I've got lots of trojans, malwarebytes blocking malicious websites - zentom sys guard

Inactive
By stevebobby
Aug 26, 2011
Topic Status:
Not open for further replies.
  1. My Windows problems started with an appearance of a Zentom System Guard. I've tried Malwarebytes' Anti-Malware, SUPERAntiSpyware and avast! without much success. The active Malwarebytes' program keeps blocking 'malicious websites' and repeated scans show many trojans. My computer's performance isn't good and I really need to work!

    Any suggestions?
    thank you!
  2. stevebobby

    stevebobby Newcomer, in training Topic Starter

    malwarebytes log

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7582

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/26/2011 1:02:59 PM
    mbam-log-2011-08-26 (13-02-59).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 272541
    Time elapsed: 1 hour(s), 1 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 4
    Registry Keys Infected: 23
    Registry Values Infected: 5
    Registry Data Items Infected: 3
    Folders Infected: 2
    Files Infected: 22

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\w3swms.dll (Trojan.Hiloti) -> Delete on reboot.
    c:\WINDOWS\$xntuninstall643$\bgjhu.dll (Adware.BHO) -> Delete on reboot.
    c:\WINDOWS\$xntuninstall643$\fbtil.dll (Adware.BHO) -> Delete on reboot.
    c:\WINDOWS\system32\todaxsrkadmeclkf.dll (Trojan.Agent) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{6BC1C77F-B07B-4593-8CAC-510065623BE5} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\brumaokzpgrm.brumaokzpgrm.1.0 (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\brumaokzpgrm.brumaokzpgrm (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BC1C77F-B07B-4593-8CAC-510065623BE5} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{6BC1C77F-B07B-4593-8CAC-510065623BE5} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BC1C77F-B07B-4593-8CAC-510065623BE5} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{945B6D2E-4A45-45BA-8357-FD02F2AD038B} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\adfaokzppr.adfaokzppr.1.0 (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\adfaokzppr.adfaokzppr (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{945B6D2E-4A45-45BA-8357-FD02F2AD038B} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{945B6D2E-4A45-45BA-8357-FD02F2AD038B} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{945B6D2E-4A45-45BA-8357-FD02F2AD038B} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zentom System Guard (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Z-opti (Adware.EZula) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Context\Context-Ads (Adware.AdRotator) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Z-opti (Adware.EZula) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Context\Context-Ads (Adware.AdRotator) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{CCDBE201-6CC0-78FF-9509-67FFBF5044BF} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCDBE201-6CC0-78FF-9509-67FFBF5044BF} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{CCDBE201-6CC0-78FF-9509-67FFBF5044BF} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CCDBE201-6CC0-78FF-9509-67FFBF5044BF} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uioavxizuhbnfcue (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$XNTUninstall643$ (Adware.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nfujaquzuwocu (Trojan.Hiloti) -> Value: Nfujaquzuwocu -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Adware.BHO) -> Value: bipro -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*propactioncore.exe (Trojan.FakeAlert) -> Value: *propactioncore.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mllsic70nb.exe (Trojan.FakeAlert) -> Value: mllsic70nb.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\btbigjmzpv (Trojan.Agent) -> Value: btbigjmzpv -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\documents and settings\farnham lab\start menu\Programs\zentom system guard (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
    c:\WINDOWS\$xntuninstall643$ (Adware.AdRotator) -> Delete on reboot.

    Files Infected:
    c:\WINDOWS\w3swms.dll (Trojan.Hiloti) -> Delete on reboot.
    c:\WINDOWS\$xntuninstall643$\bgjhu.dll (Adware.BHO) -> Delete on reboot.
    c:\WINDOWS\$xntuninstall643$\fbtil.dll (Adware.BHO) -> Delete on reboot.
    c:\documents and settings\localservice\local settings\application data\propactioncore.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\farnham lab\application data\aed8be34363e76d741618ee858692c81\mllsic70nb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\farnham lab\application data\aed8be34363e76d741618ee858692c81\hookdll.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\farnham lab\my documents\graphpadprism5\Patch.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    c:\documents and settings\farnham lab\local settings\Temp\1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\farnham lab\local settings\Temp\aserwoncxm.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
    c:\documents and settings\farnham lab\local settings\Temp\FY1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\farnham lab\local settings\Temp\rhc07151_1.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
    c:\documents and settings\localservice\application data\corecenterauth.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{09046f03-ef84-48bb-8fc4-91465583bd68}\RP193\A0021875.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\uioavxizuhbnfcue.exe (Adware.EZula) -> Quarantined and deleted successfully.
    c:\documents and settings\farnham lab\start menu\Programs\Startup\zentom system guard.lnk (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
    c:\documents and settings\farnham lab\Desktop\zentom system guard.lnk (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
    c:\documents and settings\farnham lab\application data\microsoft\internet explorer\quick launch\zentom system guard.lnk (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
    c:\documents and settings\farnham lab\start menu\Programs\zentom system guard\zentom system guard.lnk (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
    c:\documents and settings\farnham lab\start menu\Programs\zentom system guard\uninstall.lnk (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\todaxsrkadmeclkf.dll (Trojan.Agent) -> Delete on reboot.
    c:\WINDOWS\$xntuninstall643$\apuninstall.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
    c:\WINDOWS\$xntuninstall643$\zrpt.xml (Adware.AdRotator) -> Quarantined and deleted successfully.
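    An added example, not part of this thread and not Malwarebytes' own code: the log above is the Malwarebytes 1.x text format, and the items worth re-checking after a reboot are the ones that give the malware execution again (Run/RunOnce values, Browser Helper Object CLSIDs, Startup shortcuts), the Security Center DisableNotify values the rogue flipped to hide that AV and firewall were off, and anything marked "Delete on reboot", which means the file or DLL was still loaded when the scan ran. The script below parses lines in that format, groups detections by family and flags those artifacts. The sample log is constructed from a few lines of the post; the autostart rules are my own list, not a Malwarebytes classification.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes 1.x log format: a few representative
# entries copied from the log posted above, not the full log.
SAMPLE_LOG = r"""
Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BC1C77F-B07B-4593-8CAC-510065623BE5} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zentom System Guard (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nfujaquzuwocu (Trojan.Hiloti) -> Value: Nfujaquzuwocu -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*propactioncore.exe (Trojan.FakeAlert) -> Value: *propactioncore.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\w3swms.dll (Trojan.Hiloti) -> Delete on reboot.
c:\documents and settings\farnham lab\local settings\Temp\1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One detection line: "<path> (<family>) -> [Value: x -> ]<action>."
# The path is matched lazily so "(x86)" inside a path is not taken as the family.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[A-Za-z0-9._-]+)\) -> (?P<rest>.+)$")

# Locations that give the malware execution again after cleanup, plus the
# Security Center values a rogue flips so Windows stops warning that AV/firewall are off.
AUTOSTART_RULES = [
    (re.compile(r"\\CurrentVersion\\Run\\", re.I), "Run key: executes at every logon"),
    (re.compile(r"\\CurrentVersion\\RunOnce\\", re.I), "RunOnce key: executes at next logon"),
    (re.compile(r"\\Browser Helper Objects\\", re.I), "BHO: DLL loaded into every Internet Explorer process"),
    (re.compile(r"\\Security Center\\\w+DisableNotify$", re.I), "Security Center warning silenced (defense evasion)"),
    (re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I), "Startup folder shortcut: runs at logon"),
]


def parse_mbam_log(text):
    """Return one dict per detection line: section, path, family, action, pending_reboot."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):        # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if not m:                             # e.g. "(No malicious items detected)"
            continue
        action = m.group("rest").split(" -> ")[-1].rstrip(".")
        items.append({
            "section": section,
            "path": m.group("path"),
            "family": m.group("family"),
            "action": action,
            "pending_reboot": action.lower() == "delete on reboot",
        })
    return items


def classify_autostart(path):
    """Return a label if the path is a persistence or defense-evasion location, else None."""
    for rx, label in AUTOSTART_RULES:
        if rx.search(path):
            return label
    return None


def summarize(items):
    families = Counter(i["family"] for i in items)
    autostart = [(i["path"], classify_autostart(i["path"]))
                 for i in items if classify_autostart(i["path"])]
    pending = [i["path"] for i in items if i["pending_reboot"]]
    return {"families": families, "autostart": autostart, "pending_reboot": pending}


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print("Detections by family:")
    for fam, n in report["families"].most_common():
        print(f"  {n:3d}  {fam}")
    print("\nAuto-start / defense-evasion artifacts (re-check after reboot):")
    for path, why in report["autostart"]:
        print(f"  {why}\n      {path}")
    print("\nStill in use at scan time (Delete on reboot):")
    for path in report["pending_reboot"]:
        print(f"  {path}")
```

    Run it against a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file contents; the "Delete on reboot" list is the first thing to verify is actually gone on the next scan.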
  3. Bobbye

    Bobbye, Helper on the Fringe

    Welcome to TechSpot! I'll help you get rid of the malware.

    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Note for Malwarebytes Before you try to scan>>>

    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Do you have Malwarebytes running on the system? If yes, then "The active Malwarebytes' program keeps blocking 'malicious websites' " is a good thing. But you need to update and do the scan, preferably using the link in the thread steps.

    Go ahead with the rest of the steps and leave the logs in your next reply. If you have problems along the way- let me know. Don't try to get around anything.

    Note please> I am signing off for the night in a few minutes. So I will look for your reply tomorrow.
  4. stevebobby

    stevebobby Newcomer, in training Topic Starter

    gmer log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-26 18:18:09
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST9120823AS rev.3.ADB
    Running: zkyrgxtp.exe; Driver: C:\DOCUME~1\FARNHA~1\LOCALS~1\Temp\kgrdipow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA94C5BF2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA94C5A5D]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA951D398]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 89D8531B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89D8531B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89D8531B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 89D8531B
    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----
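    An added example, not part of this thread and not GMER's code: GMER's "TDL4@MBR code has been found" line means the bootstrap code in sector 0 is no longer the stock loader, so the infection runs before Windows and before any of the scanners above. The generic way to confirm that, independent of any tool's signature, is to read the first 512 bytes of the disk, check the 55AA boot signature and the partition table for sanity, and compare a hash of the 440-byte bootstrap area against a baseline taken from a known-clean machine with the same OS. The script below does that on constructed MBR bytes; CLEAN_BOOTSTRAP and TAMPERED_BOOTSTRAP are stand-in bytes, not the real Windows loader and not real TDL4 code, and the partition geometry is invented to resemble the 112 GiB C: drive in the DDS log.

```python
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 440          # code area before the 4-byte disk signature
PART_TABLE_OFF = 446
PART_ENTRY = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Parse one 512-byte MBR into bootstrap hash, signature check and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype or count:   # skip empty entries
            parts.append({"index": i, "status": status, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "partitions": parts,
    }


def check_mbr(sector, baseline_sha256):
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature is not 55AA")
    if info["bootstrap_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from the known-good baseline (MBR rewritten)")
    active = 0
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
        active += p["status"] == 0x80
    if active > 1:
        findings.append("more than one partition marked active")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"])
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


def build_mbr(bootstrap, partitions):
    """Assemble a 512-byte MBR from bootstrap bytes and (status, type, lba, count) tuples."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    table = b"".join(struct.pack(PART_ENTRY, st, b"\xff\xff\xff", ty, b"\xff\xff\xff", lba, cnt)
                     for st, ty, lba, cnt in partitions).ljust(64, b"\x00")
    return code + b"\x11\x22\x33\x44" + b"\x00\x00" + table + b"\x55\xaa"


# Constructed fixtures: stand-in bytes, not the real Windows loader and not bootkit code.
CLEAN_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c" + b"\x90" * 40
TAMPERED_BOOTSTRAP = b"\xfa\xe8\x00\x00\x5e\x81\xee" + b"\xcc" * 40
# One NTFS (0x07) active partition starting at LBA 63, sized like a 112 GiB C: drive.
SAMPLE_TABLE = [(0x80, 0x07, 63, 234880961)]

CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, SAMPLE_TABLE)
TAMPERED_MBR = build_mbr(TAMPERED_BOOTSTRAP, SAMPLE_TABLE)
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]   # record this from a known-clean machine

if __name__ == "__main__":
    # On a live system read the real sector instead, e.g. as administrator on Windows:
    #   with open(r"\\.\PhysicalDrive0", "rb") as f: sector = f.read(512)
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or ["no findings"])
```

    The baseline hash is the whole point: a partition table that parses fine says nothing about the loader code, and a rootkit that rewrites sector 0 keeps the table intact so the system still boots. Take the baseline from a clean install of the same Windows version, because the stock bootstrap bytes differ between releases.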
  5. Bobbye

    Bobbye, Helper on the Fringe

    I'll wait until you finish the scans and leave the log.
  6. stevebobby

    stevebobby Newcomer, in training Topic Starter

    dds

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_2011-08-26.01)
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/21/2010 9:08:39 AM
    System Uptime: 8/26/2011 5:39:52 PM (1 hours ago)
    Motherboard: Dell Inc. | | 0HN338
    Processor: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz | Microprocessor | 1975/200mhz

    ==== Disk Partitions =========================
    C: is FIXED (NTFS) - 112 GiB total, 0.732 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    PNP Device ID: ROOT\NET\0000
    Service: vpnva

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0001
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0001
    Service: CVirtA

    ==== System Restore Points ===================
    RP179: 8/8/2011 5:37:12 PM - System Checkpoint
    RP180: 8/9/2011 5:45:40 PM - System Checkpoint
    RP181: 8/10/2011 6:54:03 PM - System Checkpoint
    RP182: 8/11/2011 9:54:38 AM - Software Distribution Service 3.0
    RP183: 8/12/2011 5:23:58 PM - System Checkpoint
    RP184: 8/16/2011 12:42:55 PM - System Checkpoint
    RP185: 8/17/2011 1:19:35 PM - System Checkpoint
    RP186: 8/18/2011 4:15:22 PM - System Checkpoint
    RP187: 8/19/2011 4:18:29 PM - System Checkpoint
    RP188: 8/20/2011 4:23:13 PM - System Checkpoint
    RP189: 8/21/2011 5:23:13 PM - System Checkpoint
    RP190: 8/22/2011 7:31:36 PM - System Checkpoint
    RP191: 8/24/2011 9:36:32 AM - System Checkpoint
    RP192: 8/24/2011 2:31:46 PM - Software Distribution Service 3.0
    RP193: 8/25/2011 3:09:47 PM - System Checkpoint
    RP194: 8/26/2011 1:58:22 PM - avast! Free Antivirus Setup

    ==== Installed Programs ======================
    Adobe Acrobat 9 Pro - English, Français, Deutsc
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Color Video Profiles CS CS4
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Drive CS4
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Illustrator 10
    Adobe Linguistics CS4
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe SVG Viewer 3.0
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    avast! Free Antivirus
    Bio-Rad CFX Manager 2.0
    Bonjour
    Broadcom Gigabit Integrated Controller
    ChipSeq Tool Set Fast
    Cisco AnyConnect VPN Client
    Conexant HDA D330 MDC V.92 Modem
    Connect
    Dell Touchpad
    Dropbox
    EndNote X4
    ExtraPutty 0.22
    ffdshow [rev 2527] [2008-12-19]
    GraphPad Prism 5 (Trial)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    IGB 6.5.3
    Intel PROSet Wireless
    Intel(R) PROSet/Wireless WiFi Software
    iTunes
    J2SE Runtime Environment 5.0 Update 18
    Java Auto Updater
    Java(TM) 6 Update 23
    kuler
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Mozilla Firefox 6.0 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NVIDIA Drivers
    Opera 11.10
    OZ776 SCR Driver V1.1.4.202
    PDF Settings CS4
    Photoshop Camera Raw
    Python 2.7.1
    Python 3.2b2
    QuickTime
    R for Windows 2.13.1
    ResearchSoft Direct Export Helper
    Screen Grab Pro
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office 2007 System (KB2541012)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2541007)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2416400)
    Security Update for Windows XP (KB241963)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    SigmaTel Audio
    SignalMap
    SpywareBlaster 4.4
    Suite Shared Configuration CS4
    SUPERAntiSpyware
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Outlook 2007 (KB2509470)
    Update for Outlook 2007 Junk Email Filter (KB2586924)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VPN Client
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Search 4.
    WinRAR 4.00 beta 4 (32-bit)
    WinSCP 4.2.9

    ==== Event Viewer Messages From Past Week ========
    8/26/2011 11:47:43 AM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
    8/25/2011 9:53:27 AM, error: Dhcp [1002] - The IP address lease 192.168.1.68 for the Network Card with network address 001B77C41956 has been denied by the DHCP server 68.181.195.147 (The DHCP Server sent a DHCPNACK message
    8/24/2011 8:46:44 AM, error: Service Control Manager [7000] - The CoLinuxDriver service failed to start due to the following error: The system cannot find the path specified.
    8/24/2011 8:46:44 AM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
    ==== End Of File ===========================
  7. stevebobby

    stevebobby Newcomer, in training Topic Starter

    dds

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Run by Farnham Lab at 18:04:50 on 2011-08-26
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.904 [GMT -7:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco\Vpn Client\cvpnd.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\WINDOWS\system32\hasplms.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
    C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

    uRun: [AdobeBridge]

    mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"

    mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray

    mRun: [Apoint] c:\program files\delltpad\Apoint.exe

    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

    mRun: [nwiz] nwiz.exe /installquiet

    mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

    mRun: [<NO NAME>]

    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

    mRunOnce: [*centercabapi.exe] "c:\windows\centercabapi.exe"

    StartupFolder: c:\docume~1\farnha~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\farnham lab\application data\dropbox\bin\Dropbox.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ucdavi~1.lnk - c:\program files\cisco\vpn client\vpngui.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1292978320717

    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292978383842

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

    DPF: {CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_18-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    TCP: DhcpNameServer = 128.125.253.143 128.125.253.194 208.99.184.12

    TCP: Interfaces\{96AEDF37-3C6A-4CE4-BFE7-06C28200C249} : DhcpNameServer = 128.125.253.143 128.125.253.194 208.99.184.12

    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    .

    ================= FIREFOX ===================

    .

    FF - ProfilePath - c:\documents and settings\farnham lab\application data\mozilla\firefox\profiles\utjbm3nt.default\

    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

    .

    ============= SERVICES / DRIVERS ===============

    .

    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-8-26 441176]

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-8-26 309848]

    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-8-26 19544]

    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-8-26 42184]

    R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]

    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-16 366640]

    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2011-5-18 641464]

    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-16 22712]

    S2 CoLinuxDriver;CoLinuxDriver;\??\c:\documents and settings\farnham lab\desktop\portable_ubuntu_tres\colinux\linux.sys --> c:\documents and settings\farnham lab\desktop\portable_ubuntu_tres\colinux\linux.sys [?]

    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-2-16 41272]

    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-1-14 280344]

    .

    =============== Created Last 30 ================

    .

    2011-08-27 01:04:04 94208 ----a-w- c:\windows\centercabapi.exe

    2011-08-26 20:58:58 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

    2011-08-26 20:58:33 40112 ----a-w- c:\windows\avastSS.scr

    2011-08-26 20:58:22 -------- d-----w- c:\program files\AVAST Software

    2011-08-26 20:58:22 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software

    2011-08-26 20:48:31 -------- d-----w- c:\program files\SpywareBlaster

    2011-08-22 17:34:36 -------- d-----w- c:\documents and settings\all users\application data\TDM-GCC

    2011-08-12 20:54:32 -------- d-----w- c:\program files\cisgenome_v2.0

    2011-08-04 03:09:10 -------- d-----w- c:\documents and settings\farnham lab\work

    2011-08-04 00:52:32 -------- d-----w- c:\program files\R

    .

    ==================== Find3M ====================

    .

    2011-07-20 23:36:38 90784 ----a-w- c:\windows\system32\EasyHook32.dll

    2011-07-20 23:36:38 109216 ----a-w- c:\windows\system32\EasyHook64.dll

    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

    2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

    2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

    2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

    2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll

    2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

    2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec

    2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

    .

    =================== ROOTKIT ====================

    .

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

    Windows 5.1.2600 Disk: ST9120823AS rev.3.ADB -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

    .

    device: opened successfully

    user: MBR read successfully

    .

    Disk trace:

    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D854D0]<<

    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d8b7d0]; MOV EAX, [0x89d8b84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89DECAB8]

    3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89DD8030]

    \Driver\atapi[0x89DF13D8] -> IRP_MJ_CREATE -> 0x89D854D0

    error: Read A device attached to the system is not functioning.

    kernel: MBR read successfully

    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }

    detected disk devices:

    detected hooks:

    \Driver\atapi DriverStartIo -> 0x89D8531B

    user & kernel MBR OK

    Warning: possible TDL3 rootkit infection !

    .

    ============= FINISH: 18:07:32.28 ===============
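    As an added example (not part of this thread, and not code from the DDS or GMER tools), the script below does the kind of first-pass triage a helper performs on a DDS log like the one above: it splits the log into its `====` sections, collects the files listed under "Created Last 30", and flags autorun entries that point at one of those files, RunOnce values whose name starts with `*` (a documented Windows behaviour: such values also run in Safe Mode), executables dropped directly into the Windows directory root, and any driver hook or warning reported in the ROOTKIT section. The sample input is a constructed excerpt of a few lines copied from the log above, not the full log; all function names are the example's own.

    ```python
    import re
    from typing import Dict, List, Tuple

    # Constructed sample input: a handful of lines copied from the DDS log in this
    # thread, trimmed to the entries the triage cares about (not the full log).
    SAMPLE_DDS = r"""
    ============== Pseudo HJT Report ===============
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [AdobeBridge]
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRunOnce: [*centercabapi.exe] "c:\windows\centercabapi.exe"
    =============== Created Last 30 ================
    2011-08-27 01:04:04 94208 ----a-w- c:\windows\centercabapi.exe
    2011-08-26 20:58:58 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-08-26 20:58:22 -------- d-----w- c:\program files\AVAST Software
    =================== ROOTKIT ====================
    \Driver\atapi DriverStartIo -> 0x89D8531B
    Warning: possible TDL3 rootkit infection !
    """

    # "============== Pseudo HJT Report ===============" -> "Pseudo HJT Report"
    SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
    # "mRunOnce: [*centercabapi.exe] "c:\windows\centercabapi.exe""
    AUTORUN_RE = re.compile(r"^(uRun|mRun|uRunOnce|mRunOnce):\s*\[(.*?)\]\s*(.*)$")
    # First drive-letter path ending in an executable extension inside the command.
    PATH_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:exe|dll|scr))', re.IGNORECASE)
    # "2011-08-27 01:04:04 94208 ----a-w- c:\windows\centercabapi.exe"
    CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(.*)$")


    def split_sections(text: str) -> Dict[str, List[str]]:
        """Group non-empty log lines under the DDS section header they follow."""
        sections: Dict[str, List[str]] = {}
        current = "preamble"
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line == ".":
                continue  # DDS pads sections with lone dots; skip blank/padding lines
            header = SECTION_RE.match(line)
            if header:
                current = header.group(1)
                sections.setdefault(current, [])
                continue
            sections.setdefault(current, []).append(line)
        return sections


    def triage(text: str) -> List[Tuple[str, str, str]]:
        """Return (severity, item, reason) findings worth a helper's attention."""
        sections = split_sections(text)
        created = set()
        for line in sections.get("Created Last 30", []):
            m = CREATED_RE.match(line)
            if m:
                created.add(m.group(1).lower())

        findings: List[Tuple[str, str, str]] = []
        for line in sections.get("Pseudo HJT Report", []):
            m = AUTORUN_RE.match(line)
            if not m:
                continue
            key, name, command = m.groups()
            if not command:
                continue  # empty value (e.g. "uRun: [AdobeBridge]"): nothing is launched
            pm = PATH_RE.search(command)
            if not pm:
                continue
            path = pm.group(1).lower()
            if path in created:
                findings.append(("high", path, f"{key} entry points at a file created in the last 30 days"))
            if key.endswith("RunOnce") and name.startswith("*"):
                findings.append(("high", path, "RunOnce value name starts with '*', so it also runs in Safe Mode"))
            if re.fullmatch(r"c:\\windows\\[^\\]+", path):
                findings.append(("medium", path, "executable sits directly in the Windows directory root"))

        for line in sections.get("ROOTKIT", []):
            if "DriverStartIo ->" in line or line.lower().startswith("warning:"):
                findings.append(("high", line, "disk-driver hook or rootkit warning from the MBR check"))
        return findings


    if __name__ == "__main__":
        for severity, item, reason in triage(SAMPLE_DDS):
            print(f"[{severity}] {item}: {reason}")
    ```

    On the excerpt above the only autorun that trips every file-based rule is the `*centercabapi.exe` RunOnce entry, which is also the newest file in "Created Last 30"; the two ROOTKIT lines are reported separately, since a hooked `DriverStartIo` on the disk stack is exactly what a removal tool such as TDSSKiller is meant to address.
    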
  8. stevebobby

    stevebobby Newcomer, in training Topic Starter

    thanks Bobbye, man it is getting bad.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please stop double spacing the log entries!

    Repost the DDS.txt log without the double pasting, please. I fixed the Attach.txt log. It looks like you may be copying in each line separately instead of copying the entire log and pasting it in.

    After you have reposted the log, run this:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file > Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    =========================================
    Then this: Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =============================================
    Paste logs in as they appear- no double spacing.