Using a search engine, Internet Explorer goes to the wrong site.
Results of 8 steps revised.
Avira full version scan: nothing found.
Ran temporary file cleaner.
Ran Malwarebytes.
Log
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5221
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
11/30/2010 9:40:52 PM
mbam-log-2010-11-30 (21-40-52).txt
Scan type: Quick scan
Objects scanned: 140516
Time elapsed: 5 minute(s), 53 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Ran GMER
Log
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-30 22:00:16
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD800JB-00JJA0 rev.05.01C05
Running: eew5n92h.exe; Driver: C:\DOCUME~1\John\LOCALS~1\Temp\pwnoiuog.sys
---- System - GMER 1.0.15 ----
SSDT F260E6F6 ZwCreateKey
SSDT F260E6EC ZwCreateThread
SSDT F260E6FB ZwDeleteKey
SSDT F260E705 ZwDeleteValueKey
SSDT F260E723 ZwLoadDriver
SSDT F260E70A ZwLoadKey
SSDT F260E6D8 ZwOpenProcess
SSDT F260E6DD ZwOpenThread
SSDT F260E714 ZwReplaceKey
SSDT F260E70F ZwRestoreKey
SSDT F260E728 ZwSetSystemInformation
SSDT F260E700 ZwSetValueKey
SSDT F260E6E7 ZwTerminateProcess
SSDT F260E6E2 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 4A0 804E2B0C 1 Byte [E2]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1464] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CB000A
.text C:\WINDOWS\System32\svchost.exe[1464] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CC000A
.text C:\WINDOWS\System32\svchost.exe[1464] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CA000C
.text C:\WINDOWS\System32\svchost.exe[1464] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[1464] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00F8000A
.text C:\WINDOWS\Explorer.EXE[2620] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EA000A
.text C:\WINDOWS\Explorer.EXE[2620] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00EB000A
.text C:\WINDOWS\Explorer.EXE[2620] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E9000C
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \Driver\Tcpip \Device\Ip avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice \Driver\Tcpip \Device\Tcp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 86B2C292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86B2C292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86B2C292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 86B2C292
AttachedDevice \Driver\Tcpip \Device\Udp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice \Driver\Tcpip \Device\RawIp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800JB-00JJA0______________________05.01C05#5&115774f4&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 156301232 (+255): rootkit-like behavior;
---- EOF - GMER 1.0.15 ----
Ran DDS
DDS Log
DDS (Ver_10-11-10.01) - NTFSx86
Run by John at 22:26:25.98 on Tue 11/30/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.992.519 [GMT -5:00]
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira FireWall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\John\Desktop\757\dds.pif
============== Pseudo HJT Report ===============
uSearch Page = 1886680168 (0x70747468)
uSearch Bar = 1886680168 (0x70747468)
uInternet Connection Wizard,ShellNext = iexplore
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EPSON NX420 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatigca.exe /fu "c:\windows\temp\E_S1A.tmp" /EF "HKCU"
mRun: [ASUS Probe] c:\program files\asus\probe\AsusProb.exe
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utility tray.lnk - c:\windows\system32\sistray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip quick pick.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
Trusted Zone: bettertrades.com
Trusted Zone: bobeldridge.com
Trusted Zone: centra.com
Trusted Zone: darlenenelson.com
Trusted Zone: dedicatedtrader.com
Trusted Zone: ebay.com\www
Trusted Zone: intuit.com\ttlc
Trusted Zone: markaylatimer.com
Trusted Zone: ryanlitchfield.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://de205.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163300585781
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163300575296
DPF: {78A3FB87-D50E-40DA-B908-0C38A3F96CA9} - hxxp://70.183.9.52:92/VDControl.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Pepsi/Coupons.cab
DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - hxxp://download.microsoft.com/download/PowerPoint2002/Install/10.0.2609/WIN98MeXP/EN-US/msorun.cab
DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://de205.centra.com/SiteRoots/main/InstallJava/CentraDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\windows defender\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [2009-5-17 102856]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-17 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirFirewallService;Avira Firewall;c:\program files\avira\antivir desktop\avfwsvc.exe [2009-5-17 539304]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2009-5-17 339624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-17 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-17 267944]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2009-5-17 403624]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-17 61960]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2009-5-17 79432]
=============== Created Last 30 ================
2010-11-30 04:42:49 2321288 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\backup\mpengine.dll
