allclearhere
Hi guys. I had a bit of a snowballing virus problem this week. So I tried the 8 Steps (including the Avira > Malwarebytes > GMER > DDS sequence) but I am still getting malware attacks, particularly while using internet explorer. But I'm not sure what else might be happening while I'm not connected to the internet.
If it means anything, BEFORE I did the 8 Steps I tried to remove the problem(s) using Spybot, AVG, registered version of Malwarebytes (quick then full then flash scan) in that order both in safe and normal mode - it cleaned up a lot of things but whatever it is seems to be coming back.
Then I did the 8 Steps.
After the 8 Steps I did a HijackThis just FYI, not sure if that affects anything.
Anyway here are my log files (MALWAREBYTES, GMER, DDS, ATTACH, HIJACKTHIS). Hopefully, you guys can help me fix this problem as I've had to restore this computer once in the past and I really really would like to not have to do that again. Thanks.
MALWAREBYTES
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5564
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
1/21/2011 12:08:09 PM
mbam-log-2011-01-21 (12-08-09).txt
Scan type: Quick scan
Objects scanned: 154512
Time elapsed: 6 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-21 12:19:43
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 WDC_WD1600JS-75NCB1 rev.10.02E01
Running: gmqf4psi.exe; Driver: C:\DOCUME~1\AL09C6~1\LOCALS~1\Temp\pwloapod.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
---- System - GMER 1.0.15 ----
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xB9E765DC]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xB9E82120]
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A64339B
Device \Driver\atapi \Device\Ide\IdePort0 8A5282E8
Device \Driver\atapi \Device\Ide\IdePort0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A64339B
Device \Driver\atapi \Device\Ide\IdePort1 8A5282E8
Device \Driver\atapi \Device\Ide\IdePort1
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-4 8A64339B
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 8A5282E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A64339B
Device \Driver\atapi \Device\Ide\IdePort2 8A5282E8
Device \Driver\atapi \Device\Ide\IdePort2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8A64339B
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 8A5282E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c
Device \FileSystem\Ntfs \Ntfs 8A6DE1F8
AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&289960e9&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Modules - GMER 1.0.15 ----
Module _________ B9D03000-B9D1B000 (98304 bytes)
---- EOF - GMER 1.0.15 ----
DDS
DDS (Ver_10-12-12.02) - NTFSx86
Run by A L at 12:22:31.68 on Fri 01/21/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1345 [GMT -8:00]
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Enabled*
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\A L\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp:///
uSearch Page = hxxp://www.google.com/hws/sb/dell/en/side.html
uSearch Bar = hxxp://www.google.com/hws/sb/dell/en/side.html
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en
mSearchAssistant = hxxp://www.google.com/hws/sb/dell/en/side.html
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {823cf514-7815-4788-9db4-e6c7bdf6f4de} - pabipihe.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: {f1edefe8-2c04-5f83-78a5-7d9bbc727d8e} - c:\windows\ifuhocozisijih.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [CTRegRun] c:\windows\CTRegRun.EXE
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OABNAEUASAAtAFIARwA5AEIANwAtAEIARwA3AFcAQwAtAFAAWABSAEMAUgAtAEoASwBBAEgATAAtAEgARQBNAEIAUgA"&"inst=NwA2AC0ANgA5ADEANgAzADcAOQAzADgALQBEADMAOAAxAEwAKwA1AC0AWABPADMANgArADEALQBQAEwAKwA5AC0ATgAxAEQAKwAxAA"&"prod=54"&"ver=9.0.872
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: kozafohew - {a6d261b7-e2cf-4a87-9de9-5f96df1fe2b2} - c:\windows\system32\bekoduya.dll
SSODL: sevehuyot - {00e0cad2-9479-4ba7-8aaf-bf317c78ab5a} - c:\windows\system32\huzivewe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: kupuhivus: {00932a9f-83e7-4273-aca6-72e0fe3f9f96} - c:\windows\system32\foweriyo.dll
STS: {f00da279-ae5a-4ba6-8b1e-63f13e65f444} - No File
STS: jugezatag: {a6d261b7-e2cf-4a87-9de9-5f96df1fe2b2} - c:\windows\system32\bekoduya.dll
STS: mujuzedij: {00e0cad2-9479-4ba7-8aaf-bf317c78ab5a} - c:\windows\system32\huzivewe.dll
LSA: Notification Packages = scecli waners.dll lepopoka.dll
============= SERVICES / DRIVERS ===============
R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2010-3-13 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2010-3-13 5248]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-21 11608]
R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2005-12-21 80640]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-21 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-21 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-21 61960]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-19 363344]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-12-21 126976]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-12-21 221184]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-12-21 122368]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-8-5 91456]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-19 20952]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-12-21 114464]
S0 wrkmlkcz;wrkmlkcz;c:\windows\system32\drivers\pmaaegsb.sys [2011-1-20 53888]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\a l\desktop\ts-h492c_ci06.bin --> c:\documents and settings\a l\desktop\TS-H492C_CI06.bin [?]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-12-21 245760]
=============== Created Last 30 ================
2011-01-21 17:36:49 -------- d-----w- c:\docume~1\al09c6~1\applic~1\Avira
2011-01-21 17:27:08 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-21 17:27:05 -------- d-----w- c:\program files\Avira
2011-01-21 17:27:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-01-21 08:03:17 -------- d-----w- c:\windows\pss
2011-01-20 19:35:11 53888 ----a-w- c:\windows\system32\drivers\pmaaegsb.sys
2011-01-20 11:37:22 838144 ----a-w- c:\windows\system32\dllcache\chtbrkr.dll
2011-01-20 11:37:22 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2011-01-20 11:37:22 1677824 ----a-w- c:\windows\system32\dllcache\chsbrkr.dll
2011-01-20 11:37:22 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2011-01-20 11:37:21 98304 ----a-w- c:\windows\system32\msir3jp.dll
2011-01-20 11:37:21 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2011-01-20 11:37:21 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2011-01-20 11:37:21 70656 ----a-w- c:\windows\system32\dllcache\korwbrkr.dll
2011-01-20 11:37:21 1875968 ----a-w- c:\windows\system32\msir3jp.lex
2011-01-20 11:37:18 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2011-01-20 05:33:12 -------- d-----w- c:\docume~1\al09c6~1\applic~1\Malwarebytes
2011-01-20 05:18:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-20 05:18:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-20 05:17:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-20 05:17:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-19 08:10:52 -------- d-----w- c:\program files\AVG
2011-01-19 07:44:51 -------- d-----w- c:\docume~1\al09c6~1\locals~1\applic~1\{70147CF7-4ABF-4319-A34D-19C3ADF04F16}
2011-01-18 04:48:21 -------- d-----w- c:\program files\Windows Media Connect 2
2011-01-18 04:47:42 -------- d-----w- C:\1b83767d15ac5b981e43347c
2011-01-18 04:46:45 -------- d-----w- C:\3f6cdbb3449a1ae57417e5c66f145759
2011-01-18 04:46:36 -------- d-----w- c:\windows\system32\LogFiles
2011-01-18 04:46:11 -------- d-----w- C:\205ebe4aa73d14f925
2011-01-18 03:35:00 237568 ----a-w- c:\windows\system32\lame_enc.dll
2011-01-18 03:34:57 -------- d-----w- c:\program files\FreeCDRipper
2011-01-18 02:28:08 2560 ------w- c:\windows\system32\drivers\cdralw2k.sys
2011-01-18 02:28:08 2432 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2011-01-18 02:28:08 110080 ------w- c:\windows\system32\pxinsi64.exe
2011-01-18 02:28:08 109056 ------w- c:\windows\system32\pxcpyi64.exe
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\snap
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\sample
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\rom
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\nvram
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\memcard
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\inp
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\image
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\hi
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\diff
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\artwork
==================== Find3M ====================
2011-01-19 08:01:36 0 ----a-w- c:\windows\Odacimaf.bin
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JS-75NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A643555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a6497b0]; MOV EAX, [0x8a64982c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A6C1AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A5CAD78]
\Driver\atapi[0x8A6C6AB0] -> IRP_MJ_CREATE -> 0x8A643555
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&289960e9&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A64339B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 12:24:39.15 ===============
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: kozafohew - {a6d261b7-e2cf-4a87-9de9-5f96df1fe2b2} - c:\windows\system32\bekoduya.dll
SSODL: sevehuyot - {00e0cad2-9479-4ba7-8aaf-bf317c78ab5a} - c:\windows\system32\huzivewe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: kupuhivus: {00932a9f-83e7-4273-aca6-72e0fe3f9f96} - c:\windows\system32\foweriyo.dll
STS: {f00da279-ae5a-4ba6-8b1e-63f13e65f444} - No File
STS: jugezatag: {a6d261b7-e2cf-4a87-9de9-5f96df1fe2b2} - c:\windows\system32\bekoduya.dll
STS: mujuzedij: {00e0cad2-9479-4ba7-8aaf-bf317c78ab5a} - c:\windows\system32\huzivewe.dll
LSA: Notification Packages = scecli waners.dll lepopoka.dll
============= SERVICES / DRIVERS ===============
R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2010-3-13 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2010-3-13 5248]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-21 11608]
R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2005-12-21 80640]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-21 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-21 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-21 61960]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-19 363344]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-12-21 126976]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-12-21 221184]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-12-21 122368]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-8-5 91456]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-19 20952]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-12-21 114464]
S0 wrkmlkcz;wrkmlkcz;c:\windows\system32\drivers\pmaaegsb.sys [2011-1-20 53888]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\a l\desktop\ts-h492c_ci06.bin --> c:\documents and settings\a l\desktop\TS-H492C_CI06.bin [?]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-12-21 245760]
=============== Created Last 30 ================
2011-01-21 17:36:49 -------- d-----w- c:\docume~1\al09c6~1\applic~1\Avira
2011-01-21 17:27:08 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-21 17:27:05 -------- d-----w- c:\program files\Avira
2011-01-21 17:27:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-01-21 08:03:17 -------- d-----w- c:\windows\pss
2011-01-20 19:35:11 53888 ----a-w- c:\windows\system32\drivers\pmaaegsb.sys
2011-01-20 11:37:22 838144 ----a-w- c:\windows\system32\dllcache\chtbrkr.dll
2011-01-20 11:37:22 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2011-01-20 11:37:22 1677824 ----a-w- c:\windows\system32\dllcache\chsbrkr.dll
2011-01-20 11:37:22 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2011-01-20 11:37:21 98304 ----a-w- c:\windows\system32\msir3jp.dll
2011-01-20 11:37:21 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2011-01-20 11:37:21 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2011-01-20 11:37:21 70656 ----a-w- c:\windows\system32\dllcache\korwbrkr.dll
2011-01-20 11:37:21 1875968 ----a-w- c:\windows\system32\msir3jp.lex
2011-01-20 11:37:18 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2011-01-20 05:33:12 -------- d-----w- c:\docume~1\al09c6~1\applic~1\Malwarebytes
2011-01-20 05:18:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-20 05:18:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-20 05:17:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-20 05:17:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-19 08:10:52 -------- d-----w- c:\program files\AVG
2011-01-19 07:44:51 -------- d-----w- c:\docume~1\al09c6~1\locals~1\applic~1\{70147CF7-4ABF-4319-A34D-19C3ADF04F16}
2011-01-18 04:48:21 -------- d-----w- c:\program files\Windows Media Connect 2
2011-01-18 04:47:42 -------- d-----w- C:\1b83767d15ac5b981e43347c
2011-01-18 04:46:45 -------- d-----w- C:\3f6cdbb3449a1ae57417e5c66f145759
2011-01-18 04:46:36 -------- d-----w- c:\windows\system32\LogFiles
2011-01-18 04:46:11 -------- d-----w- C:\205ebe4aa73d14f925
2011-01-18 03:35:00 237568 ----a-w- c:\windows\system32\lame_enc.dll
2011-01-18 03:34:57 -------- d-----w- c:\program files\FreeCDRipper
2011-01-18 02:28:08 2560 ------w- c:\windows\system32\drivers\cdralw2k.sys
2011-01-18 02:28:08 2432 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2011-01-18 02:28:08 110080 ------w- c:\windows\system32\pxinsi64.exe
2011-01-18 02:28:08 109056 ------w- c:\windows\system32\pxcpyi64.exe
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\snap
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\sample
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\rom
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\nvram
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\memcard
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\inp
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\image
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\hi
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\diff
2011-01-02 09:07:27 -------- d-----w- c:\documents and settings\a l\artwork
==================== Find3M ====================
2011-01-19 08:01:36 0 ----a-w- c:\windows\Odacimaf.bin
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JS-75NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A643555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a6497b0]; MOV EAX, [0x8a64982c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A6C1AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A5CAD78]
\Driver\atapi[0x8A6C6AB0] -> IRP_MJ_CREATE -> 0x8A643555
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&289960e9&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A64339B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 12:24:39.15 ===============
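Added example, not part of the original post and not code from DDS, GMER or Malwarebytes: a small Python triage pass over the persistence and rootkit sections of a DDS-style log such as the one above. It encodes the checks a malware analyst applies by hand when reading this kind of log: SSODL/STS entries whose DLL is not a known shell object, an unnamed BHO loading straight from %windir%, anything beyond scecli in LSA Notification Packages, boot-start drivers with generated names or very recent creation dates, and GMER's DriverStartIo hook on atapi. The allow-lists, the seven-day window and the generated-name heuristic are assumptions a practitioner would tune; the sample log is a constructed excerpt of lines from the post above.

```python
"""Added example: triage pass over the persistence and rootkit sections of a
DDS / HijackThis-style log. Not part of the original post or of DDS, GMER or
Malwarebytes. Allow-lists, the 7-day window and the name heuristic are
assumptions a practitioner would tune, not authoritative lists."""
import re
from collections import namedtuple
from datetime import date

Finding = namedtuple("Finding", "severity line reason")  # severity: high | review
SCAN_DATE = date(2011, 1, 21)  # date of the DDS run in the sample log

# Assumption: on a stand-alone XP client only scecli belongs in this value;
# rassfm and kdcsvc are legitimate on servers and domain controllers.
LSA_EXPECTED = {"scecli", "rassfm", "kdcsvc"}
# Assumption: shell service objects XP registers itself; anything else is rare.
SHELL_OBJ_KNOWN = {"wpdshserviceobj.dll", "stobject.dll", "browseui.dll",
                   "shdocvw.dll", "webcheck.dll", "shell32.dll"}
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}
RECENT_DAYS = 7

ENTRY_RE = re.compile(r"^(?P<kind>BHO|SSODL|STS):\s*(?:(?P<name>[^{]+?)\s*[:-]\s*)?"
                      r"\{[0-9A-Fa-f-]+\}\s*-\s*(?P<path>.+)$")
SVC_RE = re.compile(r"^(?P<start>[RS][0-3])\s+(?P<svc>[^;]+);[^;]*;(?P<path>.*?)"
                    r"\s*\[(?P<date>[^\]\s]+)(?:\s+\d+)?\]\s*$")

def looks_generated(stem: str) -> bool:
    """Lowercase letters only, >= 6 long, and either nearly vowel-free
    ('wrkmlkcz') or strictly alternating consonant/vowel ('bekoduya').
    Real words like 'banana' match too, so this only raises severity."""
    if not re.fullmatch(r"[a-z]{6,}", stem):
        return False
    classes = [c in set("aeiou") for c in stem]
    alternating = all(a != b for a, b in zip(classes, classes[1:]))
    return sum(classes) / len(stem) < 0.2 or alternating

def split_path(path: str):
    """Return (parent dir, file name), lower-cased, Windows separators."""
    parent, _, name = path.replace("/", "\\").lower().rpartition("\\")
    return parent, name

def parse_date(text: str):
    try:
        return date(*(int(p) for p in text.split("-")))
    except (TypeError, ValueError):  # DDS prints "[?]" when it cannot stat the file
        return None

def triage(log_text: str, scan_date: date) -> list:
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        m = ENTRY_RE.match(line)
        if m:
            kind, name, path = m["kind"], m["name"], m["path"].strip()
            parent, fname = split_path(path)
            tag = " (name looks generated)" if looks_generated(fname.rsplit(".", 1)[0]) else ""
            if path.lower() == "no file":
                findings.append(Finding("review", line, "orphaned entry, file missing"))
            elif kind != "BHO" and fname not in SHELL_OBJ_KNOWN:
                findings.append(Finding("high", line, kind + " DLL loads into explorer.exe at logon and is not a known shell object" + tag))
            elif kind == "BHO" and not name and parent in WINDOWS_DIRS:
                findings.append(Finding("high", line, "unnamed BHO loading straight from the Windows directory" + tag))
            continue
        if line.upper().startswith("LSA: NOTIFICATION PACKAGES"):
            for pkg in line.split("=", 1)[1].split():
                if re.sub(r"\.dll$", "", pkg.lower()) not in LSA_EXPECTED:
                    findings.append(Finding("high", line, "extra LSA notification package " + pkg + " runs inside lsass.exe and sees every password change"))
            continue
        m = SVC_RE.match(line)
        if m and m["start"][1] in "01":  # boot- or system-start drivers only
            svc, fname = m["svc"].lower(), split_path(m["path"].strip())[1]
            created = parse_date(m["date"])
            age = (scan_date - created).days if created else None
            when = f", created {age} day(s) before the scan" if age is not None else ""
            if looks_generated(svc) or looks_generated(fname.rsplit(".", 1)[0]):
                findings.append(Finding("high", line, "boot-start driver with generated name" + when))
            elif age is not None and 0 <= age <= RECENT_DAYS:
                findings.append(Finding("review", line, "boot-start driver" + when + "; verify publisher"))
            continue
        if line.startswith("\\Driver\\") and "DriverStartIo" in line:
            findings.append(Finding("high", line, "DriverStartIo hook on the disk miniport; TDL3 uses it to hide its driver and MBR changes"))
    return sorted(findings, key=lambda f: f.severity != "high")

# Constructed sample: lines excerpted from the DDS and GMER output in the post.
SAMPLE_LOG = r"""
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: {f1edefe8-2c04-5f83-78a5-7d9bbc727d8e} - c:\windows\ifuhocozisijih.dll
SSODL: kozafohew - {a6d261b7-e2cf-4a87-9de9-5f96df1fe2b2} - c:\windows\system32\bekoduya.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: kupuhivus: {00932a9f-83e7-4273-aca6-72e0fe3f9f96} - c:\windows\system32\foweriyo.dll
STS: {f00da279-ae5a-4ba6-8b1e-63f13e65f444} - No File
LSA: Notification Packages = scecli waners.dll lepopoka.dll
R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2010-3-13 160640]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-21 11608]
S0 wrkmlkcz;wrkmlkcz;c:\windows\system32\drivers\pmaaegsb.sys [2011-1-20 53888]
\Driver\atapi DriverStartIo -> 0x8A64339B
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SCAN_DATE):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it as a script to see the findings for the sample; for a real log call triage() with the full text of DDS.txt and the date of the scan. Only the positional rules create findings; the name heuristic just marks them, because a random-looking name on its own is not a verdict, and a boot-start driver that is merely recent (Avira's avgio.sys in the sample) is reported for review rather than as malicious.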