TechSpot

Trojan-Clicker.Win32.Wistler.a and MEM:Rootkit.Win32.TDSS.fa

Inactive
By Clive Jackson
Jan 5, 2011
  1. Greetings.

    I'm running Windows XP on a Dell Latitude E6500. I am not that tech savvy, but can try whatever I need. This is a work/home laptop, but a complete wipe seems like a hard way to recover from this. I followed the directions in the Prelim 8-Step Removal, but was unable to achieve proper results for DDS. Maybe Vipre is interfering, but I don't know how to disable script blocking. Kaspersky Virus Removal Tool 2010 finds Trojan-Clicker.Win32.Wistler.a in \Device\Harddisk0\DR0 and MEM:Rootkit.Win32.TDSS.fa in Hidden startup objects, but cannot disinfect them. The only option is to "Skip". I believe this problem was acquired from infected websites and not from a download - maybe streaming.


    Indications: Computer startup hiccups and sometimes does not yield a desktop or task bar. Some appearance settings are altered. Function has slowed. Most programs are running correctly, except iTunes. Additional svchost.exe's plus more apparently unneeded .exe's are running, as shown under Windows Task Manager Processes. I think this results in acquiring additional temp files for internet sites I know I didn't visit. Also, some browser queries are redirected. Cannot access the Microsoft Updates website at all.

    Please help. See the mbam-log.txt and gmer.log respectively below:


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5464

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    1/5/2011 12:09:57 PM
    mbam-log-2011-01-05 (12-09-57).txt

    Scan type: Quick scan
    Objects scanned: 181120
    Time elapsed: 4 minute(s), 14 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)





    GMER

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-05 12:22:02
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD16 rev.11.0
    Running: 51uthev1.exe; Driver: C:\DOCUME~1\darin\LOCALS~1\Temp\kwldypod.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
    AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)

    Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600BEVT-75ZCT2___________________11.01A11#4&3ac9d9dd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----
     
  2. Clive Jackson (TS Rookie, Topic Starter)

    dds update

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Darin at 15:53:25.75 on Wed 01/05/2011
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3024 [GMT -6:00]

    AV: Sunbelt VIPRE *Enabled/Outdated* {964FCE60-0B18-4D30-ADD6-EB178909041C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\drivers\audio\r213367\stacsv.exe
    C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
    C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
    svchost.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
    C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
    C:\Program Files\AirPort\APAgent.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\darin\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.live.com
    mDefault_Page_URL = hxxp://www.dell.com
    mStart Page = hxxp://www.dell.com
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [Google Update] "c:\documents and settings\darin\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SBAMTray] c:\program files\sunbelt software\sbeagent\SBAMTray.exe
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    StartupFolder: c:\docume~1\darin\startm~1\programs\startup\setup_~1.lnk - c:\program files\kaperski virus removal tool\setup_9.0.0.722_04.01.2011_18-33\startup.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252531585453
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252531643703
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\darin\applic~1\mozilla\firefox\profiles\a02fw7hr.default\
    FF - prefs.js: browser.startup.homepage - hxxps://ccs.coair.com/CCS/Default.aspx|http://www.ccsmax.com/
    FF - plugin: c:\documents and settings\darin\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\darin\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\darin\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1698.5652\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

    ============= SERVICES / DRIVERS ===============

    R0 49152812;49152812 Boot Guard Driver;c:\windows\system32\drivers\49152812.sys [2011-1-4 37392]
    R1 49152811;49152811;c:\windows\system32\drivers\49152811.sys [2011-1-4 128016]
    R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2009-9-10 86552]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-1-18 13360]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]
    R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-9-24 203056]
    R1 setup_9.0.0.722_04.01.2011_18-33drv;setup_9.0.0.722_04.01.2011_18-33drv;c:\windows\system32\drivers\4915281.sys [2011-1-4 315408]
    R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-1-22 808296]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-1-22 20840]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-4-9 447264]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374152]
    R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\sunbelt software\sbeagent\SBAMSvc.exe [2010-1-4 1012080]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-1-18 69936]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-9-4 112512]
    R3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]
    R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-9-4 32808]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-9-4 244368]
    R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [2009-9-4 148056]
    R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-9-4 133632]
    R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-9-4 280096]
    R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-9-4 232744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-10 133104]
    S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
    S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2009-9-10 24876]

    =============== File Associations ===============

    .scr=AutoCADLTScriptFile

    =============== Created Last 30 ================

    2011-01-04 16:09:51 37392 ----a-w- c:\windows\system32\drivers\49152812.sys
    2011-01-04 16:09:51 315408 ----a-w- c:\windows\system32\drivers\4915281.sys
    2011-01-04 16:09:51 128016 ----a-w- c:\windows\system32\drivers\49152811.sys
    2011-01-04 16:09:50 -------- d-----w- c:\program files\Kaperski Virus Removal Tool
    2011-01-04 02:14:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-01-03 16:34:49 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-01-03 16:34:49 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-01-03 16:32:20 -------- d-----w- c:\program files\iTunes
    2011-01-03 16:32:20 -------- d-----w- c:\program files\iPod
    2010-12-27 20:13:29 -------- d-----w- c:\program files\iPod(2)
    2010-12-27 20:13:26 -------- d-----w- c:\program files\iTunes(2)
    2010-12-27 19:53:18 -------- d-----w- c:\program files\QuickTime(2)
    2010-12-21 18:19:13 -------- d-----w- c:\program files\GanttProject

    ==================== Find3M ====================

    2010-12-30 05:28:42 108544 --sha-r- c:\windows\system32\msaud324.dll
    2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD16 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B01E555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b0247b0]; MOV EAX, [0x8b02482c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B02D558]
    3 CLASSPNP[0xBA8E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A64C1B0]
    \Driver\iaStor[0x8B02C770] -> IRP_MJ_CREATE -> 0x8B01E555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600BEVT-75ZCT2___________________11.01A11#4&3ac9d9dd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user != kernel MBR !!!
    sectors 312581806 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    ============= FINISH: 15:54:14.42 ===============




    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/9/2009 4:21:08 PM
    System Uptime: 1/5/2011 3:24:25 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0X564R
    Processor: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz | Microprocessor | 2393/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 149 GiB total, 99.64 GiB free.
    D: is CDROM ()
    U: is NetworkDisk (NTFS) - 1 GiB total, 17.69 GiB free.
    X: is NetworkDisk (NTFS) - 110 GiB total, 0 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_ASFALRT\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_ASFALRT\0000
    Service:

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: SonicWALL VPN Adapter
    Device ID: ROOT\RCVPN\0000
    Manufacturer: SonicWALL, Inc.
    Name: SonicWALL VPN Adapter
    PNP Device ID: ROOT\RCVPN\0000
    Service: rcvpn

    ==== System Restore Points ===================

    RP159: 10/5/2010 9:19:26 AM - _05-Oct-2010 09:19:23 AM
    RP160: 10/6/2010 10:30:36 AM - _06-Oct-2010 10:30:31 AM
    RP161: 10/7/2010 9:29:25 AM - _07-Oct-2010 09:29:21 AM
    RP162: 10/8/2010 9:33:17 AM - _08-Oct-2010 09:33:13 AM
    RP163: 10/11/2010 9:26:35 AM - _11-Oct-2010 09:26:31 AM
    RP164: 10/12/2010 10:03:45 AM - _12-Oct-2010 10:03:41 AM
    RP165: 10/13/2010 8:41:26 AM - _13-Oct-2010 08:41:22 AM
    RP166: 10/14/2010 11:48:37 AM - _14-Oct-2010 11:48:33 AM
    RP167: 10/15/2010 9:21:09 AM - _15-Oct-2010 09:21:05 AM
    RP168: 10/18/2010 9:26:28 AM - _18-Oct-2010 09:26:24 AM
    RP169: 10/19/2010 9:14:53 AM - _19-Oct-2010 09:14:49 AM
    RP170: 10/20/2010 9:34:56 AM - _20-Oct-2010 09:34:51 AM
    RP171: 10/21/2010 12:03:07 AM - _21-Oct-2010 12:03:01 AM
    RP172: 10/21/2010 12:04:44 AM - Software Distribution Service 3.0
    RP173: 10/21/2010 12:04:59 AM - Software Distribution Service 3.0
    RP174: 10/21/2010 12:05:19 AM - Software Distribution Service 3.0
    RP175: 10/21/2010 12:05:33 AM - Software Distribution Service 3.0
    RP176: 10/21/2010 12:05:49 AM - Software Distribution Service 3.0
    RP177: 10/21/2010 12:06:01 AM - Software Distribution Service 3.0
    RP178: 10/21/2010 12:08:07 AM - Software Distribution Service 3.0
    RP179: 10/21/2010 12:08:29 AM - Software Distribution Service 3.0
    RP180: 10/21/2010 12:08:40 AM - Software Distribution Service 3.0
    RP181: 10/21/2010 12:08:51 AM - Software Distribution Service 3.0
    RP182: 10/21/2010 12:09:06 AM - Software Distribution Service 3.0
    RP183: 10/21/2010 12:11:10 AM - Software Distribution Service 3.0
    RP184: 10/21/2010 12:11:28 AM - Software Distribution Service 3.0
    RP185: 10/21/2010 12:11:41 AM - Software Distribution Service 3.0
    RP186: 10/21/2010 12:11:57 AM - Software Distribution Service 3.0
    RP187: 10/21/2010 12:12:17 AM - Software Distribution Service 3.0
    RP188: 10/21/2010 12:12:28 AM - Software Distribution Service 3.0
    RP189: 10/21/2010 12:12:41 AM - Software Distribution Service 3.0
    RP190: 10/21/2010 12:12:53 AM - Software Distribution Service 3.0
    RP191: 10/21/2010 12:13:10 AM - Software Distribution Service 3.0
    RP192: 10/22/2010 10:11:12 AM - _22-Oct-2010 10:11:07 AM
    RP193: 10/23/2010 12:27:55 AM - _23-Oct-2010 12:27:51 AM
    RP194: 10/24/2010 12:16:20 AM - _24-Oct-2010 12:16:15 AM
    RP195: 10/25/2010 11:42:27 AM - _25-Oct-2010 11:42:23 AM
    RP196: 10/26/2010 9:36:29 AM - _26-Oct-2010 09:36:26 AM
    RP197: 10/27/2010 9:26:03 AM - _27-Oct-2010 09:26:00 AM
    RP198: 10/28/2010 9:48:28 AM - _28-Oct-2010 09:48:25 AM
    RP199: 10/29/2010 9:39:31 AM - _29-Oct-2010 09:39:28 AM
    RP200: 11/1/2010 9:26:46 AM - _01-Nov-2010 09:26:43 AM
    RP201: 11/2/2010 10:53:27 AM - _02-Nov-2010 10:53:23 AM
    RP202: 11/3/2010 9:38:52 AM - _03-Nov-2010 09:38:49 AM
    RP203: 11/4/2010 12:07:03 PM - System Checkpoint
    RP204: 11/5/2010 12:36:55 PM - System Checkpoint
    RP205: 11/6/2010 6:28:49 PM - System Checkpoint
    RP206: 11/9/2010 9:53:56 AM - System Checkpoint
    RP207: 11/11/2010 10:49:35 AM - System Checkpoint
    RP208: 11/15/2010 12:43:24 PM - System Checkpoint
    RP209: 11/16/2010 1:01:02 PM - System Checkpoint
    RP210: 11/18/2010 12:00:10 AM - System Checkpoint
    RP211: 11/19/2010 12:50:09 PM - System Checkpoint
    RP212: 11/22/2010 9:31:45 AM - System Checkpoint
    RP213: 11/23/2010 1:05:28 PM - System Checkpoint
    RP214: 11/29/2010 1:41:47 PM - System Checkpoint
    RP215: 12/1/2010 4:44:11 PM - System Checkpoint
    RP216: 12/3/2010 12:31:49 AM - System Checkpoint
    RP217: 12/6/2010 12:34:15 PM - System Checkpoint
    RP218: 12/7/2010 12:46:07 PM - System Checkpoint
    RP219: 12/8/2010 4:27:19 PM - System Checkpoint
    RP220: 12/10/2010 12:48:58 PM - System Checkpoint
    RP221: 12/13/2010 10:39:44 AM - System Checkpoint
    RP222: 12/14/2010 4:48:09 PM - System Checkpoint
    RP223: 12/16/2010 11:25:18 AM - System Checkpoint
    RP224: 12/19/2010 6:33:18 PM - System Checkpoint
    RP225: 12/21/2010 1:13:47 AM - System Checkpoint
    RP226: 12/22/2010 1:52:04 PM - System Checkpoint
    RP227: 12/23/2010 8:01:23 PM - System Checkpoint
    RP228: 12/24/2010 8:44:04 PM - System Checkpoint
    RP229: 12/25/2010 9:44:05 PM - System Checkpoint
    RP230: 12/26/2010 10:44:03 PM - System Checkpoint
    RP231: 12/28/2010 1:42:14 PM - System Checkpoint
    RP232: 1/2/2011 11:48:55 AM - System Checkpoint
    RP233: 1/3/2011 10:30:38 AM - Restore Operation
    RP234: 1/3/2011 12:34:35 PM - Installed Windows Defender
    RP235: 1/3/2011 12:36:08 PM - Installed Windows Defender
    RP236: 1/3/2011 3:24:29 PM - Restore Operation

    ==== Installed Programs ======================

    2007 Microsoft Office system
    Adobe Acrobat 9 Standard - English, Français, Deutsch
    Adobe Acrobat 9.4.1 - CPSID_83708
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop Elements 6.0
    AirPort
    All Day Battery Life Configuration
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AutoCAD LT 2008 - English
    Autodesk DWF Viewer 7
    BioAPI Framework
    Bonjour
    Broadcom USH Host Components
    Canon Camera Access Library
    Canon Camera Support Core Library
    CANON iMAGE GATEWAY Task for ZoomBrowser EX
    Canon Internet Library for ZoomBrowser EX
    Canon MOV Decoder
    Canon MOV Encoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon Pro9000 II series Printer Driver
    Canon Pro9000 Mark II series User Registration
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities Digital Photo Professional 3.6
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities Easy-PhotoPrint Pro
    Canon Utilities EOS Utility
    Canon Utilities My Printer
    Canon Utilities MyCamera
    Canon Utilities Original Data Security Tools
    Canon Utilities PhotoStitch
    Canon Utilities Picture Style Editor
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities Solution Menu
    Canon Utilities WFT-E1/E2/E3/E4 Utility
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    CCleaner
    Choice Guard
    COMcheck 3.7.0
    COMcheck 3.7.1
    Compatibility Pack for the 2007 Office system
    Dell Backup and Recovery Manager
    Dell ControlPoint System Manager
    Dell Driver Download Manager
    Dell Security Device Driver Pack
    Dell Touchpad
    Dell Webcam Central
    DW WLAN Card Utility
    Free RAR Extract Frog
    Google Calendar Sync
    Google Chrome
    Google Earth
    Google SketchUp 7
    Google Talk Plugin
    Google Update Helper
    Google Updater
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB945436)
    Hotfix for Windows XP (KB949764)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB953955)
    Hotfix for Windows XP (KB954434)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB958347)
    Hotfix for Windows XP (KB959252)
    Index.dat Analyzer v2.0
    Integrated Webcam Driver (1.06.03.0309)
    Intel(R) Network Connections 13.0.42.0
    Intel(R) PRO Alerting Agent
    Intel® Matrix Storage Manager
    iTunes
    Java(TM) 6 Update 17
    Junk Mail filter update
    Malwarebytes' Anti-Malware
    MFCLOC
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Small Business Connectivity Components
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft XML Parser
    Mozilla Firefox (3.6.3)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 6.0 Parser (KB933579)
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    PowerDVD DX
    QuickTime
    Recuva
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE 10.3
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Safari
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Segoe UI
    Serif PhotoPlus SE
    Skype™ 4.1
    SonicWALL Global VPN Client
    SonicWALL Global VPN Client 4.0.0.835
    Spybot - Search & Destroy
    SRS Premium Sound
    Sunbelt Enterprise Agent
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Windows XP (KB951618-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VLC media player 0.9.2
    WebEx
    WebFldrs XP
    WIDCOMM Bluetooth Software
    Windows Driver Package - Dell Inc. PBADRV System (01/07/2008 1.0.1.5)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    XML Paper Specification Shared Components Pack 1.0
    ZipGenius 6 (6.3.1.2612)

    ==== Event Viewer Messages From Past Week ========

    12/30/2010 11:17:39 AM, error: NetBT [4321] - The name "TOWNSITE :1d" could not be registered on the Interface with IP address 192.168.1.113. The machine with the IP address 192.168.1.113 did not allow the name to be claimed by this machine.
    12/30/2010 11:12:29 AM, error: NetBT [4321] - The name "TOWNSITE :1d" could not be registered on the Interface with IP address 192.168.1.113. The machine with the IP address 192.168.1.104 did not allow the name to be claimed by this machine.
    12/29/2010 10:36:00 PM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
    1/5/2011 3:15:12 PM, error: Service Control Manager [7034] - The VIPRE Enterprise Agent service terminated unexpectedly. It has done this 2 time(s).
    1/5/2011 12:12:13 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
    1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The VIPRE Enterprise Agent service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The Dell ControlPoint System Manager service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The Dell ControlPoint Button Service service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The Canon Camera Access Library 8 service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:44:33 AM, error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/5/2011 11:43:52 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:43:52 AM, error: Service Control Manager [7034] - The LMIGuardianSvc service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The DW WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The Credential Vault Host Storage service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The Credential Vault Host Control Service service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The Audio Service service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The ASF Agent service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The Adobe Active File Monitor V6 service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 11:43:51 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/4/2011 3:41:00 PM, error: NETLOGON [5719] - No Domain Controller is available for domain TOWNSITE due to the following: The RPC server is unavailable. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    1/3/2011 12:00:50 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
    1/3/2011 12:00:50 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/3/2011 12:00:50 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    1/3/2011 10:36:49 AM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
    1/3/2011 10:26:00 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/2/2011 8:41:00 PM, error: NETLOGON [5719] - No Domain Controller is available for domain TOWNSITE due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

    ==== End Of File ===========================
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! First thing I'd like you to do is forget about all those other scans you ran and what they found. Second thing is to run only what I direct you to do. Malware cleaning is an orderly process- it's not a scan here or there, hoping to fix what's wrong!
    ==============================================
    There is a rootkit on the system. The question is whether it's on the MBR, so we will check that first:

    Please download MBR Rootkit Detector and save it on your desktop.
    • Pause/Stop all antivirus/spyware active protection.
    • Then double click on mbr.exe to run it.
    • Select Run when you receive a Security Warning
    • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
    • A log file will then be created on your desktop where you ran mbr.exe
    • Copy and paste the contents of mbr.log on your next reply.
    ============================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ========================================
    Question about TOWNSITE
    I note several errors trying to reach Domain "TOWNSITE :1d" but I don't see any indication of this Domain in your logs. Can you tell me what this is please?
     
  4. Clive Jackson

    Clive Jackson TS Rookie Topic Starter

    MBR and Combofix

    Bobbye, thank you for much needed assistance. It is very appreciated.

    My "X:" drive connects to Townsite's file server whenever I attach the ethernet Cat5 cable to my computer. It also supplies my hard internet connection. Since infection, I have been connecting and disconnecting the cable to minimize possible exposure to those files. From today forward I will try to simply use the wireless internet connection to further avoid exposure to those files. No programs are run from the Townsite server, only shared file storage. Is this a problem?

    Two notes: Combofix had to reboot the computer for a rootkit matter; is this ok? Also, Combofix indicated that Vipre was active even though I ended its process by Task Manager. I don't know any other way to disable Vipre.

    Please find the logs you requested below:




    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD16 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    detected disk devices:
    \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600BEVT-75ZCT2___________________11.01A11#4&3ac9d9dd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user != kernel MBR !!!
    sectors 312581806 (+255): user != kernel



    ComboFix 11-01-05.06 - Darin 01/06/2011 10:03:43.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3141 [GMT -6:00]
    Running from: c:\documents and settings\darin\Desktop\Housekeeping\ComboFix.exe
    AV: Sunbelt VIPRE *Enabled/Outdated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
    .
    PEV Error: LocalSettingsFile

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\regedit.com
    c:\windows\system32\cmd.com

    .
    \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
    .

    2011-01-04 16:09 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\49152812.sys
    2011-01-04 16:09 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\4915281.sys
    2011-01-04 16:09 . 2009-09-25 22:59 128016 ----a-w- c:\windows\system32\drivers\49152811.sys
    2011-01-04 16:09 . 2011-01-04 18:04 -------- d-----w- c:\program files\Kaperski Virus Removal Tool
    2011-01-04 02:39 . 2011-01-04 02:39 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2011-01-04 02:14 . 2011-01-04 02:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-01-03 16:34 . 2011-01-03 16:34 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-01-03 16:32 . 2011-01-03 16:32 -------- d-----w- c:\program files\QuickTime
    2011-01-03 16:32 . 2011-01-04 20:10 -------- d-----w- c:\program files\iTunes
    2011-01-03 16:32 . 2011-01-04 20:10 -------- d-----w- c:\program files\iPod
    2010-12-30 18:08 . 2011-01-03 16:31 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-12-21 18:19 . 2011-01-03 16:33 -------- d-----w- c:\program files\GanttProject

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-21 00:09 . 2010-04-20 16:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 00:08 . 2010-04-20 16:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\darin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-10 133104]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2010-01-04 669008]
    "AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-02-03 2670592]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-28 13537280]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

    c:\documents and settings\darin\Start Menu\Programs\Startup\
    setup_9.0.0.722_04.01.2011_18-33.lnk - c:\program files\Kaperski Virus Removal Tool\setup_9.0.0.722_04.01.2011_18-33\startup.exe [2011-1-4 72208]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    backup=c:\windows\pss\Bluetooth.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2010-09-22 23:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
    2010-09-23 09:42 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2007-09-11 06:43 67488 -c--a-w- c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2008-03-17 16:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2008-12-11 16:31 722256 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Webcam Central]
    2008-10-17 15:41 442536 ------w- c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-09-24 07:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-08-28 00:06 13537280 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
    2008-08-28 00:07 90112 ----a-w- c:\windows\system32\nvhotkey.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-08-28 00:07 86016 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
    2009-02-05 02:26 128232 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-09-02 20:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-10-11 10:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\darin\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Documents and Settings\\darin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

    R0 49152812;49152812 Boot Guard Driver;c:\windows\system32\drivers\49152812.sys [1/4/2011 10:09 AM 37392]
    R1 49152811;49152811;c:\windows\system32\drivers\49152811.sys [1/4/2011 10:09 AM 128016]
    R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [9/10/2009 8:27 AM 86552]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [1/18/2010 9:33 AM 13360]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 8:22 AM 95024]
    R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [9/24/2009 12:23 PM 203056]
    R1 setup_9.0.0.722_04.01.2011_18-33drv;setup_9.0.0.722_04.01.2011_18-33drv;c:\windows\system32\drivers\4915281.sys [1/4/2011 10:09 AM 315408]
    R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 4:56 AM 133968]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 10:07 AM 320800]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 9:19 AM 808296]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 9:19 AM 20840]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [4/9/2009 1:02 PM 447264]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 9:53 AM 374152]
    R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [1/4/2010 5:02 PM 1012080]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [1/18/2010 9:35 AM 69936]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/4/2009 4:12 AM 112512]
    R3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 4:28 AM 42832]
    R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [9/4/2009 4:12 AM 32808]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [9/4/2009 4:12 AM 244368]
    R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [9/4/2009 4:12 AM 148056]
    R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [9/4/2009 4:12 AM 133632]
    R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [9/4/2009 4:12 AM 280096]
    R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [9/4/2009 1:58 AM 232744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/10/2009 8:13 AM 133104]
    S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
    S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [9/10/2009 8:27 AM 24876]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2011-01-06 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-10 14:09]

    2011-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-10 14:13]

    2011-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-10 14:13]

    2010-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2955818812-2593963823-2349310179-1238Core.job
    - c:\documents and settings\darin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-10 14:13]

    2011-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2955818812-2593963823-2349310179-1238UA.job
    - c:\documents and settings\darin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-10 14:13]

    2011-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2955818812-2593963823-2349310179-1417Core.job
    - c:\documents and settings\msadmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-13 03:28]

    2011-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2955818812-2593963823-2349310179-1417UA.job
    - c:\documents and settings\msadmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-13 03:28]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.dell.com
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\darin\Application Data\Mozilla\Firefox\Profiles\a02fw7hr.default\
    FF - prefs.js: browser.startup.homepage - hxxps://ccs.coair.com/CCS/Default.aspx|http://www.ccsmax.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    .
    .
    ------- File Associations -------
    .
    .scr=AutoCADLTScriptFile
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-06 10:12
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD16 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B015555]<<
    c:\docume~1\darin\LOCALS~1\Temp\catchme.sys
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b01b7b0]; MOV EAX, [0x8b01b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B05C770]
    3 CLASSPNP[0xBA8E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AFD8B10]
    \Driver\iaStor[0x8B023B38] -> IRP_MJ_CREATE -> 0x8B015555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600BEVT-75ZCT2___________________11.01A11#4&3ac9d9dd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user != kernel MBR !!!
    sectors 312581806 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-01-06 10:16:07
    ComboFix-quarantined-files.txt 2011-01-06 16:15

    Pre-Run: 106,823,573,504 bytes free
    Post-Run: 106,785,112,064 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    [spybotsd]
    timeout.old=30

    - - End Of File - - 59AB818152E3DA7AD85A8374636BEB8D
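An added triage helper, written for this thread and not part of it or of Gmer's mbr.exe, that reads the detector's text output (the two runs pasted above) and pulls out what a helper checks first: whether the MBR read from user mode matches the one read from the kernel, which sectors disagree, which driver dispatch routine is hooked, and whether the hook lands in memory no loaded module accounts for. The sample logs are constructed from the lines the tool printed in this thread, plus a clean run for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: indicator lines as Gmer's tool printed them in the thread
# (the run embedded in the ComboFix log), one per line, reformatted only by stripping.
INFECTED_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD16 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B015555]<<
\Driver\iaStor[0x8B023B38] -> IRP_MJ_CREATE -> 0x8B015555
kernel: MBR read successfully
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# Constructed sample of a clean run: both reads succeed and nothing else is reported.
CLEAN_LOG = """
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
"""

DISK_RE = re.compile(r"^Windows \S+ Disk: (.+)$")
SECTOR_RE = re.compile(r"^sectors\s+(\d+)\s+\(\+(\d+)\):\s+user != kernel")
HOOK_RE = re.compile(
    r"^\\Driver\\(\w+)\[0x[0-9A-Fa-f]+\]\s*->\s*(IRP_MJ_\w+)\s*->\s*(0x[0-9A-Fa-f]+)"
)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class MbrTriage:
    disk: Optional[str] = None
    user_mbr_read: bool = False
    kernel_mbr_read: bool = False
    mbr_mismatch: bool = False            # "user != kernel MBR !!!" seen
    mismatched_sectors: List[Tuple[int, int]] = field(default_factory=list)  # (start LBA, count)
    hooked_dispatch: List[Tuple[str, str, str]] = field(default_factory=list)  # (driver, IRP, addr)
    unknown_code: List[str] = field(default_factory=list)  # addresses not backed by a module
    warnings: List[str] = field(default_factory=list)

    @property
    def hook_in_unknown_code(self) -> bool:
        """A hooked dispatch routine pointing at an address the tool could not map to
        any loaded driver: code living only in memory, which is how an MBR-loaded
        filter shows up in the disk trace."""
        unknown = {a.lower() for a in self.unknown_code}
        return any(addr.lower() in unknown for _, _, addr in self.hooked_dispatch)

    @property
    def verdict(self) -> str:
        if self.mbr_mismatch or self.hooked_dispatch or self.warnings:
            return "SUSPECT"
        if self.user_mbr_read and self.kernel_mbr_read:
            return "CLEAN"
        return "INCONCLUSIVE"


def triage_mbr_log(text: str) -> MbrTriage:
    """Walk the log once and collect the indicators; unknown lines are ignored."""
    t = MbrTriage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DISK_RE.match(line):
            t.disk = m.group(1)
        elif line == "user: MBR read successfully":
            t.user_mbr_read = True
        elif line == "kernel: MBR read successfully":
            t.kernel_mbr_read = True
        elif line.startswith("user != kernel MBR"):
            t.mbr_mismatch = True
        elif m := SECTOR_RE.match(line):
            t.mismatched_sectors.append((int(m.group(1)), int(m.group(2))))
        elif m := HOOK_RE.match(line):
            t.hooked_dispatch.append((m.group(1), m.group(2), m.group(3)))
        elif line.startswith("Warning:") or "infection detected" in line:
            t.warnings.append(line)
        # the UNKNOWN marker sits inside the "called modules:" line, so scan every line
        for m in UNKNOWN_RE.finditer(line):
            t.unknown_code.append(m.group(1))
    return t


def report(t: MbrTriage) -> str:
    lines = [f"verdict: {t.verdict}", f"disk: {t.disk or 'n/a'}"]
    lines.append(f"user/kernel MBR reads agree: {not t.mbr_mismatch}")
    for start, count in t.mismatched_sectors:
        lines.append(f"  sectors differ: LBA {start} (+{count})")
    for drv, irp, addr in t.hooked_dispatch:
        where = "unmapped memory" if addr.lower() in {a.lower() for a in t.unknown_code} else "a module"
        lines.append(f"  hook: \\Driver\\{drv} {irp} -> {addr} ({where})")
    lines.extend(f"  tool warning: {w}" for w in t.warnings)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage_mbr_log(INFECTED_LOG)))
    print()
    print(report(triage_mbr_log(CLEAN_LOG)))
```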
     