TechSpot

Maybe it's a rootkit

By Gars
Dec 22, 2010
  1. Hello and thanks for your help,

    My neighbor is running a dual-core/2 GB machine on fully patched XP SP3.
    MSE is the front line of defense and the Windows firewall is running.

    We have a problem with MSE updating, and Skype is also refusing to sign in.

    Here are the logs from MBAM, GMER and DDS:

    MBAM log:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5376

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    22.12.2010 г. 19:53:44
    mbam-log-2010-12-22 (19-53-44).txt

    Scan type: Quick scan
    Objects scanned: 134345
    Time elapsed: 2 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    _____________________________

    GMER log:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-22 19:59:19
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_HD321KJ rev.CP100-10
    Running: echdjhfk.exe; Driver: C:\DOCUME~1\Mim's\LOCALS~1\Temp\pxtdypob.sys


    ---- System - GMER 1.0.15 ----

    SSDT spda.sys ZwCreateKey [0xB7EA80E0]
    SSDT spda.sys ZwEnumerateKey [0xB7EC6CA2]
    SSDT spda.sys ZwEnumerateValueKey [0xB7EC7030]
    SSDT spda.sys ZwOpenKey [0xB7EA80C0]
    SSDT spda.sys ZwQueryKey [0xB7EC7108]
    SSDT spda.sys ZwQueryValueKey [0xB7EC6F88]
    SSDT spda.sys ZwSetValueKey [0xB7EC719A]

    INT 0x62 ? 89E54BF8
    INT 0x63 ? 89E54BF8
    INT 0x63 ? 89E54BF8
    INT 0x63 ? 89BB1BF8
    INT 0x63 ? 89BB1BF8
    INT 0x63 ? 89E54BF8
    INT 0x73 ? 89DE5BF8
    INT 0x82 ? 89E54BF8
    INT 0x84 ? 89BB1BF8
    INT 0xA4 ? 89BB1BF8
    INT 0xB4 ? 89BB1BF8

    ---- Kernel code sections - GMER 1.0.15 ----

    ? spda.sys The system cannot find the file specified. !
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6B2D3A0, 0x59FFE5, 0xE8000020]
    .text USBPORT.SYS!DllUnload B6B0D8AC 5 Bytes JMP 89BB11D8
    .rsrc C:\WINDOWS\system32\DRIVERS\cdrom.sys entry point in ".rsrc" section [0xB81F6394]
    .text ajffjo66.SYS B69FB386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
    .text ajffjo66.SYS B69FB3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    .text ajffjo66.SYS B69FB3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
    .text ajffjo66.SYS B69FB3C9 1 Byte [2E]
    .text ajffjo66.SYS B69FB3C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1188] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DD000A
    .text C:\WINDOWS\System32\svchost.exe[1188] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DE000A
    .text C:\WINDOWS\System32\svchost.exe[1188] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DC000C
    .text C:\WINDOWS\System32\svchost.exe[1188] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E6000A
    .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0139000A
    .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013A000A
    .text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FF000C

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA9040] spda.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA913C] spda.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA90BE] spda.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA97FC] spda.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA96D2] spda.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EB9048] spda.sys
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!READ_PORT_UCHAR] 053C0D74
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!KeGetCurrentIrql] 57B80974
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!KfRaiseIrql] 8B000000
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!KfLowerIrql] 56C35DE5
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!HalGetInterruptVector] 8D08758B
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!HalTranslateBusAddress] 8D51FC4D
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!KeStallExecutionProcessor] 8D52FD55
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!KfReleaseSpinLock] 8D51FE4D
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D52FF55
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!READ_PORT_USHORT] 8D51F84D
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 5052F455
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!WRITE_PORT_UCHAR] EACAE856
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[WMILIB.SYS!WmiSystemControl] 0FC08520
    IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[WMILIB.SYS!WmiCompleteRequest] 0001B185

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 89DE11F8
    Device \FileSystem\Fastfat \FatCdrom 89C30500
    Device \Driver\sptd \Device\170484184 spda.sys
    Device \Driver\usbuhci \Device\USBPDO-0 89BB01F8
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 89DE31F8
    Device \Driver\dmio \Device\DmControl\DmConfig 89DE31F8
    Device \Driver\dmio \Device\DmControl\DmPnP 89DE31F8
    Device \Driver\dmio \Device\DmControl\DmInfo 89DE31F8
    Device \Driver\usbuhci \Device\USBPDO-1 89BB01F8
    Device \Driver\usbuhci \Device\USBPDO-2 89BB01F8
    Device \Driver\PCI_PNP7934 \Device\00000046 spda.sys
    Device \Driver\usbehci \Device\USBPDO-3 89B8A1F8
    Device \Driver\usbuhci \Device\USBPDO-4 89BB01F8
    Device \Driver\usbuhci \Device\USBPDO-5 89BB01F8
    Device \Driver\usbuhci \Device\USBPDO-6 89BB01F8
    Device \Driver\Ftdisk \Device\HarddiskVolume1 89E551F8
    Device \Driver\usbehci \Device\USBPDO-7 89B8A1F8
    Device \Driver\Cdrom \Device\CdRom0 89B211F8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 89E551F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89AB7AEA
    Device \Driver\atapi \Device\Ide\IdePort0 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89AB7AEA
    Device \Driver\atapi \Device\Ide\IdePort1 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 89AB7AEA
    Device \Driver\atapi \Device\Ide\IdePort2 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 89AB7AEA
    Device \Driver\atapi \Device\Ide\IdePort3 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-12 89AB7AEA
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\Cdrom \Device\CdRom1 89B211F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8912B1F8
    Device \Driver\NetBT \Device\NetbiosSmb 8912B1F8
    Device \Driver\usbuhci \Device\USBFDO-0 89BB01F8
    Device \Driver\usbuhci \Device\USBFDO-1 89BB01F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 891261F8
    Device \Driver\usbuhci \Device\USBFDO-2 89BB01F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 891261F8
    Device \Driver\usbehci \Device\USBFDO-3 89B8A1F8
    Device \Driver\usbuhci \Device\USBFDO-4 89BB01F8
    Device \Driver\Ftdisk \Device\FtControl 89E551F8
    Device \Driver\usbuhci \Device\USBFDO-5 89BB01F8
    Device \Driver\usbuhci \Device\USBFDO-6 89BB01F8
    Device \Driver\usbehci \Device\USBFDO-7 89B8A1F8
    Device \Driver\ajffjo66 \Device\Scsi\ajffjo661 89A651F8
    Device \Driver\ajffjo66 \Device\Scsi\ajffjo661Port5Path0Target0Lun0 89A651F8
    Device \Driver\JRAID \Device\Scsi\JRAID1 89DE21F8
    Device \FileSystem\Fastfat \Fat 89C30500

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs 899AC500
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HD321KJ_________________________CP100-10#3053514d314a5044303437313832202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x63 0x3D 0x91 0xCA ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x11 0x38 0x8E 0x9A ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCE 0x60 0x6A 0xE2 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x63 0x3D 0x91 0xCA ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x11 0x38 0x8E 0x9A ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCE 0x60 0x6A 0xE2 ...

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 625142192 (+254): rootkit-like behavior;

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\DRIVERS\cdrom.sys suspicious modification; TDL3 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----

    ______________________________
     
  2. Gars


    DDS log:


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Mim's at 19:59:29,06 on 22.12.2010 г.
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.2047.1543 [GMT 2:00]

    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Documents and Settings\Mim's\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.bg/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
    TB: {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - No File
    TB: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File
    TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
    uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [Google Update] "c:\documents and settings\mim's\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
    mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRunOnce: [RunNarrator] Narrator.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232127573437
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: ungzpw - ungzpw.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mjmyxlea.dll
    LSA: Authentication Packages = msv1_0 nwprovau

    ============= SERVICES / DRIVERS ===============

    R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\hwinfo32\HWiNFO32.SYS [2010-9-25 20088]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
    S0 zbavrf;zbavrf;c:\windows\system32\drivers\ywjnsx.sys [2010-10-26 44160]
    S1 MpKsl252bc785;MpKsl252bc785;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{19ef9fa0-5651-4b70-9ff6-470c0e48b909}\mpksl252bc785.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{19ef9fa0-5651-4b70-9ff6-470c0e48b909}\MpKsl252bc785.sys [?]
    S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\cyberlink\powerdvd8\000.fcl --> c:\program files\cyberlink\powerdvd8\000.fcl [?]
    S2 AMService;AMService;c:\windows\temp\xrom\setup.exe run --> c:\windows\temp\xrom\setup.exe run [?]
    S2 gupdate;Услуга Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-14 135664]

    =============== Created Last 30 ================

    2010-12-22 17:46:19 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{fe67226a-400e-4a5f-a483-a727e7adc301}\mpengine.dll
    2010-12-22 17:28:57 -------- d-----w- c:\docume~1\mim's\locals~1\applic~1\Temp
    2010-12-14 16:18:41 10752 ----a-w- c:\windows\system32\ungzpw.dll

    ==================== Find3M ====================

    2010-09-25 11:08:01 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2010-09-25 11:08:01 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2010-09-25 11:05:27 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2010-09-25 10:13:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-25 10:13:57 423656 ----a-w- c:\windows\system32\deployJava1.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: SAMSUNG_HD321KJ rev.CP100-10 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89AB7EC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88405872; SUB DWORD [EBP-0x4], 0x8840512e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89D9CAB8]
    3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000071[0x89D75218]
    5 ACPI[0xB7E67620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89D9ED98]
    [0x8994F550] -> IRP_MJ_CREATE -> 0x89AB7EC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HD321KJ_________________________CP100-10#3053514d314a5044303437313832202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x89AB7AEA
    user & kernel MBR OK
    sectors 625142446 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 20:00:39,06 ===============

    ______________________________________________

    Attach log:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 15.1.2009 г. 14:57:12
    System Uptime: 22.12.2010 г. 19:45:32 (1 hours ago)

    Motherboard: Foxconn | | P35AX-S
    Processor: Intel(R) Celeron(R) CPU E1200 @ 1.60GHz | SOCKET775 M/B | 1606/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 49 GiB total, 37,593 GiB free.
    D: is FIXED (NTFS) - 249 GiB total, 134,917 GiB free.
    E: is CDROM ()
    F: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC
    Device ID: PCI\VEN_10EC&DEV_8167&SUBSYS_0CE8105B&REV_10\4&19ABE7DE&0&08F0
    Manufacturer: Realtek Semiconductor Corp.
    Name: Realtek RTL8169/8110 Family Gigabit Ethernet NIC
    PNP Device ID: PCI\VEN_10EC&DEV_8167&SUBSYS_0CE8105B&REV_10\4&19ABE7DE&0&08F0
    Service: RTL8023xp

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
    Device ID: PCI\VEN_1186&DEV_1300&SUBSYS_13031186&REV_10\4&19ABE7DE&0&18F0
    Manufacturer: Realtek
    Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
    PNP Device ID: PCI\VEN_1186&DEV_1300&SUBSYS_13031186&REV_10\4&19ABE7DE&0&18F0
    Service: rtl8139

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    µTorrent
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.3
    BS.Player FREE
    CCleaner
    CDBurnerXP
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    Critical Update for Windows Media Player 11 (KB959772)
    CustomerResearchQFolder
    CyberLink PowerDVD 8
    Defraggler
    DeviceFunctionQFolder
    DeviceManagementQFolder
    DocumentViewerQFolder
    eSupportQFolder
    FileHippo.com Update Checker
    FullDPAppQFolder
    Google Chrome
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Update
    HWiNFO32 Version 3.60
    Japanese Fonts Support For Adobe Reader 8
    Java(TM) 6 Update 21
    JMB36X Raid Configurer
    K-Lite Mega Codec Pack 5.4.4
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.5
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft XML Parser
    MSVC80_x86
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero 8
    neroxml
    Nokia Connectivity Cable Driver
    NTREGOPT 1.1j
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NVIDIA PhysX v8.10.13
    Readiris Pro 11 Demo
    Realtek High Definition Audio Driver
    Registry Workshop
    SA Dictionary 2005 T2
    Security Update for 2007 Microsoft Office System (KB2277947)
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB2288953)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2251419)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Skype™ 4.2
    Unlocker 1.8.7
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Outlook 2007 Junk Email Filter (kb2291599)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    VCRedistSetup
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    22.12.2010 г. 19:47:48, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2179.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    22.12.2010 г. 19:46:05, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    22.12.2010 г. 19:38:04, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2179.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    22.12.2010 г. 19:37:34, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    22.12.2010 г. 19:35:57, information: Windows File Protection [64002] - File replacement was attempted on the protected system file cdrom.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
    22.12.2010 г. 19:31:18, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    22.12.2010 г. 19:25:51, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2179.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    22.12.2010 г. 19:24:20, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    22.12.2010 г. 19:16:57, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    22.12.2010 г. 19:15:24, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    22.12.2010 г. 19:15:24, error: Service Control Manager [7034] - The NMSAccessU service terminated unexpectedly. It has done this 1 time(s).
    22.12.2010 г. 19:15:24, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    22.12.2010 г. 19:13:01, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2179.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    22.12.2010 г. 19:11:54, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2179.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    22.12.2010 г. 18:52:06, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanProxy:Win32/Minigaway.A&threatid=2147641179 User: NT AUTHORITY\SYSTEM Name: TrojanProxy:Win32/Minigaway.A ID: 2147641179 Severity: Severe Category: Trojan Proxy Server Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.95.2179.0, AS: 1.95.2179.0 Engine Version: 1.1.6402.0
    22.12.2010 г. 18:43:27, error: Service Control Manager [7034] - The AMService service terminated unexpectedly. It has done this 1 time(s).
    22.12.2010 г. 18:40:49, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    22.12.2010 г. 18:39:15, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanProxy:Win32/Minigaway.A&threatid=2147641179 User: MIM\Mim's Name: TrojanProxy:Win32/Minigaway.A ID: 2147641179 Severity: Severe Category: Trojan Proxy Server Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.95.2179.0, AS: 1.95.2179.0 Engine Version: 1.1.6402.0
    22.12.2010 г. 18:37:27, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    22.12.2010 г. 18:34:50, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    22.12.2010 г. 18:33:20, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    22.12.2010 г. 18:29:23, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    22.12.2010 г. 18:22:19, error: Service Control Manager [7034] - The AMService service terminated unexpectedly. It has done this 1 time(s).
    22.12.2010 г. 18:10:38, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    21.12.2010 г. 19:15:07, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2179.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    21.12.2010 г. 19:04:37, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    20.12.2010 г. 23:04:47, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Mooplids.A&threatid=2147639098 User: NT AUTHORITY\SYSTEM Name: Trojan:Win32/Mooplids.A ID: 2147639098 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.95.2179.0, AS: 1.95.2179.0 Engine Version: 1.1.6402.0
    20.12.2010 г. 19:01:49, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    20.12.2010 г. 18:51:05, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    20.12.2010 г. 18:47:55, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    19.12.2010 г. 17:21:13, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    19.12.2010 г. 17:21:13, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    19.12.2010 г. 17:21:13, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    19.12.2010 г. 17:21:13, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    19.12.2010 г. 17:21:08, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    19.12.2010 г. 17:10:28, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    18.12.2010 г. 13:02:19, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    18.12.2010 г. 11:54:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    18.12.2010 г. 11:54:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    18.12.2010 г. 11:54:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    18.12.2010 г. 11:54:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    18.12.2010 г. 11:54:17, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    18.12.2010 г. 11:43:36, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    17.12.2010 г. 10:48:56, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    17.12.2010 г. 10:48:56, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    17.12.2010 г. 10:48:56, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    17.12.2010 г. 10:48:56, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    17.12.2010 г. 10:48:50, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    17.12.2010 г. 10:38:09, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    17.12.2010 г. 10:17:13, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    16.12.2010 г. 18:35:16, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Mooplids.A&threatid=2147639098 User: NT AUTHORITY\SYSTEM Name: Trojan:Win32/Mooplids.A ID: 2147639098 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.95.1325.0, AS: 1.95.1325.0 Engine Version: 1.1.6402.0
    16.12.2010 г. 10:33:07, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    16.12.2010 г. 10:33:07, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    16.12.2010 г. 10:33:07, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    16.12.2010 г. 10:33:07, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
    16.12.2010 г. 10:33:03, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    16.12.2010 г. 10:22:21, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    15.12.2010 г. 09:30:23, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
    15.12.2010 г. 09:23:45, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.

    ==== End Of File ===========================
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to Techspot! Yes, there is a rootkit, so we'll go after it first. But please ask him to remove these programs from Startup and disable them while I'm working with you:
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    c:\program files\utorrent\uTorrent.exe

    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Please leave the log in your next reply.
    • A reboot is required after disinfection.
    ==================================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  4. Gars

    Gars TS Booster Topic Starter Posts: 224

    Thanks man
    While I was waiting for a response, I dived into the other threads and, at my own risk, ran TDSSKiller.

    It found it and I chose the option 'Clear'.

    After the restart MSE updated.
    The Skype issue is a different thingy - they have a huge problem :)

    Thanks for the time and help!
    I'm always relying on TS!

    Sorry for no log.
    I'll check this in 10 hours, and if I'm wrong - please post me.
    Thanks

    PS: total mess here :)
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I can't help you until I see the results of the scans in the logs. Maybe now that the Holiday weekend is passing, things will return to normal.

    The directions in TDSSKiller say: Select the action Quarantine to quarantine detected objects. And the default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43

    I do not know what "Clear" does in the above program. Clear is not quarantine.
    I do need to see the log.

    The error code 0x80072f76 for Microsoft Antimalware can occur for the following reasons:

    • Applications or processes that interfere with Internet communications
    • Resource issues on your computer
    • High Internet activity
    • Recoverable database errors

    Please go down this list and see if any one, or a combination, will allow MSE to update. I note both the Microsoft Antimalware and the AntiVirus Update are failing:

    1. Verify Internet connectivity
    2. Make sure that Windows Firewall is turned on, and temporarily disable third-party firewalls
    3. Temporarily disable third-party antivirus software
    4. Disable software accelerator programs
    5. Add the Windows Update Web site and the Microsoft Update Web site to the Trusted Sites list
    6. Make sure that you have the latest Background Intelligent Transfer Service (BITS) update installed

    The malware found but not removed by Microsoft Antimalware is TrojanProxy:Win32/Minigaway.A
    Courtesy Microsoft Encyclopedia entry

    After I see the logs for the scans I have directed you to run, I will have you do an online virus scan.
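    A defender's triage pass over the "Event Viewer Messages" section of the DDS log posted above, tying together the failed signature updates, the threat MSE could not remove and the service and driver events. This is an added example for this thread, not DDS code and not something the helper posted; the line layout it parses (date, optional locale suffix, time, level, source, event id, text) is an assumption read off the quoted lines, and the sample is constructed from six of them.

```python
"""Triage the 'Event Viewer Messages' section of a DDS log (added example for
this thread: not DDS code, not something the helper posted). The line layout,
date, optional locale suffix such as 'г.', time, level: source [id] - text,
is an assumption read off the lines quoted in the thread."""
import re
from collections import Counter

# Constructed sample: six lines in the shape of the thread's Event Viewer section,
# with the long Antimalware records shortened to the fields this parser uses.
SAMPLE_LOG = """\
22.12.2010 г. 19:47:48, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. Update Source: Microsoft Update Server Signature Type: AntiVirus Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
22.12.2010 г. 19:46:05, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
22.12.2010 г. 19:35:57, information: Windows File Protection [64002] - File replacement was attempted on the protected system file cdrom.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
22.12.2010 г. 19:31:18, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
22.12.2010 г. 18:52:06, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. User: NT AUTHORITY\\SYSTEM Name: TrojanProxy:Win32/Minigaway.A ID: 2147641179 Severity: Severe Category: Trojan Proxy Server Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer.
19.12.2010 г. 17:21:13, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. Update Source: Microsoft Malware Protection Center Signature Type: AntiSpyware Error code: 0x80072f76 Error description: The requested header was not found
"""

EVENT_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4})(?:\s+\S+\.)?\s+(?P<time>\d{2}:\d{2}:\d{2}),\s+"
    r"(?P<level>\w+):\s+(?P<source>.+?)\s+\[(?P<event_id>\d+)\]\s+-\s+(?P<text>.*)$")
ERROR_CODE_RE = re.compile(r"Error [Cc]ode: (0x[0-9A-Fa-f]{8})")
SIG_TYPE_RE = re.compile(r"Signature Type: (\w+)")
THREAT_RE = re.compile(r"\bName: (\S+) ID: \d+")
SERVICE_RE = re.compile(r"^The (.+?) service (?:failed to start|terminated unexpectedly)")
WFP_FILE_RE = re.compile(r"protected system file (\S+?)\.\s")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")   # service registered under a bare GUID

def parse_events(log_text):
    """Return one dict per line that matches the DDS event layout."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["event_id"] = int(ev["event_id"])
            events.append(ev)
    return events

def triage(log_text):
    """Collect the patterns a helper reads this section for, then judge them."""
    s = {
        "update_failures": Counter(),      # error code -> count (Antimalware 2001)
        "failing_signature_types": set(),  # AntiVirus / AntiSpyware
        "unremovable_threats": {},         # threat name -> error code (Antimalware 1008)
        "service_failures": Counter(),     # service name -> count (SCM 7000/7031/7034)
        "wfp_restored": set(),             # protected files WFP put back (WFP 64002)
    }
    for ev in parse_events(log_text):
        src, eid, text = ev["source"], ev["event_id"], ev["text"]
        if src == "Microsoft Antimalware" and eid == 2001:
            code = ERROR_CODE_RE.search(text)
            s["update_failures"][code.group(1) if code else "unknown"] += 1
            sig = SIG_TYPE_RE.search(text)
            if sig:
                s["failing_signature_types"].add(sig.group(1))
        elif src == "Microsoft Antimalware" and eid == 1008:
            threat, code = THREAT_RE.search(text), ERROR_CODE_RE.search(text)
            if threat:
                s["unremovable_threats"][threat.group(1)] = code.group(1) if code else "unknown"
        elif src == "Service Control Manager" and eid in (7000, 7031, 7034):
            svc = SERVICE_RE.match(text)
            if svc:
                s["service_failures"][svc.group(1)] += 1
        elif src == "Windows File Protection" and eid == 64002:
            f = WFP_FILE_RE.search(text)
            if f:
                s["wfp_restored"].add(f.group(1).lower())
    s["findings"] = findings(s)
    return s

def findings(s):
    """Turn the counts into the observations a helper would act on."""
    out = []
    if s["update_failures"]:
        out.append("signature updates failing: %d events, codes %s, types %s" % (
            sum(s["update_failures"].values()),
            ", ".join(sorted(s["update_failures"])),
            ", ".join(sorted(s["failing_signature_types"])) or "unknown"))
    for name, code in s["unremovable_threats"].items():
        out.append("detected but not removed: %s (error %s)" % (name, code))
    for svc, n in s["service_failures"].items():
        if GUID_RE.match(svc):
            out.append("service %s will not start (binary path missing): review its registry entry" % svc)
        elif "Antimalware" in svc:
            out.append("security service '%s' terminated unexpectedly in %d event(s)" % (svc, n))
    for f in sorted(s["wfp_restored"]):
        out.append("WFP restored protected file %s after a replacement attempt" % f)
    if s["update_failures"] and (s["unremovable_threats"] or s["wfp_restored"]):
        out.append("update failures coincide with detection and driver events: "
                   "consistent with an active infection, not just a network problem")
    return out

if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)["findings"]:
        print("-", line)
```

    Paste the whole DDS event section in place of SAMPLE_LOG to get the same summary for a real log; lines that do not fit the layout are skipped rather than misread.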
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Due to inactivity, this thread is being closed. If the problem persists, please send your helper a PM and request the thread be reopened. Include the URL of the thread.
     