Hi, my browsers are randomly opening up new tabs and loading incorrect pages when clicking links, mostly Google links. The pages are your standard-fare spam search engine, but sometimes it will randomly open a YouTube vid or eBay.
Here are my logs, cheers.
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-02 08:48:15
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 ST3500830AS rev.3.AAD
Running: c5lwcfye.exe; Driver: C:\DOCUME~1\Craig\LOCALS~1\Temp\pwqyrfod.sys
---- System - GMER 1.0.15 ----
SSDT spgg.sys ZwCreateKey [0xB7EB50E0]
SSDT spgg.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spgg.sys ZwEnumerateValueKey [0xB7ECE132]
SSDT spgg.sys ZwOpenKey [0xB7EB50C0]
SSDT spgg.sys ZwQueryKey [0xB7ECE20A]
SSDT spgg.sys ZwQueryValueKey [0xB7ECE08A]
SSDT spgg.sys ZwSetValueKey [0xB7ECE29C]
INT 0x62 ? 89ADABF8
INT 0x74 ? 897DBBF8
INT 0x82 ? 89ADABF8
INT 0x83 ? 89ADABF8
INT 0x84 ? 897DBBF8
INT 0x94 ? 897DBBF8
INT 0xB4 ? 897DBBF8
---- Kernel code sections - GMER 1.0.15 ----
? spgg.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5F9D3A0, 0x5CC259, 0xE8000020]
.text USBPORT.SYS!DllUnload B5EEB8AC 5 Bytes JMP 897DB1D8
.text ap7f3q9r.SYS B5E9A386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ap7f3q9r.SYS B5E9A3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ap7f3q9r.SYS B5E9A3C4 3 Bytes [00, 80, 02]
.text ap7f3q9r.SYS B5E9A3C9 1 Byte [30]
.text ap7f3q9r.SYS B5E9A3C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1104] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00AA000A
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EB6042] spgg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EB613E] spgg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EB60C0] spgg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EB6800] spgg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EB66D6] spgg.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EC5B90] spgg.sys
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 89AD91F8
Device \FileSystem\Fastfat \FatCdrom 897A51F8
Device \Driver\PCI_PNP0180 \Device\00000040 spgg.sys
Device \Driver\usbohci \Device\USBPDO-0 898951F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B39CC196-669E-4494-A518-3F5765F4198B} 894CF500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89A6E1F8
Device \Driver\dmio \Device\DmControl\DmConfig 89A6E1F8
Device \Driver\dmio \Device\DmControl\DmPnP 89A6E1F8
Device \Driver\dmio \Device\DmControl\DmInfo 89A6E1F8
Device \Driver\usbohci \Device\USBPDO-1 898951F8
Device \Driver\usbehci \Device\USBPDO-2 897CC1F8
Device \Driver\usbohci \Device\USBPDO-3 898951F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89ADB1F8
Device \Driver\Cdrom \Device\CdRom0 898AB500
Device \Driver\sptd \Device\3338092680 spgg.sys
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 899C139B
Device \Driver\atapi \Device\Ide\IdePort0 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 899C139B
Device \Driver\atapi \Device\Ide\IdePort1 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 899C139B
Device \Driver\atapi \Device\Ide\IdePort2 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 899C139B
Device \Driver\atapi \Device\Ide\IdePort3 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-1b 899C139B
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1b [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-13 899C139B
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-13 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 898AB500
Device \Driver\Cdrom \Device\CdRom2 898AB500
Device \Driver\NetBT \Device\NetBt_Wins_Export 894CF500
Device \Driver\usbohci \Device\USBFDO-0 898951F8
Device \Driver\usbohci \Device\USBFDO-1 898951F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 899101F8
Device \Driver\usbohci \Device\USBFDO-2 898951F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 899101F8
Device \Driver\usbehci \Device\USBFDO-3 897CC1F8
Device \Driver\Ftdisk \Device\FtControl 89ADB1F8
Device \Driver\ap7f3q9r \Device\Scsi\ap7f3q9r1Port4Path0Target0Lun0 89877500
Device \Driver\ap7f3q9r \Device\Scsi\ap7f3q9r1 89877500
Device \FileSystem\Fastfat \Fat 897A51F8
Device \FileSystem\Cdfs \Cdfs 894CD500
Device \Device\Ide\IdeDeviceP2T0L0-5 -> \??\IDE#DiskST3500830AS_____________________________3.AAD___#5&30d63931&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x89 0x98 0xAD 0x95 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAC 0x50 0x77 0xB9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x28 0xE7 0xCE 0xFB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x89 0x98 0xAD 0x95 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAC 0x50 0x77 0xB9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x28 0xE7 0xCE 0xFB ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
---- EOF - GMER 1.0.15 ----
-------------------------------------------------------------------------------------------------------
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Craig at 8:55:54.34 on 02/04/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1064 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [KUGHGZXAKT] c:\windows\temp\Kn1.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mmhgbaed.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\craig\applic~1\mozilla\firefox\profiles\nopf7y05.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\craig\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-10-7 10064]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2011-3-4 1523008]
S3 apf001;apf001;c:\games\gunbound\gunboundis\apf001.sys [2011-1-13 10872]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 332928]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
=============== File Associations ===============
