Inactive I've got lots of trojans, malwarebytes blocking malicious websites - zentom sys guard

Status
Not open for further replies.

stevebobby

Posts: 6   +0
My windows problems started with an appearance of a Zentom system guard. I've tried Malwarebytes' anti-malware, superantispyware and avast! without much success. The active Malwarebytes' program keeps blocking 'malicious websites' and repeated scans show many trojans. My computer's performance isn't good and I really need to work!

Any suggestions?
thank you!
 
malwarebytes log

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7582

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/26/2011 1:02:59 PM
mbam-log-2011-08-26 (13-02-59).txt

Scan type: Full scan (C:\|)
Objects scanned: 272541
Time elapsed: 1 hour(s), 1 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 23
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\w3swms.dll (Trojan.Hiloti) -> Delete on reboot.
c:\WINDOWS\$xntuninstall643$\bgjhu.dll (Adware.BHO) -> Delete on reboot.
c:\WINDOWS\$xntuninstall643$\fbtil.dll (Adware.BHO) -> Delete on reboot.
c:\WINDOWS\system32\todaxsrkadmeclkf.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6BC1C77F-B07B-4593-8CAC-510065623BE5} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\brumaokzpgrm.brumaokzpgrm.1.0 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\brumaokzpgrm.brumaokzpgrm (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BC1C77F-B07B-4593-8CAC-510065623BE5} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{6BC1C77F-B07B-4593-8CAC-510065623BE5} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BC1C77F-B07B-4593-8CAC-510065623BE5} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{945B6D2E-4A45-45BA-8357-FD02F2AD038B} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adfaokzppr.adfaokzppr.1.0 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adfaokzppr.adfaokzppr (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{945B6D2E-4A45-45BA-8357-FD02F2AD038B} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{945B6D2E-4A45-45BA-8357-FD02F2AD038B} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{945B6D2E-4A45-45BA-8357-FD02F2AD038B} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zentom System Guard (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Z-opti (Adware.EZula) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Context\Context-Ads (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Z-opti (Adware.EZula) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Context\Context-Ads (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{CCDBE201-6CC0-78FF-9509-67FFBF5044BF} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCDBE201-6CC0-78FF-9509-67FFBF5044BF} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{CCDBE201-6CC0-78FF-9509-67FFBF5044BF} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CCDBE201-6CC0-78FF-9509-67FFBF5044BF} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uioavxizuhbnfcue (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$XNTUninstall643$ (Adware.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nfujaquzuwocu (Trojan.Hiloti) -> Value: Nfujaquzuwocu -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Adware.BHO) -> Value: bipro -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*propactioncore.exe (Trojan.FakeAlert) -> Value: *propactioncore.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mllsic70nb.exe (Trojan.FakeAlert) -> Value: mllsic70nb.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\btbigjmzpv (Trojan.Agent) -> Value: btbigjmzpv -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\farnham lab\start menu\Programs\zentom system guard (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
c:\WINDOWS\$xntuninstall643$ (Adware.AdRotator) -> Delete on reboot.

Files Infected:
c:\WINDOWS\w3swms.dll (Trojan.Hiloti) -> Delete on reboot.
c:\WINDOWS\$xntuninstall643$\bgjhu.dll (Adware.BHO) -> Delete on reboot.
c:\WINDOWS\$xntuninstall643$\fbtil.dll (Adware.BHO) -> Delete on reboot.
c:\documents and settings\localservice\local settings\application data\propactioncore.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\farnham lab\application data\aed8be34363e76d741618ee858692c81\mllsic70nb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\farnham lab\application data\aed8be34363e76d741618ee858692c81\hookdll.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\farnham lab\my documents\graphpadprism5\Patch.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\farnham lab\local settings\Temp\1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\farnham lab\local settings\Temp\aserwoncxm.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\farnham lab\local settings\Temp\FY1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\farnham lab\local settings\Temp\rhc07151_1.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\corecenterauth.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{09046f03-ef84-48bb-8fc4-91465583bd68}\RP193\A0021875.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\uioavxizuhbnfcue.exe (Adware.EZula) -> Quarantined and deleted successfully.
c:\documents and settings\farnham lab\start menu\Programs\Startup\zentom system guard.lnk (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
c:\documents and settings\farnham lab\Desktop\zentom system guard.lnk (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
c:\documents and settings\farnham lab\application data\microsoft\internet explorer\quick launch\zentom system guard.lnk (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
c:\documents and settings\farnham lab\start menu\Programs\zentom system guard\zentom system guard.lnk (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
c:\documents and settings\farnham lab\start menu\Programs\zentom system guard\uninstall.lnk (Rogue.ZentomSystemGuard) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\todaxsrkadmeclkf.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\$xntuninstall643$\apuninstall.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
c:\WINDOWS\$xntuninstall643$\zrpt.xml (Adware.AdRotator) -> Quarantined and deleted successfully.
 
