TechSpot

Search engine redirect malware

By danmich177
Dec 6, 2010
Search engine results are redirected. I also had a hard drive boot problem (Windows XP BSOD, 0x0000007B stop code) that may have been a root virus. I bypassed the booting problem by switching the BIOS from SATA to IDE. Here are the logs:

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5214

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    12/6/2010 9:35:07 AM
    mbam-log-2010-12-06 (09-35-07).txt

    Scan type: Quick scan
    Objects scanned: 149029
    Time elapsed: 15 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\dmichele\local settings\temp\pyap.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\WORK.DAT (Malware.Trace) -> Quarantined and deleted successfully.


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-06 10:52:50
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 ST3160815AS rev.4.ADA
    Running: 48w2r3k6.exe; Driver: C:\DOCUME~1\DMichele\LOCALS~1\Temp\kwldapog.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA0AA41AB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA0AA412B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA0AA41D5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA0AA413F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA0AA416B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA0AA41FF]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA0AA4117]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA0AA41BF]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA0AA4155]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA0AA4181]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA0AA4197]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA0AA4215]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA0AA41E9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T0L0-12 8B27739B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8B27739B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8B27739B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8B27739B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8B27739B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 8B27739B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 8B27739B

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Device\Ide\IdeDeviceP2T0L0-7 -> \??\IDE#DiskST3160815AS_____________________________4.ADA___#5&118455e0&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----



    DDS (Ver_10-12-05.01) - NTFSx86
    Run by DMichele at 10:54:59.23 on Mon 12/06/2010
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2769 [GMT -5:00]

    AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Intel\AMT\atchksrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\AMT\LMS.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\AMT\UNS.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Adobe\Distillr\Acrotray.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\DMichele\Desktop\malware logs\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
    mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\distillr\Acrotray.exe"
    mRun: [KeyAccess] c:\windows\keyacc32.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader\reader_sl.exe
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\dmichele\applic~1\mozilla\firefox\profiles\sz8mzhhh.default\
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\documents and settings\dmichele\application data\move networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\documents and settings\dmichele\application data\move networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\documents and settings\dmichele\application data\move networks\plugins\npqmp071505000011.dll
    FF - plugin: c:\documents and settings\dmichele\application data\mozilla\firefox\profiles\sz8mzhhh.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
    FF - plugin: c:\documents and settings\dmichele\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\adobe\reader\browser\nppdf32.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\sony online entertainment\npsoe.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\dmichele\application data\Move Networks
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\dmichele\applic~1\mozilla\firefox\profiles\sz8mzhhh.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ============= SERVICES / DRIVERS ===============

    P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-10-6 144704]
    R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-10-6 31816]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-7-7 103744]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-10-6 54608]
    R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2009-7-7 2521880]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-7-7 72904]
    R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-7-7 34344]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-7-7 177672]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]

    =============== Created Last 30 ================

    2010-12-06 15:45:14 -------- d-s---w- C:\myapplication14494m
    2010-12-06 15:41:15 -------- d-s---w- C:\myapplication
    2010-12-06 15:41:14 389120 ----a-w- c:\windows\system32\CF23067.exe
    2010-12-04 04:39:26 -------- d-sh--w- C:\$RECYCLE.BIN
    2010-12-02 15:56:04 -------- d-----w- c:\docume~1\dmichele\applic~1\Office-Kit.com
    2010-12-02 15:56:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Office-Kit.com
    2010-12-02 15:55:39 438976 ----a-w- c:\windows\system32\MSHFLXGD.OCX
    2010-12-02 15:55:39 232640 ----a-w- c:\windows\system32\MSDATLST.OCX
    2010-12-02 15:55:39 -------- d-----w- c:\program files\OFFICE-KIT.COM

    ==================== Find3M ====================

    2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-09 14:16:31 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 14:16:30 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-09-09 14:16:29 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-08 16:49:49 369664 ----a-w- c:\windows\system32\html.iec

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3160815AS rev.4.ADA -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-7

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B277555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b27d7b0]; MOV EAX, [0x8b27d82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B256AB8]
    3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B28D2F8]
    \Driver\atapi[0x8B299380] -> IRP_MJ_CREATE -> 0x8B277555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP2T0L0-7 -> \??\IDE#DiskST3160815AS_____________________________4.ADA___#5&118455e0&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8B27739B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 10:55:39.28 ===============

    DDS (Ver_10-12-05.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/7/2009 8:10:34 AM
    System Uptime: 12/6/2010 10:39:07 AM (0 hours ago)

    Motherboard: Dell Inc. | | 0GM819
    Processor: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz | CPU | 2660/1333mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 122.424 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: SM Bus Controller
    Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02111028&REV_02\3&172E68DD&0&FB
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02111028&REV_02\3&172E68DD&0&FB
    Service:

    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: Beep
    Device ID: ROOT\LEGACY_BEEP\0000
    Manufacturer:
    Name: Beep
    PNP Device ID: ROOT\LEGACY_BEEP\0000
    Service: Beep

    ==== System Restore Points ===================

    RP412: 9/5/2010 2:15:13 AM - System Checkpoint
    RP413: 9/6/2010 3:15:13 AM - System Checkpoint
    RP414: 9/7/2010 4:15:13 AM - System Checkpoint
    RP415: 9/8/2010 5:15:13 AM - System Checkpoint
    RP416: 9/9/2010 6:15:13 AM - System Checkpoint
    RP417: 9/10/2010 7:15:13 AM - System Checkpoint
    RP418: 9/11/2010 8:15:07 AM - System Checkpoint
    RP419: 9/12/2010 9:15:06 AM - System Checkpoint
    RP420: 9/13/2010 10:17:27 PM - System Checkpoint
    RP421: 9/15/2010 8:07:05 AM - System Checkpoint
    RP422: 9/16/2010 3:00:13 AM - Software Distribution Service 3.0
    RP423: 9/17/2010 3:21:29 AM - System Checkpoint
    RP424: 9/18/2010 4:21:28 AM - System Checkpoint
    RP425: 9/19/2010 5:21:28 AM - System Checkpoint
    RP426: 9/20/2010 6:21:28 AM - System Checkpoint
    RP427: 9/21/2010 7:21:28 AM - System Checkpoint
    RP428: 9/22/2010 8:21:29 AM - System Checkpoint
    RP429: 9/23/2010 10:29:07 AM - System Checkpoint
    RP430: 9/24/2010 12:22:59 PM - System Checkpoint
    RP431: 9/25/2010 1:21:20 PM - System Checkpoint
    RP432: 9/26/2010 2:22:25 PM - System Checkpoint
    RP433: 9/28/2010 1:08:50 AM - System Checkpoint
    RP434: 9/29/2010 1:21:21 AM - System Checkpoint
    RP435: 9/29/2010 3:00:12 AM - Software Distribution Service 3.0
    RP436: 9/30/2010 3:21:20 AM - System Checkpoint
    RP437: 10/1/2010 4:21:21 AM - System Checkpoint
    RP438: 10/2/2010 5:21:14 AM - System Checkpoint
    RP439: 10/3/2010 6:21:10 AM - System Checkpoint
    RP440: 10/4/2010 7:21:10 AM - System Checkpoint
    RP441: 10/5/2010 12:16:34 PM - System Checkpoint
    RP442: 10/6/2010 3:00:13 AM - Software Distribution Service 3.0
    RP443: 10/7/2010 4:30:52 AM - System Checkpoint
    RP444: 10/8/2010 4:54:49 AM - System Checkpoint
    RP445: 10/9/2010 5:21:11 AM - System Checkpoint
    RP446: 10/10/2010 6:21:08 AM - System Checkpoint
    RP447: 10/11/2010 7:21:08 AM - System Checkpoint
    RP448: 10/12/2010 8:21:08 AM - System Checkpoint
    RP449: 10/13/2010 9:29:24 AM - System Checkpoint
    RP450: 10/14/2010 3:00:13 AM - Software Distribution Service 3.0
    RP451: 10/15/2010 3:21:59 AM - System Checkpoint
    RP452: 10/16/2010 3:22:02 AM - System Checkpoint
    RP453: 10/17/2010 4:22:02 AM - System Checkpoint
    RP454: 10/18/2010 5:22:02 AM - System Checkpoint
    RP455: 10/19/2010 6:22:02 AM - System Checkpoint
    RP456: 10/20/2010 7:22:03 AM - System Checkpoint
    RP457: 10/21/2010 8:21:30 AM - System Checkpoint
    RP458: 10/22/2010 10:19:06 AM - System Checkpoint
    RP459: 10/23/2010 11:46:55 AM - System Checkpoint
    RP460: 10/24/2010 12:21:54 PM - System Checkpoint
    RP461: 10/25/2010 12:23:00 PM - System Checkpoint
    RP462: 10/26/2010 3:02:22 PM - System Checkpoint
    RP463: 10/27/2010 4:09:29 PM - System Checkpoint
    RP464: 10/28/2010 6:04:02 PM - System Checkpoint
    RP465: 10/28/2010 10:35:43 PM - Installed EndNote X4
    RP466: 10/29/2010 11:21:55 PM - System Checkpoint
    RP467: 10/31/2010 12:15:27 AM - System Checkpoint
    RP468: 11/1/2010 12:21:53 AM - System Checkpoint
    RP469: 11/2/2010 1:21:53 AM - System Checkpoint
    RP470: 11/3/2010 2:48:20 AM - System Checkpoint
    RP471: 11/4/2010 7:12:44 AM - System Checkpoint
    RP472: 11/5/2010 7:21:53 AM - System Checkpoint
    RP473: 11/6/2010 8:21:53 AM - System Checkpoint
    RP474: 11/7/2010 8:21:52 AM - System Checkpoint
    RP475: 11/8/2010 9:39:03 AM - System Checkpoint
    RP476: 11/9/2010 10:06:32 AM - System Checkpoint
    RP477: 11/10/2010 3:00:13 AM - Software Distribution Service 3.0
    RP478: 11/11/2010 4:21:52 AM - System Checkpoint
    RP479: 11/12/2010 5:21:52 AM - System Checkpoint
    RP480: 11/12/2010 11:13:10 AM - Software Distribution Service 3.0
    RP481: 11/13/2010 11:21:53 AM - System Checkpoint
    RP482: 11/14/2010 12:21:53 PM - System Checkpoint
    RP483: 11/15/2010 2:20:31 PM - System Checkpoint
    RP484: 11/16/2010 8:00:33 PM - System Checkpoint
    RP485: 11/17/2010 8:21:53 PM - System Checkpoint
    RP486: 11/18/2010 9:21:53 PM - System Checkpoint
    RP487: 11/19/2010 9:22:58 PM - System Checkpoint
    RP488: 11/20/2010 9:23:00 PM - System Checkpoint
    RP489: 11/21/2010 10:23:00 PM - System Checkpoint
    RP490: 11/22/2010 11:23:00 PM - System Checkpoint
    RP491: 11/24/2010 12:23:00 AM - System Checkpoint
    RP492: 11/25/2010 1:23:00 AM - System Checkpoint
    RP493: 11/26/2010 2:23:00 AM - System Checkpoint
    RP494: 11/27/2010 3:23:00 AM - System Checkpoint
    RP495: 11/28/2010 4:23:00 AM - System Checkpoint
    RP496: 11/29/2010 5:23:00 AM - System Checkpoint
    RP497: 11/30/2010 6:23:00 AM - System Checkpoint
    RP498: 12/1/2010 7:23:00 AM - System Checkpoint
    RP499: 12/2/2010 11:24:53 AM - System Checkpoint
    RP500: 12/3/2010 12:35:41 PM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Acrobat 7.0 Professional
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.7
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Display Driver
    Bonjour
    Compatibility Pack for the 2007 Office system
    Dell Resource CD
    Demolition Derby & Figure 8 Race
    Digital Video
    EndNote X2
    EndNote X4
    Excel Invoice Manager 2.19.1022
    Google Toolbar for Internet Explorer
    Google Update Helper
    Graphpad Prism 5
    GSC 2.00
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) PRO Network Connections Drivers
    Intel® Active Management Technology
    Intel® Management Engine Interface
    iTunes
    Java(TM) 6 Update 14
    KeyServer MSIS
    Lasergene 8 v8.0.3
    Logitech Webcam Software
    Logitech Webcam Software Driver Package
    Malwarebytes' Anti-Malware
    McAfee AntiSpyware Enterprise Module
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Monster Truck Madness 2 Trial
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Move Media Player
    Mozilla Firefox (3.6.12)
    Nokia Maps Updater 1.0.12
    PC Connectivity Solution
    PosterPrint 2.3
    PowerDVD
    QuickTime
    ResearchSoft Direct Export Helper
    Samsung CLP-500 Series
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SOE Web Installer
    SoundMAX
    Spybot - Search & Destroy
    TeamSpeak 3 Client
    Unity Web Player
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    Ventrilo Client
    WebFldrs XP
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows XP Service Pack 3
    XVID Codec Installation

    ==== Event Viewer Messages From Past Week ========

    12/6/2010 9:46:36 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iastor
    12/6/2010 9:46:14 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    12/6/2010 8:32:51 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/6/2010 8:32:50 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    12/6/2010 10:36:32 AM, error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s).
    12/6/2010 10:36:32 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    12/6/2010 10:36:31 AM, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
    12/6/2010 10:36:31 AM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
    12/6/2010 10:36:31 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    12/6/2010 10:36:31 AM, error: Service Control Manager [7034] - The Intel(R) Active Management Technology User Notification Service service terminated unexpectedly. It has done this 1 time(s).
    12/6/2010 10:36:31 AM, error: Service Control Manager [7034] - The Intel(R) Active Management Technology System Status Service service terminated unexpectedly. It has done this 1 time(s).
    12/6/2010 10:36:31 AM, error: Service Control Manager [7034] - The Intel(R) Active Management Technology Local Management Service service terminated unexpectedly. It has done this 1 time(s).
    12/6/2010 10:36:31 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    12/6/2010 10:36:31 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    12/6/2010 10:36:31 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

    ==== End Of File ===========================
     
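The Event Viewer section of the log above shows several unrelated services (McAfee McShield among them) terminating within the same second. As an added triage aid that is not part of the original post or of any tool mentioned in it, the following script parses DDS-style Event Viewer lines and flags such termination bursts; the sample lines are a retyped subset of the log, and the `SECURITY_SERVICES` set is a constructed, illustrative list.

```python
import re
from datetime import datetime

# Constructed sample: a retyped subset of the Event Viewer lines from the DDS log above.
SAMPLE_EVENTS = """\
12/6/2010 9:46:36 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iastor
12/6/2010 10:36:32 AM, error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s).
12/6/2010 10:36:31 AM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
12/6/2010 10:36:31 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
12/6/2010 10:36:31 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
"""

EVENT_RE = re.compile(r"^(?P<ts>[\d/]+ [\d:]+ [AP]M), (?P<level>\w+): "
                      r"(?P<src>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$")
TERM_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
# Services whose loss means the host is unprotected (constructed list, seeded
# from the log above: McShield is McAfee's on-access scanner).
SECURITY_SERVICES = {"McAfee McShield"}

def parse_events(text):
    """Turn DDS-style Event Viewer lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
            ev["eid"] = int(ev["eid"])
            events.append(ev)
    return events

def find_termination_bursts(events, window_seconds=5, min_services=3):
    """Cluster SCM 7031/7034 'terminated unexpectedly' events that fall within
    window_seconds of each other. Unrelated services dying in the same second
    points at a crash or at something killing services, not at one bad service."""
    deaths = sorted((ev["ts"], TERM_RE.match(ev["msg"]).group("svc"))
                    for ev in events
                    if ev["eid"] in (7031, 7034) and TERM_RE.match(ev["msg"]))
    bursts, cluster = [], []
    for ts, svc in deaths + [(None, None)]:  # sentinel flushes the last cluster
        if cluster and (ts is None or (ts - cluster[0][0]).total_seconds() > window_seconds):
            if len(cluster) >= min_services:
                svcs = [s for _, s in cluster]
                bursts.append({"start": cluster[0][0], "services": svcs,
                               "security_hit": sorted(set(svcs) & SECURITY_SERVICES)})
            cluster = []
        if ts is not None:
            cluster.append((ts, svc))
    return bursts
```

A burst whose `security_hit` list is non-empty is worth correlating with the rootkit findings elsewhere in the thread before treating the individual 7034 entries as separate faults.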
  2. crunchie

    crunchie Malware Helper Posts: 761

    Hi and welcome to TechSpot forums :).

    ====

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  3. danmich177

    danmich177 TS Rookie Topic Starter

    Thanks.

    When I ran ComboFix, it detected Rootkit-TDL3 and rebooted. It locked up on the Windows background with no icons or toolbar without finishing the scan, so I rebooted again; then ComboFix loaded and finished the scan. I had to reboot again to get into Windows with a toolbar etc.

    The log is attached (that's some log, had to divide it in two!!!)
     


  4. crunchie

    crunchie Malware Helper Posts: 761

Topic Status:
Not open for further replies.