------------------------
userinit.exe

File size: 24576 bytes
MD5 : 39b1ffb03c2296323832acbae50d2aff
SHA1 : e5aedcbe25a97c89101f1f3860ff846e94d70445
SHA256: 5b5d71718108e132d10bafb0c217f469a1e3cc13f79ff8d9cbe3bf4918aff7b7
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x50E5
timedatestamp.....: 0x41107B78 (Wed Aug 4 08:00:24 2004)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4DB8 0x4E00 6.01 16aee663ed180007a0bf5bf24b845096
.data 0x6000 0x14C 0x200 1.86 cbb599f9267bf53209039d14a3574eb1
.rsrc 0x7000 0xB60 0xC00 3.27 b388ab1541ccd9727979fb26a23f72e1

( 7 imports )

> advapi32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> crypt32.dll: CryptProtectData
> kernel32.dll: GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, SetEnvironmentVariableW, lstrlenW, lstrcpyW, FreeLibrary, GetProcAddress, LoadLibraryW, CompareFileTime, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, ExpandEnvironmentStringsW, SetEvent, OpenEventW, Sleep, GetLastError, SearchPathW, CreateProcessW
> msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, __setusermatherr, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, _initterm, _adjust_fdiv
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, NtQueryInformationToken, RtlConvertSidToUnicodeString
> user32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> winspool.drv: SpoolerInit

( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=39b1ffb03c2296323832acbae50d2aff
ssdeep: 384NkhB/JD1CzaxzOV6s9cKmdPGFQ273eLXVBYkkjuv1hkNLdbaLa4CwUJuUCSF4WL:gJDUaxgu5YEVBxkjuv7wbaLa4PU4b7
sigcheck: publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Userinit Logon Application
original name: USERINIT.EXE
internal name: userinit
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
RDS : NSRL Reference Data Set

( Gateway )

Gateway Operating System Windows XP Pro Edition SP2: USERINIT.EXE, userinit.exe
( Microsoft )

MSDN Disc 2428.4: userinit.exeMSDN Disc 2428.5: userinit.exeMSDN Disc 2428.8: userinit.exeOperating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: userinit.exeVirtual PC for Mac Windows XP Home Edition: userinit.exeVirtual PC for Mac Windows XP Professional Edition: userinit.exe

------------------------------
svchost.exe

Additional information
File size: 14336 bytes
MD5 : 8f078ae4ed187aaabc0a305146de6716
SHA1 : da0ff4006859a7580aba81f486f692dead2014fe
SHA256: 16593943861d03d508f37f60e41240dee14221e76f625835487f73d5010ac18a
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2509
timedatestamp.....: 0x41107ED6 (Wed Aug 4 08:14:46 2004)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2C00 0x2C00 6.29 6fc4d075dfb37185ffae8eacb467b822
.data 0x4000 0x1F0 0x200 1.61 553c0ebbbc67abab785f2065a062b522
.rsrc 0x5000 0x418 0x600 2.54 2997285df9158db5a62ffb42a2fd0d07

( 0 imports )


( 0 exports )
TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=8f078ae4ed187aaabc0a305146de6716
ssdeep: 384:cpiRrTp13SkhnRCwOV5JpeLCdw9rDpWCl8CbW:dT/3Ska6Lh8C
sigcheck: publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Generic Host Process for Win32 Services
original name: svchost.exe
internal name: svchost.exe
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
PDFiD : ['-', None, None]
RDS : NSRL Reference Data Set

( Gateway )

Gateway Operating System Windows XP Pro Edition SP2: SVCHOST.EXE, svchost.exe
( Microsoft )

MSDN Disc 2428.4: svchost.exeMSDN Disc 2428.5: svchost.exeMSDN Disc 2428.8: svchost.exeOperating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: svchost.exeVirtual PC for Mac Windows XP Home Edition: svchost.exeVirtual PC for Mac Windows XP Professional Edition: svchost.exe

 

Nope, same message (not surprising really).
It looks like the virus has deleted the real explorer.exe and replaced it with this file which isn't recognised as a win32 application.