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-03-29 20:30:35 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-03-29 20:30:35 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-03-28 01:27:15 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2011-03-28 01:27:14 29504 ----a-w- c:\windows\system32\uxtuneup.dll
2011-03-28 01:26:53 -------- d-----w- c:\program files\TuneUp Utilities 2011
2011-03-26 22:06:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 22:06:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 22:06:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-26 21:36:43 98816 ----a-w- c:\windows\sed.exe
2011-03-26 21:36:43 89088 ----a-w- c:\windows\MBR.exe
2011-03-26 21:36:43 256512 ----a-w- c:\windows\PEV.exe
2011-03-26 21:36:43 161792 ----a-w- c:\windows\SWREG.exe
2011-03-23 10:44:35 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-23 10:44:35 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-23 10:44:35 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-23 10:44:35 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-23 10:44:35 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-23 10:44:35 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-23 10:44:35 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-23 10:44:35 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-21 02:29:02 270848 -c----w- c:\windows\system32\dllcache\sbe.dll
2011-03-21 02:29:02 186880 -c----w- c:\windows\system32\dllcache\encdec.dll
2011-03-21 02:26:50 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll
2011-03-21 02:25:27 468480 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-03-21 02:25:27 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-03-21 02:25:26 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2011-03-21 02:25:26 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-03-21 02:25:26 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2011-03-21 02:25:26 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2011-03-21 02:25:25 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2011-03-21 02:25:24 6075904 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-03-21 02:24:30 249856 -c----w- c:\windows\system32\dllcache\odbc32.dll
2011-03-21 02:24:30 143360 -c----w- c:\windows\system32\dllcache\msadco.dll
2011-03-21 02:24:29 536576 -c----w- c:\windows\system32\dllcache\msado15.dll
2011-03-21 02:24:29 200704 -c----w- c:\windows\system32\dllcache\msadox.dll
2011-03-21 02:24:29 180224 -c----w- c:\windows\system32\dllcache\msadomd.dll
2011-03-21 02:24:29 102400 -c----w- c:\windows\system32\dllcache\msjro.dll
2011-03-21 02:24:14 369664 -c----w- c:\windows\system32\dllcache\asp51.dll
2011-03-21 02:23:59 257024 -c----w- c:\windows\system32\dllcache\infocomm.dll
2011-03-21 02:22:35 126976 -c----w- c:\windows\system32\dllcache\ftpsvc2.dll
2011-03-21 02:22:19 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2011-03-21 02:22:04 268288 -c----w- c:\windows\system32\dllcache\httpext.dll
2011-03-21 02:21:07 74752 -c----w- c:\windows\system32\dllcache\msw3prt.dll
2011-03-21 02:21:07 104960 -c----w- c:\windows\system32\dllcache\win32spl.dll
2011-03-21 02:20:10 61440 ----a-w- c:\windows\ContextMenuExt.dll
2011-03-21 02:00:54 614992 ----a-w- c:\windows\system32\COMCTL32.OCX
2011-03-21 02:00:54 53248 ----a-w- c:\windows\system32\SSUBTMR6.DLL
2011-03-21 02:00:54 32584 ----a-w- c:\windows\system32\FM20ENU.DLL
2011-03-21 02:00:54 218432 ----a-w- c:\windows\system32\RICHTX32.OCX
2011-03-21 02:00:54 155984 ----a-w- c:\windows\system32\COMDLG32.OCX
2011-03-21 02:00:54 1146184 ----a-w- c:\windows\system32\FM20.DLL
2011-03-21 01:54:10 127808 ----a-w- c:\windows\system32\MSWINSCK.OCX
2011-03-21 01:54:10 10752 ----a-w- c:\windows\system32\aamd532.dll
2011-03-21 01:00:03 -------- d-----w- c:\docume~1\craig\applic~1\DriverCure
2011-03-21 01:00:02 -------- d-----w- c:\docume~1\craig\applic~1\ParetoLogic
2011-03-21 00:59:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2011-03-20 21:49:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-20 21:43:43 -------- d-----w- c:\windows\system32\NtmsData
2011-03-17 00:44:35 -------- d-----w- c:\docume~1\craig\applic~1\Intelli-studio
2011-03-13 04:42:08 -------- d-----w- c:\docume~1\craig\locals~1\applic~1\Google
2011-03-12 21:49:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
2011-03-10 07:08:27 45568 ----a-w- c:\windows\UniFish3.exe
2011-03-04 10:41:03 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-04 10:41:03 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-03-21 02:58:43 241436 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-03-21 02:58:43 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-03-21 02:58:42 241428 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 04:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 02:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-14 02:16:33 12920 ----a-w- c:\windows\system32\apl001.sys
2011-01-14 02:16:33 10872 ----a-w- c:\windows\system32\apf001.sys
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3500830AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-5
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x899C1555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x899c77b0]; MOV EAX, [0x899c782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x89A36AB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000062[0x89AACB58]
5 ACPI[0xB7E74620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89A30D98]
\Driver\atapi[0x899AA2A8] -> IRP_MJ_CREATE -> 0x899C1555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-5 -> \??\IDE#DiskST3500830AS_____________________________3.AAD___#5&30d63931&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x899C139B
user & kernel MBR OK
copy of MBR has been found in sector 976752000
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 8:56:41.17 ===============
Malwarebytes comes up clean, cheers again.