Welcome to TechSpot! I'll help you get rid of the malware.

My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process..
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================
Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Note for Malwarebytes Before you try to scan>>>

Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.pif
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Do you have Malwarebytes running on the system? If yes, then "The active Malwarebytes' program keeps blocking 'malicious websites' " is a good thing. But you need to update and do the scan, preferably using the link in the thread steps.

Go ahead with the rest of the steps and leave the logs in your next reply. If you have problems along the way- let me know. Don't try to get around anything.

Note please> I am signing off for the night in a few minutes. So I will look for your reply tomorrow.
 
gmer log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-26 18:18:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST9120823AS rev.3.ADB
Running: zkyrgxtp.exe; Driver: C:\DOCUME~1\FARNHA~1\LOCALS~1\Temp\kgrdipow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA94C5BF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA94C5A5D]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA951D398]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 89D8531B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89D8531B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89D8531B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 89D8531B
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----
 
dds

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_2011-08-26.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/21/2010 9:08:39 AM
System Uptime: 8/26/2011 5:39:52 PM (1 hours ago)
Motherboard: Dell Inc. | | 0HN338
Processor: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz | Microprocessor | 1975/200mhz

==== Disk Partitions =========================
C: is FIXED (NTFS) - 112 GiB total, 0.732 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
PNP Device ID: ROOT\NET\0000
Service: vpnva

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CVirtA

==== System Restore Points ===================
RP179: 8/8/2011 5:37:12 PM - System Checkpoint
RP180: 8/9/2011 5:45:40 PM - System Checkpoint
RP181: 8/10/2011 6:54:03 PM - System Checkpoint
RP182: 8/11/2011 9:54:38 AM - Software Distribution Service 3.0
RP183: 8/12/2011 5:23:58 PM - System Checkpoint
RP184: 8/16/2011 12:42:55 PM - System Checkpoint
RP185: 8/17/2011 1:19:35 PM - System Checkpoint
RP186: 8/18/2011 4:15:22 PM - System Checkpoint
RP187: 8/19/2011 4:18:29 PM - System Checkpoint
RP188: 8/20/2011 4:23:13 PM - System Checkpoint
RP189: 8/21/2011 5:23:13 PM - System Checkpoint
RP190: 8/22/2011 7:31:36 PM - System Checkpoint
RP191: 8/24/2011 9:36:32 AM - System Checkpoint
RP192: 8/24/2011 2:31:46 PM - Software Distribution Service 3.0
RP193: 8/25/2011 3:09:47 PM - System Checkpoint
RP194: 8/26/2011 1:58:22 PM - avast! Free Antivirus Setup

==== Installed Programs ======================
Adobe Acrobat 9 Pro - English, Français, Deutsc
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator 10
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe SVG Viewer 3.0
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
Bio-Rad CFX Manager 2.0
Bonjour
Broadcom Gigabit Integrated Controller
ChipSeq Tool Set Fast
Cisco AnyConnect VPN Client
Conexant HDA D330 MDC V.92 Modem
Connect
Dell Touchpad
Dropbox
EndNote X4
ExtraPutty 0.22
ffdshow [rev 2527] [2008-12-19]
GraphPad Prism 5 (Trial)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
IGB 6.5.3
Intel PROSet Wireless
Intel(R) PROSet/Wireless WiFi Software
iTunes
J2SE Runtime Environment 5.0 Update 18
Java Auto Updater
Java(TM) 6 Update 23
kuler
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 6.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Drivers
Opera 11.10
OZ776 SCR Driver V1.1.4.202
PDF Settings CS4
Photoshop Camera Raw
Python 2.7.1
Python 3.2b2
QuickTime
R for Windows 2.13.1
ResearchSoft Direct Export Helper
Screen Grab Pro
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB241963)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SigmaTel Audio
SignalMap
SpywareBlaster 4.4
Suite Shared Configuration CS4
SUPERAntiSpyware
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Outlook 2007 Junk Email Filter (KB2586924)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VPN Client
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Search 4.
WinRAR 4.00 beta 4 (32-bit)
WinSCP 4.2.9