0 bytes size received / Se ha recibido un archivo vacio

 

Tried jotti.org for explorer.exe; same type of thing: "File is empty (0 bytes)! "
I have already uploaded svchost.exe and userinit.exe and they were fine (see back a few posts)

 

Luckily explorer has appeared today so it was easy to use TDSkiller:

-------------------------------

08:19:27:421 3408 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
08:19:27:421 3408 ================================================================================
08:19:27:421 3408 SystemInfo:

08:19:27:421 3408 OS Version: 5.1.2600 ServicePack: 2.0
08:19:27:421 3408 Product type: Workstation
08:19:27:421 3408 ComputerName: YUSHI
08:19:27:421 3408 UserName: Moshimoshifishy
08:19:27:421 3408 Windows directory: C:\WINDOWS
08:19:27:421 3408 Processor architecture: Intel x86
08:19:27:421 3408 Number of processors: 1
08:19:27:421 3408 Page size: 0x1000
08:19:27:421 3408 Boot type: Normal boot
08:19:27:421 3408 ================================================================================
08:19:27:437 3408 UnloadDriverW: NtUnloadDriver error 2
08:19:27:437 3408 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
08:19:27:453 3408 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
08:19:27:453 3408 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:19:27:453 3408 wfopen_ex: Trying to KLMD file open
08:19:27:453 3408 wfopen_ex: File opened ok (Flags 2)
08:19:27:453 3408 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
08:19:27:453 3408 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:19:27:453 3408 wfopen_ex: Trying to KLMD file open
08:19:27:453 3408 wfopen_ex: File opened ok (Flags 2)
08:19:27:468 3408 Initialize success
08:19:27:468 3408
08:19:27:468 3408 Scanning Services ...
08:19:27:500 3408 GetAdvancedServicesInfo: Raw services enum returned 357 services
08:19:27:500 3408
08:19:27:500 3408 Scanning Kernel memory ...
08:19:27:500 3408 Devices to scan: 9
08:19:27:500 3408
08:19:27:500 3408 Driver Name: Disk
08:19:27:500 3408 IRP_MJ_CREATE : BA90EC30
08:19:27:500 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F333A
08:19:27:500 3408 IRP_MJ_CLOSE : BA90EC30
08:19:27:500 3408 IRP_MJ_READ : BA908D9B
08:19:27:500 3408 IRP_MJ_WRITE : BA908D9B
08:19:27:500 3408 IRP_MJ_QUERY_INFORMATION : 804F333A
08:19:27:500 3408 IRP_MJ_SET_INFORMATION : 804F333A
08:19:27:500 3408 IRP_MJ_QUERY_EA : 804F333A
08:19:27:500 3408 IRP_MJ_SET_EA : 804F333A
08:19:27:500 3408 IRP_MJ_FLUSH_BUFFERS : BA909366
08:19:27:500 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F333A
08:19:27:500 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F333A
08:19:27:500 3408 IRP_MJ_DIRECTORY_CONTROL : 804F333A
08:19:27:500 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F333A
08:19:27:500 3408 IRP_MJ_DEVICE_CONTROL : BA90944D
08:19:27:500 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
08:19:27:500 3408 IRP_MJ_SHUTDOWN : BA909366
08:19:27:500 3408 IRP_MJ_LOCK_CONTROL : 804F333A
08:19:27:500 3408 IRP_MJ_CLEANUP : 804F333A
08:19:27:500 3408 IRP_MJ_CREATE_MAILSLOT : 804F333A
08:19:27:500 3408 IRP_MJ_QUERY_SECURITY : 804F333A