2010-11-30 04:42:46 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{5cd46528-1ac0-4303-a2e3-6892c5a22858}\mpengine.dll
2010-11-30 04:42:45 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-29 01:30:02 -------- d-----w- c:\program files\common files\EPSON
2010-11-29 01:29:51 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-11-29 01:29:51 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-11-29 01:29:42 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-11-29 01:29:42 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-11-29 01:11:43 80024 ----a-w- c:\windows\system32\PICSDK.dll
2010-11-29 01:11:43 51360 ----a-w- c:\windows\system32\EpPicPrt.dll
2010-11-29 01:11:43 51360 ----a-w- c:\windows\system32\EpPicMgr.dll
2010-11-29 01:11:43 501912 ----a-w- c:\windows\system32\PICSDK2.dll
2010-11-29 01:11:43 108704 ----a-w- c:\windows\system32\PICEntry.dll
2010-11-29 01:11:09 93696 ----a-w- c:\windows\system32\E_FLBGCA.DLL
2010-11-29 01:11:09 63488 ----a-w- c:\windows\system32\E_FD4BGCA.DLL
2010-11-29 01:10:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\EPSON
2010-11-29 01:10:13 -------- d-----w- c:\program files\Epson Software
2010-11-29 01:09:39 342016 ----a-w- c:\windows\system32\eswiaud.dll
2010-11-29 01:09:39 15872 ----a-w- c:\windows\system32\escdev.dll
2010-11-29 01:09:39 128392 ----a-w- c:\windows\system32\esdevapp.exe
2010-11-29 01:09:35 -------- d-----w- c:\program files\epson
2010-11-28 21:28:00 -------- d-s---w- C:\ComboFix
2010-11-27 14:11:07 -------- d-sh--w- c:\documents and settings\john\UserData
2010-11-27 12:45:50 -------- d-----w- c:\windows\Downloaded Program Files
2010-11-26 21:17:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-26 21:17:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-11-25 03:06:47 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-25 03:06:47 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-24 07:05:04 -------- d-----w- c:\program files\Microsoft AntiSpyware
2010-11-23 03:11:24 -------- d-----w- c:\docume~1\john\locals~1\applic~1\Corel
2010-11-23 03:04:24 -------- d-----w- c:\program files\common files\Corel
2010-11-23 03:04:18 -------- d-----w- c:\program files\Corel
2010-11-19 01:03:12 -------- d-----w- c:\docume~1\john\applic~1\SUPERAntiSpyware.com
2010-11-18 14:53:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-11-18 14:53:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-18 14:39:07 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-11-18 14:39:07 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-11-18 14:39:06 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-11-18 14:39:06 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-11-18 14:39:03 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-11-18 14:39:03 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-11-11 03:31:19 -------- d-----w- c:\program files\sisagp
2010-11-11 03:31:16 65536 ------w- c:\windows\system32\SiSHook.dll
2010-11-11 03:31:16 110592 ------w- c:\windows\system32\TVMode.dll
2010-11-11 03:31:14 262144 ----a-w- c:\windows\system32\sistray.exe
2010-11-11 03:31:10 7168 ----a-r- c:\windows\InstFunc.dll
2010-11-11 03:31:10 49152 ----a-r- c:\windows\system32\SiSPower.dll
2010-11-11 03:31:10 49152 ----a-r- c:\windows\system32\SiSBase.dll
2010-11-11 03:31:10 36864 ----a-r- c:\windows\InstFunc.exe
2010-11-11 03:31:09 28672 ----a-r- c:\windows\system32\SiSPInst.dll
2010-11-11 03:31:01 -------- d-----w- c:\program files\SiS VGA Utilities V3.71
2010-11-11 03:30:35 692224 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
2010-11-11 03:30:35 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
2010-11-11 03:30:35 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2010-11-11 03:30:35 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
2010-11-11 03:30:35 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
2010-11-11 03:30:34 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2010-11-11 03:30:34 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
2010-11-11 02:45:29 -------- d-----w- c:\docume~1\john\applic~1\Malwarebytes
2010-11-10 23:47:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-10 23:47:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-10 23:47:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-10 23:47:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-06 16:37:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-11-06 16:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
==================== Find3M ====================
2010-09-18 16:23:26 974848 ------w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JB-00JJA0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B2C446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86b32504]; MOV EAX, [0x86b32580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86B41AB8]
3 CLASSPNP[0xF788EFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000062[0x86B7DF18]
5 ACPI[0xF7805620] -> nt!IofCallDriver[0x804E37D5] -> [0x86B43940]
\Driver\atapi[0x86B54AB8] -> IRP_MJ_CREATE -> 0x86B2C446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800JB-00JJA0______________________05.01C05#5&115774f4&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86B2C292
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
============= FINISH: 22:28:50.79 ===============
The Attach file is attached in zip format.
There are definite signs of rootkit infestation.
Please help.