==== Event Viewer Messages From Past Week ========
8/26/2011 11:47:43 AM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
8/25/2011 9:53:27 AM, error: Dhcp [1002] - The IP address lease 192.168.1.68 for the Network Card with network address 001B77C41956 has been denied by the DHCP server 68.181.195.147 (The DHCP Server sent a DHCPNACK message
8/24/2011 8:46:44 AM, error: Service Control Manager [7000] - The CoLinuxDriver service failed to start due to the following error: The system cannot find the path specified.
8/24/2011 8:46:44 AM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
==== End Of File ===========================
 
dds

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Run by Farnham Lab at 18:04:50 on 2011-08-26

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.904 [GMT -7:00]

.

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco\Vpn Client\cvpnd.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\WINDOWS\system32\hasplms.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe

C:\Program Files\Intel\WiFi\bin\WLKeeper.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\DellTPad\HidFind.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\iPod\bin\iPodService.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AdobeBridge]

mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"

mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [<NO NAME>]

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRunOnce: [*centercabapi.exe] "c:\windows\centercabapi.exe"

StartupFolder: c:\docume~1\farnha~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\farnham lab\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ucdavi~1.lnk - c:\program files\cisco\vpn client\vpngui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1292978320717

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292978383842

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 128.125.253.143 128.125.253.194 208.99.184.12

TCP: Interfaces\{96AEDF37-3C6A-4CE4-BFE7-06C28200C249} : DhcpNameServer = 128.125.253.143 128.125.253.194 208.99.184.12

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\farnham lab\application data\mozilla\firefox\profiles\utjbm3nt.default\

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-8-26 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-8-26 309848]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-8-26 19544]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-8-26 42184]

R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-16 366640]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2011-5-18 641464]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-16 22712]

S2 CoLinuxDriver;CoLinuxDriver;\??\c:\documents and settings\farnham lab\desktop\portable_ubuntu_tres\colinux\linux.sys --> c:\documents and settings\farnham lab\desktop\portable_ubuntu_tres\colinux\linux.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-2-16 41272]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-1-14 280344]

.

=============== Created Last 30 ================

.

2011-08-27 01:04:04 94208 ----a-w- c:\windows\centercabapi.exe

2011-08-26 20:58:58 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-08-26 20:58:33 40112 ----a-w- c:\windows\avastSS.scr

2011-08-26 20:58:22 -------- d-----w- c:\program files\AVAST Software

2011-08-26 20:58:22 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software

2011-08-26 20:48:31 -------- d-----w- c:\program files\SpywareBlaster

2011-08-22 17:34:36 -------- d-----w- c:\documents and settings\all users\application data\TDM-GCC

2011-08-12 20:54:32 -------- d-----w- c:\program files\cisgenome_v2.0

2011-08-04 03:09:10 -------- d-----w- c:\documents and settings\farnham lab\work

2011-08-04 00:52:32 -------- d-----w- c:\program files\R

.

==================== Find3M ====================

.

2011-07-20 23:36:38 90784 ----a-w- c:\windows\system32\EasyHook32.dll

2011-07-20 23:36:38 109216 ----a-w- c:\windows\system32\EasyHook64.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST9120823AS rev.3.ADB -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D854D0]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d8b7d0]; MOV EAX, [0x89d8b84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89DECAB8]

3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89DD8030]

\Driver\atapi[0x89DF13D8] -> IRP_MJ_CREATE -> 0x89D854D0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x89D8531B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 18:07:32.28 ===============
 
Please stop double spacing the log entries!

Repost the DDS.txt log without the double pasting, please. I fixed the Attach.txt log. It looks like you may be copying in each line separately instead of copying the entire log and pasting it in.

After you have reposted the log, run this:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe. to run the scan
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
=========================================
The this: Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=============================================
Paste logs in as they appear- no double spacing.
 
Status
Not open for further replies.
Back