08:19:27:500 3408 IRP_MJ_SET_SECURITY : 804F333A
08:19:27:500 3408 IRP_MJ_POWER : BA90AEF3
08:19:27:500 3408 IRP_MJ_SYSTEM_CONTROL : BA90FA24
08:19:27:500 3408 IRP_MJ_DEVICE_CHANGE : 804F333A
08:19:27:500 3408 IRP_MJ_QUERY_QUOTA : 804F333A
08:19:27:500 3408 IRP_MJ_SET_QUOTA : 804F333A
08:19:27:531 3408 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:19:27:531 3408
08:19:27:531 3408 Driver Name: USBSTOR
08:19:27:531 3408 IRP_MJ_CREATE : 888EC1E8
08:19:27:531 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F333A
08:19:27:531 3408 IRP_MJ_CLOSE : 888EC1E8
08:19:27:531 3408 IRP_MJ_READ : 888EC1E8
08:19:27:531 3408 IRP_MJ_WRITE : 888EC1E8
08:19:27:531 3408 IRP_MJ_QUERY_INFORMATION : 804F333A
08:19:27:531 3408 IRP_MJ_SET_INFORMATION : 804F333A
08:19:27:531 3408 IRP_MJ_QUERY_EA : 804F333A
08:19:27:531 3408 IRP_MJ_SET_EA : 804F333A
08:19:27:531 3408 IRP_MJ_FLUSH_BUFFERS : 804F333A
08:19:27:531 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F333A
08:19:27:531 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F333A
08:19:27:531 3408 IRP_MJ_DIRECTORY_CONTROL : 804F333A
08:19:27:531 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F333A
08:19:27:531 3408 IRP_MJ_DEVICE_CONTROL : 888EC1E8
08:19:27:531 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA655A7C
08:19:27:531 3408 IRP_MJ_SHUTDOWN : 804F333A
08:19:27:531 3408 IRP_MJ_LOCK_CONTROL : 804F333A
08:19:27:531 3408 IRP_MJ_CLEANUP : 804F333A
08:19:27:531 3408 IRP_MJ_CREATE_MAILSLOT : 804F333A
08:19:27:531 3408 IRP_MJ_QUERY_SECURITY : 804F333A
08:19:27:531 3408 IRP_MJ_SET_SECURITY : 804F333A
08:19:27:531 3408 IRP_MJ_POWER : 888EC1E8
08:19:27:531 3408 IRP_MJ_SYSTEM_CONTROL : 888EC1E8
08:19:27:531 3408 IRP_MJ_DEVICE_CHANGE : 804F333A
08:19:27:531 3408 IRP_MJ_QUERY_QUOTA : 804F333A
08:19:27:531 3408 IRP_MJ_SET_QUOTA : 804F333A
08:19:27:593 3408 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:19:27:593 3408
08:19:27:593 3408 Driver Name: Disk
08:19:27:593 3408 IRP_MJ_CREATE : BA90EC30
08:19:27:593 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F333A
08:19:27:593 3408 IRP_MJ_CLOSE : BA90EC30
08:19:27:593 3408 IRP_MJ_READ : BA908D9B
08:19:27:593 3408 IRP_MJ_WRITE : BA908D9B
08:19:27:593 3408 IRP_MJ_QUERY_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_SET_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_EA : 804F333A
08:19:27:593 3408 IRP_MJ_SET_EA : 804F333A
08:19:27:593 3408 IRP_MJ_FLUSH_BUFFERS : BA909366
08:19:27:593 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_DIRECTORY_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_DEVICE_CONTROL : BA90944D
08:19:27:593 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
08:19:27:593 3408 IRP_MJ_SHUTDOWN : BA909366
08:19:27:593 3408 IRP_MJ_LOCK_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_CLEANUP : 804F333A
08:19:27:593 3408 IRP_MJ_CREATE_MAILSLOT : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_SECURITY : 804F333A
08:19:27:593 3408 IRP_MJ_SET_SECURITY : 804F333A
08:19:27:593 3408 IRP_MJ_POWER : BA90AEF3
08:19:27:593 3408 IRP_MJ_SYSTEM_CONTROL : BA90FA24