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2009-5-17 339624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-17 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-17 267944]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2009-5-17 403624]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-17 61960]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2009-5-17 79432]
=============== Created Last 30 ================
2010-11-30 04:42:49 2321288 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\backup\mpengine.dll
2010-11-30 04:42:46 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{5cd46528-1ac0-4303-a2e3-6892c5a22858}\mpengine.dll
2010-11-30 04:42:45 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-29 01:30:02 -------- d-----w- c:\program files\common files\EPSON
2010-11-29 01:29:51 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-11-29 01:29:51 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-11-29 01:29:42 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-11-29 01:29:42 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-11-29 01:11:43 80024 ----a-w- c:\windows\system32\PICSDK.dll
2010-11-29 01:11:43 51360 ----a-w- c:\windows\system32\EpPicPrt.dll
2010-11-29 01:11:43 51360 ----a-w- c:\windows\system32\EpPicMgr.dll
2010-11-29 01:11:43 501912 ----a-w- c:\windows\system32\PICSDK2.dll
2010-11-29 01:11:43 108704 ----a-w- c:\windows\system32\PICEntry.dll
2010-11-29 01:11:09 93696 ----a-w- c:\windows\system32\E_FLBGCA.DLL
2010-11-29 01:11:09 63488 ----a-w- c:\windows\system32\E_FD4BGCA.DLL
2010-11-29 01:10:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\EPSON
2010-11-29 01:10:13 -------- d-----w- c:\program files\Epson Software
2010-11-29 01:09:39 342016 ----a-w- c:\windows\system32\eswiaud.dll
2010-11-29 01:09:39 15872 ----a-w- c:\windows\system32\escdev.dll
2010-11-29 01:09:39 128392 ----a-w- c:\windows\system32\esdevapp.exe
2010-11-29 01:09:35 -------- d-----w- c:\program files\epson
2010-11-28 21:28:00 -------- d-s---w- C:\ComboFix
2010-11-27 14:11:07 -------- d-sh--w- c:\documents and settings\john\UserData
2010-11-27 12:45:50 -------- d-----w- c:\windows\Downloaded Program Files
2010-11-26 21:17:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-26 21:17:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-11-25 03:06:47 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-25 03:06:47 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-24 07:05:04 -------- d-----w- c:\program files\Microsoft AntiSpyware
2010-11-23 03:11:24 -------- d-----w- c:\docume~1\john\locals~1\applic~1\Corel
2010-11-23 03:04:24 -------- d-----w- c:\program files\common files\Corel
2010-11-23 03:04:18 -------- d-----w- c:\program files\Corel
2010-11-19 01:03:12 -------- d-----w- c:\docume~1\john\applic~1\SUPERAntiSpyware.com
2010-11-18 14:53:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-11-18 14:53:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-18 14:39:07 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-11-18 14:39:07 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-11-18 14:39:06 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-11-18 14:39:06 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-11-18 14:39:03 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-11-18 14:39:03 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-11-11 03:31:19 -------- d-----w- c:\program files\sisagp
2010-11-11 03:31:16 65536 ------w- c:\windows\system32\SiSHook.dll
2010-11-11 03:31:16 110592 ------w- c:\windows\system32\TVMode.dll
2010-11-11 03:31:14 262144 ----a-w- c:\windows\system32\sistray.exe
2010-11-11 03:31:10 7168 ----a-r- c:\windows\InstFunc.dll
2010-11-11 03:31:10 49152 ----a-r- c:\windows\system32\SiSPower.dll
2010-11-11 03:31:10 49152 ----a-r- c:\windows\system32\SiSBase.dll
2010-11-11 03:31:10 36864 ----a-r- c:\windows\InstFunc.exe
2010-11-11 03:31:09 28672 ----a-r- c:\windows\system32\SiSPInst.dll
2010-11-11 03:31:01 -------- d-----w- c:\program files\SiS VGA Utilities V3.71
2010-11-11 03:30:35 692224 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
2010-11-11 03:30:35 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
2010-11-11 03:30:35 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2010-11-11 03:30:35 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
2010-11-11 03:30:35 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
2010-11-11 03:30:34 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2010-11-11 03:30:34 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
2010-11-11 02:45:29 -------- d-----w- c:\docume~1\john\applic~1\Malwarebytes
2010-11-10 23:47:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-10 23:47:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-10 23:47:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-10 23:47:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-06 16:37:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-11-06 16:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
==================== Find3M ====================
2010-09-18 16:23:26 974848 ------w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JB-00JJA0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B2C446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86b32504]; MOV EAX, [0x86b32580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86B41AB8]
3 CLASSPNP[0xF788EFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000062[0x86B7DF18]
5 ACPI[0xF7805620] -> nt!IofCallDriver[0x804E37D5] -> [0x86B43940]
\Driver\atapi[0x86B54AB8] -> IRP_MJ_CREATE -> 0x86B2C446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800JB-00JJA0______________________05.01C05#5&115774f4&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86B2C292
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
============= FINISH: 22:28:50.79 ===============
The Attach file is attached in zip format.
There are definite signs of rootkit infestation.
Please help.