Maybe it's a rootkit


Gars

Hello and thanks for your help,

My neighbor is running a dual-core/2 GB machine on fully patched XP SP3.
MSE is the front line of defense and the Windows firewall is running.

We have a problem with MSE updating; Skype is also refusing to sign in.

Here are the logs from MBAM, GMER and DDS:

MBAM log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5376

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22.12.2010 г. 19:53:44
mbam-log-2010-12-22 (19-53-44).txt

Scan type: Quick scan
Objects scanned: 134345
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_____________________________

GMER log:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-22 19:59:19
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_HD321KJ rev.CP100-10
Running: echdjhfk.exe; Driver: C:\DOCUME~1\Mim's\LOCALS~1\Temp\pxtdypob.sys


---- System - GMER 1.0.15 ----

SSDT spda.sys ZwCreateKey [0xB7EA80E0]
SSDT spda.sys ZwEnumerateKey [0xB7EC6CA2]
SSDT spda.sys ZwEnumerateValueKey [0xB7EC7030]
SSDT spda.sys ZwOpenKey [0xB7EA80C0]
SSDT spda.sys ZwQueryKey [0xB7EC7108]
SSDT spda.sys ZwQueryValueKey [0xB7EC6F88]
SSDT spda.sys ZwSetValueKey [0xB7EC719A]

INT 0x62 ? 89E54BF8
INT 0x63 ? 89E54BF8
INT 0x63 ? 89E54BF8
INT 0x63 ? 89BB1BF8
INT 0x63 ? 89BB1BF8
INT 0x63 ? 89E54BF8
INT 0x73 ? 89DE5BF8
INT 0x82 ? 89E54BF8
INT 0x84 ? 89BB1BF8
INT 0xA4 ? 89BB1BF8
INT 0xB4 ? 89BB1BF8

---- Kernel code sections - GMER 1.0.15 ----

? spda.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6B2D3A0, 0x59FFE5, 0xE8000020]
.text USBPORT.SYS!DllUnload B6B0D8AC 5 Bytes JMP 89BB11D8
.rsrc C:\WINDOWS\system32\DRIVERS\cdrom.sys entry point in ".rsrc" section [0xB81F6394]
.text ajffjo66.SYS B69FB386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ajffjo66.SYS B69FB3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ajffjo66.SYS B69FB3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ajffjo66.SYS B69FB3C9 1 Byte [2E]
.text ajffjo66.SYS B69FB3C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1188] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DD000A
.text C:\WINDOWS\System32\svchost.exe[1188] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DE000A
.text C:\WINDOWS\System32\svchost.exe[1188] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DC000C
.text C:\WINDOWS\System32\svchost.exe[1188] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E6000A
.text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0139000A
.text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013A000A
.text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FF000C

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA9040] spda.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA913C] spda.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA90BE] spda.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA97FC] spda.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA96D2] spda.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EB9048] spda.sys
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!READ_PORT_UCHAR] 053C0D74
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!KeGetCurrentIrql] 57B80974
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!KfRaiseIrql] 8B000000
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!KfLowerIrql] 56C35DE5
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!HalGetInterruptVector] 8D08758B
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!HalTranslateBusAddress] 8D51FC4D
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!KeStallExecutionProcessor] 8D52FD55
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!KfReleaseSpinLock] 8D51FE4D
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D52FF55
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!READ_PORT_USHORT] 8D51F84D
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 5052F455
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[HAL.dll!WRITE_PORT_UCHAR] EACAE856
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[WMILIB.SYS!WmiSystemControl] 0FC08520
IAT \SystemRoot\System32\Drivers\ajffjo66.SYS[WMILIB.SYS!WmiCompleteRequest] 0001B185

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89DE11F8
Device \FileSystem\Fastfat \FatCdrom 89C30500
Device \Driver\sptd \Device\170484184 spda.sys
Device \Driver\usbuhci \Device\USBPDO-0 89BB01F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89DE31F8
Device \Driver\dmio \Device\DmControl\DmConfig 89DE31F8
Device \Driver\dmio \Device\DmControl\DmPnP 89DE31F8
Device \Driver\dmio \Device\DmControl\DmInfo 89DE31F8
Device \Driver\usbuhci \Device\USBPDO-1 89BB01F8
Device \Driver\usbuhci \Device\USBPDO-2 89BB01F8
Device \Driver\PCI_PNP7934 \Device\00000046 spda.sys
Device \Driver\usbehci \Device\USBPDO-3 89B8A1F8
Device \Driver\usbuhci \Device\USBPDO-4 89BB01F8
Device \Driver\usbuhci \Device\USBPDO-5 89BB01F8
Device \Driver\usbuhci \Device\USBPDO-6 89BB01F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89E551F8
Device \Driver\usbehci \Device\USBPDO-7 89B8A1F8
Device \Driver\Cdrom \Device\CdRom0 89B211F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89E551F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89AB7AEA
Device \Driver\atapi \Device\Ide\IdePort0 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89AB7AEA
Device \Driver\atapi \Device\Ide\IdePort1 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 89AB7AEA
Device \Driver\atapi \Device\Ide\IdePort2 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 89AB7AEA
Device \Driver\atapi \Device\Ide\IdePort3 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-12 89AB7AEA
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 89B211F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8912B1F8
Device \Driver\NetBT \Device\NetbiosSmb 8912B1F8
Device \Driver\usbuhci \Device\USBFDO-0 89BB01F8
Device \Driver\usbuhci \Device\USBFDO-1 89BB01F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 891261F8
Device \Driver\usbuhci \Device\USBFDO-2 89BB01F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 891261F8
Device \Driver\usbehci \Device\USBFDO-3 89B8A1F8
Device \Driver\usbuhci \Device\USBFDO-4 89BB01F8
Device \Driver\Ftdisk \Device\FtControl 89E551F8
Device \Driver\usbuhci \Device\USBFDO-5 89BB01F8
Device \Driver\usbuhci \Device\USBFDO-6 89BB01F8
Device \Driver\usbehci \Device\USBFDO-7 89B8A1F8
Device \Driver\ajffjo66 \Device\Scsi\ajffjo661 89A651F8
Device \Driver\ajffjo66 \Device\Scsi\ajffjo661Port5Path0Target0Lun0 89A651F8
Device \Driver\JRAID \Device\Scsi\JRAID1 89DE21F8
Device \FileSystem\Fastfat \Fat 89C30500

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 899AC500
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HD321KJ_________________________CP100-10#3053514d314a5044303437313832202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x63 0x3D 0x91 0xCA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x11 0x38 0x8E 0x9A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCE 0x60 0x6A 0xE2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x63 0x3D 0x91 0xCA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x11 0x38 0x8E 0x9A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCE 0x60 0x6A 0xE2 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 625142192 (+254): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\cdrom.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

______________________________
 
DDS log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Mim's at 19:59:29,06 on 22.12.2010 г.
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.2047.1543 [GMT 2:00]

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Mim's\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.bg/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - No File
TB: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\mim's\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232127573437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ungzpw - ungzpw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mjmyxlea.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\hwinfo32\HWiNFO32.SYS [2010-9-25 20088]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
S0 zbavrf;zbavrf;c:\windows\system32\drivers\ywjnsx.sys [2010-10-26 44160]
S1 MpKsl252bc785;MpKsl252bc785;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{19ef9fa0-5651-4b70-9ff6-470c0e48b909}\mpksl252bc785.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{19ef9fa0-5651-4b70-9ff6-470c0e48b909}\MpKsl252bc785.sys [?]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\cyberlink\powerdvd8\000.fcl --> c:\program files\cyberlink\powerdvd8\000.fcl [?]
S2 AMService;AMService;c:\windows\temp\xrom\setup.exe run --> c:\windows\temp\xrom\setup.exe run [?]
S2 gupdate;Услуга Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-14 135664]

=============== Created Last 30 ================

2010-12-22 17:46:19 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{fe67226a-400e-4a5f-a483-a727e7adc301}\mpengine.dll
2010-12-22 17:28:57 -------- d-----w- c:\docume~1\mim's\locals~1\applic~1\Temp
2010-12-14 16:18:41 10752 ----a-w- c:\windows\system32\ungzpw.dll

==================== Find3M ====================

2010-09-25 11:08:01 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-09-25 11:08:01 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-09-25 11:05:27 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-09-25 10:13:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-25 10:13:57 423656 ----a-w- c:\windows\system32\deployJava1.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_HD321KJ rev.CP100-10 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89AB7EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88405872; SUB DWORD [EBP-0x4], 0x8840512e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89D9CAB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000071[0x89D75218]
5 ACPI[0xB7E67620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89D9ED98]
[0x8994F550] -> IRP_MJ_CREATE -> 0x89AB7EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HD321KJ_________________________CP100-10#3053514d314a5044303437313832202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89AB7AEA
user & kernel MBR OK
sectors 625142446 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 20:00:39,06 ===============

______________________________________________

Attach log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 15.1.2009 г. 14:57:12
System Uptime: 22.12.2010 г. 19:45:32 (1 hours ago)

Motherboard: Foxconn | | P35AX-S
Processor: Intel(R) Celeron(R) CPU E1200 @ 1.60GHz | SOCKET775 M/B | 1606/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 49 GiB total, 37,593 GiB free.
D: is FIXED (NTFS) - 249 GiB total, 134,917 GiB free.
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8167&SUBSYS_0CE8105B&REV_10\4&19ABE7DE&0&08F0
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8169/8110 Family Gigabit Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8167&SUBSYS_0CE8105B&REV_10\4&19ABE7DE&0&08F0
Service: RTL8023xp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_1186&DEV_1300&SUBSYS_13031186&REV_10\4&19ABE7DE&0&18F0
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
PNP Device ID: PCI\VEN_1186&DEV_1300&SUBSYS_13031186&REV_10\4&19ABE7DE&0&18F0
Service: rtl8139

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
BS.Player FREE
CCleaner
CDBurnerXP
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
CyberLink PowerDVD 8
Defraggler
DeviceFunctionQFolder
DeviceManagementQFolder
DocumentViewerQFolder
eSupportQFolder
FileHippo.com Update Checker
FullDPAppQFolder
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Update
HWiNFO32 Version 3.60
Japanese Fonts Support For Adobe Reader 8
Java(TM) 6 Update 21
JMB36X Raid Configurer
K-Lite Mega Codec Pack 5.4.4
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
MSVC80_x86
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8
neroxml
Nokia Connectivity Cable Driver
NTREGOPT 1.1j
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX v8.10.13
Readiris Pro 11 Demo
Realtek High Definition Audio Driver
Registry Workshop
SA Dictionary 2005 T2
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype™ 4.2
Unlocker 1.8.7
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb2291599)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
VCRedistSetup
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver

==== Event Viewer Messages From Past Week ========

22.12.2010 г. 19:47:48, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2179.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
22.12.2010 г. 19:46:05, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
22.12.2010 г. 19:38:04, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2179.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
22.12.2010 г. 19:37:34, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
22.12.2010 г. 19:35:57, information: Windows File Protection [64002] - File replacement was attempted on the protected system file cdrom.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
22.12.2010 г. 19:31:18, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
22.12.2010 г. 19:25:51, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2179.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
22.12.2010 г. 19:24:20, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
22.12.2010 г. 19:16:57, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
22.12.2010 г. 19:15:24, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
22.12.2010 г. 19:15:24, error: Service Control Manager [7034] - The NMSAccessU service terminated unexpectedly. It has done this 1 time(s).
22.12.2010 г. 19:15:24, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
22.12.2010 г. 19:13:01, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2179.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
22.12.2010 г. 19:11:54, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2179.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
22.12.2010 г. 18:52:06, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanProxy:Win32/Minigaway.A&threatid=2147641179 User: NT AUTHORITY\SYSTEM Name: TrojanProxy:Win32/Minigaway.A ID: 2147641179 Severity: Severe Category: Trojan Proxy Server Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.95.2179.0, AS: 1.95.2179.0 Engine Version: 1.1.6402.0
22.12.2010 г. 18:43:27, error: Service Control Manager [7034] - The AMService service terminated unexpectedly. It has done this 1 time(s).
22.12.2010 г. 18:40:49, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
22.12.2010 г. 18:39:15, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanProxy:Win32/Minigaway.A&threatid=2147641179 User: MIM\Mim's Name: TrojanProxy:Win32/Minigaway.A ID: 2147641179 Severity: Severe Category: Trojan Proxy Server Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.95.2179.0, AS: 1.95.2179.0 Engine Version: 1.1.6402.0
22.12.2010 г. 18:37:27, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
22.12.2010 г. 18:34:50, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
22.12.2010 г. 18:33:20, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
22.12.2010 г. 18:29:23, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
22.12.2010 г. 18:22:19, error: Service Control Manager [7034] - The AMService service terminated unexpectedly. It has done this 1 time(s).
22.12.2010 г. 18:10:38, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
21.12.2010 г. 19:15:07, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2179.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
21.12.2010 г. 19:04:37, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
20.12.2010 г. 23:04:47, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Mooplids.A&threatid=2147639098 User: NT AUTHORITY\SYSTEM Name: Trojan:Win32/Mooplids.A ID: 2147639098 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.95.2179.0, AS: 1.95.2179.0 Engine Version: 1.1.6402.0
20.12.2010 г. 19:01:49, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
20.12.2010 г. 18:51:05, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
20.12.2010 г. 18:47:55, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
19.12.2010 г. 17:21:13, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
19.12.2010 г. 17:21:13, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
19.12.2010 г. 17:21:13, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
19.12.2010 г. 17:21:13, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
19.12.2010 г. 17:21:08, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
19.12.2010 г. 17:10:28, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
18.12.2010 г. 13:02:19, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
18.12.2010 г. 11:54:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
18.12.2010 г. 11:54:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
18.12.2010 г. 11:54:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
18.12.2010 г. 11:54:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
18.12.2010 г. 11:54:17, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
18.12.2010 г. 11:43:36, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
17.12.2010 г. 10:48:56, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
17.12.2010 г. 10:48:56, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
17.12.2010 г. 10:48:56, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
17.12.2010 г. 10:48:56, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
17.12.2010 г. 10:48:50, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
17.12.2010 г. 10:38:09, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
17.12.2010 г. 10:17:13, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
16.12.2010 г. 18:35:16, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Mooplids.A&threatid=2147639098 User: NT AUTHORITY\SYSTEM Name: Trojan:Win32/Mooplids.A ID: 2147639098 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.95.1325.0, AS: 1.95.1325.0 Engine Version: 1.1.6402.0
16.12.2010 г. 10:33:07, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
16.12.2010 г. 10:33:07, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
16.12.2010 г. 10:33:07, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
16.12.2010 г. 10:33:07, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...5.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072f76 Error description: The requested header was not found
16.12.2010 г. 10:33:03, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1325.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
16.12.2010 г. 10:22:21, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
15.12.2010 г. 09:30:23, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.
15.12.2010 г. 09:23:45, error: Service Control Manager [7000] - The {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following error: The system cannot find the path specified.

==== End Of File ===========================
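The "Event Viewer Messages From Past Week" block above is the most telling part of the DDS log, but it is a wall of near-identical lines. The script below is an added example, not part of the original post or of the DDS tool: it parses lines in the layout DDS uses above (date, time, level, source, [event ID], message), counts the repeated failures, and flags the indicators a helper would look at first: a service named only by a GUID that cannot find its binary, the Microsoft Antimalware service dying, Windows File Protection restoring cdrom.sys, signature updates failing with 0x80072efe / 0x80072f76, and detections MSE could not remove. The sample lines are copied (some shortened) from the log posted above; the regular expressions and the registry path mentioned in the findings are my own assumptions about where to look next.

```python
"""Triage the "Event Viewer Messages From Past Week" section of a DDS log.

Added example for this thread; not part of DDS. Assumes the DDS line layout:
  dd.mm.yyyy г. hh:mm:ss, level: Source [event id] - message
"""
import re
from collections import Counter

# Sample input: lines copied (some shortened) from the DDS log posted in the thread.
# The "г." after the date is the Bulgarian abbreviation for "year".
SAMPLE_EVENTS = [
    "22.12.2010 г. 19:47:48, error: Microsoft Antimalware [2001] - Microsoft Antimalware "
    "has encountered an error trying to update signatures. Update Source: Microsoft Update "
    "Server Error code: 0x80072efe Error description: The connection with the server was "
    "terminated abnormally",
    "22.12.2010 г. 19:46:05, error: Service Control Manager [7000] - The "
    "{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following "
    "error: The system cannot find the path specified.",
    "22.12.2010 г. 19:35:57, information: Windows File Protection [64002] - File replacement "
    "was attempted on the protected system file cdrom.sys. This file was restored to the "
    "original version to maintain system stability.",
    "22.12.2010 г. 19:31:18, error: Service Control Manager [7031] - The Microsoft "
    "Antimalware Service service terminated unexpectedly. It has done this 1 time(s).",
    "22.12.2010 г. 18:52:06, error: Microsoft Antimalware [1008] - Microsoft Antimalware has "
    "encountered an error when taking action on spyware or other potentially unwanted "
    "software. User: NT AUTHORITY\\SYSTEM Name: TrojanProxy:Win32/Minigaway.A ID: 2147641179 "
    "Severity: Severe Category: Trojan Proxy Server Path: Action: Remove Error Code: "
    "0x80508023 Error description: The program could not find the spyware and other "
    "potentially unwanted software on this computer.",
    "21.12.2010 г. 19:04:37, error: Service Control Manager [7000] - The "
    "{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} service failed to start due to the following "
    "error: The system cannot find the path specified.",
    "19.12.2010 г. 17:21:13, error: Microsoft Antimalware [2001] - Microsoft Antimalware "
    "has encountered an error trying to update signatures. Update Source: Microsoft Malware "
    "Protection Center Error code: 0x80072f76 Error description: The requested header was "
    "not found",
    "20.12.2010 г. 23:04:47, error: Microsoft Antimalware [1008] - Microsoft Antimalware has "
    "encountered an error when taking action on spyware or other potentially unwanted "
    "software. User: NT AUTHORITY\\SYSTEM Name: Trojan:Win32/Mooplids.A ID: 2147639098 "
    "Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508023",
]

EVENT_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4})(?: г\.)? (?P<time>\d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
ERROR_CODE_RE = re.compile(r"Error [Cc]ode: (0x[0-9A-Fa-f]+)")
SERVICE_RE = re.compile(r"^The (.+?) service (?:failed to start|terminated unexpectedly)")
THREAT_RE = re.compile(r"\bName: (\S+)")          # MSE 1008 events carry "Name: <threat>"
WFP_RE = re.compile(r"protected system file (\S+)\.(?:\s|$)")
# A service known only by a GUID, whose binary is gone, is typical of a rootkit
# loader (or of one that was half removed); it deserves a manual look.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_event(line):
    """Return a dict for one DDS event line, or None if the line is not an event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    msg = ev["message"]
    code, svc = ERROR_CODE_RE.search(msg), SERVICE_RE.search(msg)
    threat, wfp = THREAT_RE.search(msg), WFP_RE.search(msg)
    ev["error_code"] = code.group(1).lower() if code else None
    ev["service"] = svc.group(1) if svc else None
    ev["threat"] = threat.group(1) if threat else None
    ev["wfp_file"] = wfp.group(1) if wfp else None
    return ev


def triage(lines):
    """Summarise DDS event lines and list the indicators worth chasing first."""
    events = [e for e in map(parse_event, lines) if e is not None]
    failed_services = Counter(e["service"] for e in events if e["service"])
    update_errors = Counter(
        e["error_code"] for e in events
        if e["source"] == "Microsoft Antimalware" and e["event_id"] == 2001 and e["error_code"]
    )
    unremoved = sorted({e["threat"] for e in events if e["event_id"] == 1008 and e["threat"]})
    wfp_restored = sorted({e["wfp_file"] for e in events if e["wfp_file"]})

    findings = []
    for svc, n in sorted(failed_services.items()):
        if GUID_RE.match(svc):
            findings.append(f"GUID-named service {svc} failed to start {n} time(s): "
                            "inspect its entry under HKLM\\SYSTEM\\CurrentControlSet\\Services")
        elif "Antimalware" in svc:
            findings.append(f"{svc} terminated unexpectedly {n} time(s): AV crashing or killed")
    if unremoved:
        findings.append("detected but not removed by MSE: " + ", ".join(unremoved))
    for name in wfp_restored:
        findings.append(f"Windows File Protection restored {name}: something tried to "
                        "replace a system driver")
    if update_errors:
        codes = ", ".join(f"{c} x{n}" for c, n in sorted(update_errors.items()))
        findings.append("signature updates failing: " + codes)
    return {
        "events": len(events),
        "by_type": Counter((e["source"], e["event_id"]) for e in events),
        "failed_services": failed_services,
        "update_errors": update_errors,
        "unremoved_threats": unremoved,
        "wfp_restored": wfp_restored,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS)["findings"]:
        print("-", finding)
```

Run it against the full event section of a DDS log (one event per line) and the findings list gives the short version a helper needs: which service is repeatedly failing, which threat names MSE reported but could not act on, and whether the update failures are all the same error code or a mix.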
 
Welcome to Techspot! Yes, there is a rootkit, so we'll go after it first. But please ask him to remove these programs from Startup and disable them while I'm working with you:
C:\Program Files\CDBurnerXP\NMSAccessU.exe
c:\program files\utorrent\uTorrent.exe

  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe. to run the scan
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result. Please leave the log in your next reply.
  • A reboot is required after disinfection.
==================================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • If the Recovery Console is missing, ComboFix shows a query dialog reading:
    WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see ComboFix's next prompt.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Thanks man.
While I was waiting for a response, I went through the other threads and, at my own risk, ran TDSSKiller.

It found it and I chose the option 'Clear'.

After a restart MSE updated.
The Skype issue is a different thing; they have a huge problem :)

Thanks for the time and help!
I'm always relying on TS!

Sorry for no log.
I'll check this in 10 hours, and if I'm wrong, please post me.
Thanks.

PS: total mess here :)
 
I can't help you until I see the results of the scans in the logs. Maybe now that the Holiday weekend is passing, things will return to normal.

The directions in TDSSKiller say: Select the action Quarantine to quarantine detected objects. And the default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43

I do not know what "Clear" does in the above program. Clear is not quarantine.
I do need to see the log.

We have a problem with the update of MSE
The error code 0x80072f76 for Microsoft Antimalware can occur for the following reasons:

  • Applications or processes that interfere with Internet communications
  • Resource issues on your computer
  • High Internet activity
  • Recoverable database errors

Please go down this list and see if any one of these, or a combination, will allow MSE to update. I note both the Microsoft Antimalware and the AntiVirus Update are failing:


  • Verify Internet connectivity
  • Make sure that Windows Firewall is turned on, and temporarily disable third-party firewalls
  • Temporarily disable third-party antivirus software
  • Disable software accelerator programs
  • Add the Windows Update Web site and the Microsoft Update Web site to the Trusted Sites list
  • Make sure that you have the latest Background Intelligent Transfer Service (BITS) update installed

The malware found but not removed by Microsoft Antimalware is TrojanProxy:Win32/Minigaway.A
A proxy trojan serves as an agent between the attacker and the Internet. By installing a proxy trojan on a user's computer, the attacker is able to carry out actions through that user's computer and thereby deflect attention to that user and away from the actual attacker. Often, a proxy trojan installs an email proxy which is then used to send large amounts of unsolicited email, i.e. spam, through the infected user's Internet connection. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available.
Courtesy Microsoft Encyclopedia entry

After I see the logs for the scans I have directed you to run, I will have you do an online virus scan.
 
Due to inactivity, this thread is being closed. If the problem persist, please send your helper a PM and request the thread be reopened. Include the URL of the thread.
 