08:19:27:593 3408 IRP_MJ_DEVICE_CHANGE : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_QUOTA : 804F333A
08:19:27:593 3408 IRP_MJ_SET_QUOTA : 804F333A
08:19:27:593 3408 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:19:27:593 3408
08:19:27:593 3408 Driver Name: Disk
08:19:27:593 3408 IRP_MJ_CREATE : BA90EC30
08:19:27:593 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F333A
08:19:27:593 3408 IRP_MJ_CLOSE : BA90EC30
08:19:27:593 3408 IRP_MJ_READ : BA908D9B
08:19:27:593 3408 IRP_MJ_WRITE : BA908D9B
08:19:27:593 3408 IRP_MJ_QUERY_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_SET_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_EA : 804F333A
08:19:27:593 3408 IRP_MJ_SET_EA : 804F333A
08:19:27:593 3408 IRP_MJ_FLUSH_BUFFERS : BA909366
08:19:27:593 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_DIRECTORY_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_DEVICE_CONTROL : BA90944D
08:19:27:593 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
08:19:27:593 3408 IRP_MJ_SHUTDOWN : BA909366
08:19:27:593 3408 IRP_MJ_LOCK_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_CLEANUP : 804F333A
08:19:27:593 3408 IRP_MJ_CREATE_MAILSLOT : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_SECURITY : 804F333A
08:19:27:593 3408 IRP_MJ_SET_SECURITY : 804F333A
08:19:27:593 3408 IRP_MJ_POWER : BA90AEF3
08:19:27:593 3408 IRP_MJ_SYSTEM_CONTROL : BA90FA24
08:19:27:593 3408 IRP_MJ_DEVICE_CHANGE : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_QUOTA : 804F333A
08:19:27:593 3408 IRP_MJ_SET_QUOTA : 804F333A
08:19:27:593 3408 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:19:27:593 3408
08:19:27:593 3408 Driver Name: USBSTOR
08:19:27:593 3408 IRP_MJ_CREATE : 888EC1E8
08:19:27:593 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F333A
08:19:27:593 3408 IRP_MJ_CLOSE : 888EC1E8
08:19:27:593 3408 IRP_MJ_READ : 888EC1E8
08:19:27:593 3408 IRP_MJ_WRITE : 888EC1E8
08:19:27:593 3408 IRP_MJ_QUERY_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_SET_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_EA : 804F333A
08:19:27:593 3408 IRP_MJ_SET_EA : 804F333A
08:19:27:593 3408 IRP_MJ_FLUSH_BUFFERS : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_DIRECTORY_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_DEVICE_CONTROL : 888EC1E8
08:19:27:593 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA655A7C
08:19:27:593 3408 IRP_MJ_SHUTDOWN : 804F333A
08:19:27:593 3408 IRP_MJ_LOCK_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_CLEANUP : 804F333A
08:19:27:593 3408 IRP_MJ_CREATE_MAILSLOT : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_SECURITY : 804F333A
08:19:27:593 3408 IRP_MJ_SET_SECURITY : 804F333A
08:19:27:593 3408 IRP_MJ_POWER : 888EC1E8
08:19:27:593 3408 IRP_MJ_SYSTEM_CONTROL : 888EC1E8
08:19:27:593 3408 IRP_MJ_DEVICE_CHANGE : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_QUOTA : 804F333A
08:19:27:593 3408 IRP_MJ_SET_QUOTA : 804F333A
08:19:27:593 3408 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:19:27:593 3408
08:19:27:593 3408 Driver Name: Disk
08:19:27:593 3408 IRP_MJ_CREATE : BA90EC30
08:19:27:593 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F333A
08:19:27:593 3408 IRP_MJ_CLOSE : BA90EC30
08:19:27:593 3408 IRP_MJ_READ : BA908D9B
08:19:27:593 3408 IRP_MJ_WRITE : BA908D9B
08:19:27:593 3408 IRP_MJ_QUERY_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_SET_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_EA : 804F333A
08:19:27:593 3408 IRP_MJ_SET_EA : 804F333A
08:19:27:593 3408 IRP_MJ_FLUSH_BUFFERS : BA909366
08:19:27:593 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_DIRECTORY_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_DEVICE_CONTROL : BA90944D
08:19:27:593 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
08:19:27:593 3408 IRP_MJ_SHUTDOWN : BA909366
08:19:27:593 3408 IRP_MJ_LOCK_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_CLEANUP : 804F333A
08:19:27:593 3408 IRP_MJ_CREATE_MAILSLOT : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_SECURITY : 804F333A
08:19:27:593 3408 IRP_MJ_SET_SECURITY : 804F333A
08:19:27:593 3408 IRP_MJ_POWER : BA90AEF3
08:19:27:593 3408 IRP_MJ_SYSTEM_CONTROL : BA90FA24
08:19:27:593 3408 IRP_MJ_DEVICE_CHANGE : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_QUOTA : 804F333A
08:19:27:593 3408 IRP_MJ_SET_QUOTA : 804F333A
08:19:27:593 3408 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:19:27:593 3408
08:19:27:593 3408 Driver Name: USBSTOR
08:19:27:593 3408 IRP_MJ_CREATE : 888EC1E8
08:19:27:593 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F333A
08:19:27:593 3408 IRP_MJ_CLOSE : 888EC1E8
08:19:27:593 3408 IRP_MJ_READ : 888EC1E8
08:19:27:593 3408 IRP_MJ_WRITE : 888EC1E8
08:19:27:593 3408 IRP_MJ_QUERY_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_SET_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_EA : 804F333A
08:19:27:593 3408 IRP_MJ_SET_EA : 804F333A
08:19:27:593 3408 IRP_MJ_FLUSH_BUFFERS : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F333A
08:19:27:593 3408 IRP_MJ_DIRECTORY_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_DEVICE_CONTROL : 888EC1E8
08:19:27:593 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA655A7C
08:19:27:593 3408 IRP_MJ_SHUTDOWN : 804F333A
08:19:27:593 3408 IRP_MJ_LOCK_CONTROL : 804F333A
08:19:27:593 3408 IRP_MJ_CLEANUP : 804F333A
08:19:27:593 3408 IRP_MJ_CREATE_MAILSLOT : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_SECURITY : 804F333A
08:19:27:593 3408 IRP_MJ_SET_SECURITY : 804F333A
08:19:27:593 3408 IRP_MJ_POWER : 888EC1E8
08:19:27:593 3408 IRP_MJ_SYSTEM_CONTROL : 888EC1E8
08:19:27:593 3408 IRP_MJ_DEVICE_CHANGE : 804F333A
08:19:27:593 3408 IRP_MJ_QUERY_QUOTA : 804F333A
08:19:27:593 3408 IRP_MJ_SET_QUOTA : 804F333A
08:19:27:609 3408 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:19:27:609 3408
08:19:27:609 3408 Driver Name: Disk
08:19:27:609 3408 IRP_MJ_CREATE : BA90EC30
08:19:27:609 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F333A
08:19:27:609 3408 IRP_MJ_CLOSE : BA90EC30
08:19:27:609 3408 IRP_MJ_READ : BA908D9B
08:19:27:609 3408 IRP_MJ_WRITE : BA908D9B
08:19:27:609 3408 IRP_MJ_QUERY_INFORMATION : 804F333A
08:19:27:609 3408 IRP_MJ_SET_INFORMATION : 804F333A
08:19:27:609 3408 IRP_MJ_QUERY_EA : 804F333A
08:19:27:609 3408 IRP_MJ_SET_EA : 804F333A
08:19:27:609 3408 IRP_MJ_FLUSH_BUFFERS : BA909366
08:19:27:609 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F333A
08:19:27:609 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F333A
08:19:27:609 3408 IRP_MJ_DIRECTORY_CONTROL : 804F333A
08:19:27:609 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F333A
08:19:27:609 3408 IRP_MJ_DEVICE_CONTROL : BA90944D
08:19:27:609 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
08:19:27:609 3408 IRP_MJ_SHUTDOWN : BA909366
08:19:27:609 3408 IRP_MJ_LOCK_CONTROL : 804F333A
08:19:27:609 3408 IRP_MJ_CLEANUP : 804F333A
08:19:27:609 3408 IRP_MJ_CREATE_MAILSLOT : 804F333A
08:19:27:609 3408 IRP_MJ_QUERY_SECURITY : 804F333A
08:19:27:609 3408 IRP_MJ_SET_SECURITY : 804F333A
08:19:27:609 3408 IRP_MJ_POWER : BA90AEF3
08:19:27:609 3408 IRP_MJ_SYSTEM_CONTROL : BA90FA24
08:19:27:609 3408 IRP_MJ_DEVICE_CHANGE : 804F333A
08:19:27:609 3408 IRP_MJ_QUERY_QUOTA : 804F333A
08:19:27:609 3408 IRP_MJ_SET_QUOTA : 804F333A
08:19:27:609 3408 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:19:27:609 3408
08:19:27:609 3408 Driver Name: nvata
08:19:27:609 3408 IRP_MJ_CREATE : 89D5C1E8
08:19:27:609 3408 IRP_MJ_CREATE_NAMED_PIPE : 89D5C1E8
08:19:27:609 3408 IRP_MJ_CLOSE : 89D5C1E8
08:19:27:609 3408 IRP_MJ_READ : 89D5C1E8
08:19:27:609 3408 IRP_MJ_WRITE : 89D5C1E8
08:19:27:609 3408 IRP_MJ_QUERY_INFORMATION : 89D5C1E8
08:19:27:609 3408 IRP_MJ_SET_INFORMATION : 89D5C1E8
08:19:27:609 3408 IRP_MJ_QUERY_EA : 89D5C1E8
08:19:27:609 3408 IRP_MJ_SET_EA : 89D5C1E8
08:19:27:609 3408 IRP_MJ_FLUSH_BUFFERS : 89D5C1E8
08:19:27:609 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 89D5C1E8
08:19:27:609 3408 IRP_MJ_SET_VOLUME_INFORMATION : 89D5C1E8
08:19:27:609 3408 IRP_MJ_DIRECTORY_CONTROL : 89D5C1E8
08:19:27:609 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 89D5C1E8
08:19:27:609 3408 IRP_MJ_DEVICE_CONTROL : 89D5C1E8
08:19:27:609 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA655A7C
08:19:27:609 3408 IRP_MJ_SHUTDOWN : 89D5C1E8
08:19:27:609 3408 IRP_MJ_LOCK_CONTROL : 89D5C1E8
08:19:27:609 3408 IRP_MJ_CLEANUP : 89D5C1E8
08:19:27:609 3408 IRP_MJ_CREATE_MAILSLOT : 89D5C1E8
08:19:27:609 3408 IRP_MJ_QUERY_SECURITY : 89D5C1E8
08:19:27:609 3408 IRP_MJ_SET_SECURITY : 89D5C1E8
08:19:27:609 3408 IRP_MJ_POWER : 89D5C1E8
08:19:27:609 3408 IRP_MJ_SYSTEM_CONTROL : 89D5C1E8
08:19:27:609 3408 IRP_MJ_DEVICE_CHANGE : 89D5C1E8
08:19:27:609 3408 IRP_MJ_QUERY_QUOTA : 89D5C1E8
08:19:27:609 3408 IRP_MJ_SET_QUOTA : 89D5C1E8
08:19:27:703 3408 C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: 1
08:19:27:703 3408
08:19:27:703 3408 Completed
08:19:27:703 3408
08:19:27:703 3408 Results:
08:19:27:703 3408 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
08:19:27:703 3408 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
08:19:27:703 3408 File objects infected / cured / cured on reboot: 0 / 0 / 0
08:19:27:703 3408
08:19:27:703 3408 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
08:19:27:703 3408 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
08:19:27:703 3408 KLMD(ARK) unloaded successfully