Here are my logs, cheers.
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-02 08:48:15
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 ST3500830AS rev.3.AAD
Running: c5lwcfye.exe; Driver: C:\DOCUME~1\Craig\LOCALS~1\Temp\pwqyrfod.sys
---- System - GMER 1.0.15 ----
SSDT spgg.sys ZwCreateKey [0xB7EB50E0]
SSDT spgg.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spgg.sys ZwEnumerateValueKey [0xB7ECE132]
SSDT spgg.sys ZwOpenKey [0xB7EB50C0]
SSDT spgg.sys ZwQueryKey [0xB7ECE20A]
SSDT spgg.sys ZwQueryValueKey [0xB7ECE08A]
SSDT spgg.sys ZwSetValueKey [0xB7ECE29C]
INT 0x62 ? 89ADABF8
INT 0x74 ? 897DBBF8
INT 0x82 ? 89ADABF8
INT 0x83 ? 89ADABF8
INT 0x84 ? 897DBBF8
INT 0x94 ? 897DBBF8
INT 0xB4 ? 897DBBF8
---- Kernel code sections - GMER 1.0.15 ----
? spgg.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5F9D3A0, 0x5CC259, 0xE8000020]
.text USBPORT.SYS!DllUnload B5EEB8AC 5 Bytes JMP 897DB1D8
.text ap7f3q9r.SYS B5E9A386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ap7f3q9r.SYS B5E9A3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ap7f3q9r.SYS B5E9A3C4 3 Bytes [00, 80, 02]
.text ap7f3q9r.SYS B5E9A3C9 1 Byte [30]
.text ap7f3q9r.SYS B5E9A3C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1104] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00AA000A
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EB6042] spgg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EB613E] spgg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EB60C0] spgg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EB6800] spgg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EB66D6] spgg.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EC5B90] spgg.sys
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ap7f3q9r.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 89AD91F8
Device \FileSystem\Fastfat \FatCdrom 897A51F8
Device \Driver\PCI_PNP0180 \Device\00000040 spgg.sys
Device \Driver\usbohci \Device\USBPDO-0 898951F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B39CC196-669E-4494-A518-3F5765F4198B} 894CF500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89A6E1F8
Device \Driver\dmio \Device\DmControl\DmConfig 89A6E1F8
Device \Driver\dmio \Device\DmControl\DmPnP 89A6E1F8
Device \Driver\dmio \Device\DmControl\DmInfo 89A6E1F8
Device \Driver\usbohci \Device\USBPDO-1 898951F8
Device \Driver\usbehci \Device\USBPDO-2 897CC1F8
Device \Driver\usbohci \Device\USBPDO-3 898951F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89ADB1F8
Device \Driver\Cdrom \Device\CdRom0 898AB500
Device \Driver\sptd \Device\3338092680 spgg.sys
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 899C139B
Device \Driver\atapi \Device\Ide\IdePort0 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 899C139B
Device \Driver\atapi \Device\Ide\IdePort1 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 899C139B
Device \Driver\atapi \Device\Ide\IdePort2 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 899C139B
Device \Driver\atapi \Device\Ide\IdePort3 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-1b 899C139B
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1b [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-13 899C139B
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-13 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 898AB500
Device \Driver\Cdrom \Device\CdRom2 898AB500
Device \Driver\NetBT \Device\NetBt_Wins_Export 894CF500
Device \Driver\usbohci \Device\USBFDO-0 898951F8
Device \Driver\usbohci \Device\USBFDO-1 898951F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 899101F8
Device \Driver\usbohci \Device\USBFDO-2 898951F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 899101F8
Device \Driver\usbehci \Device\USBFDO-3 897CC1F8
Device \Driver\Ftdisk \Device\FtControl 89ADB1F8
Device \Driver\ap7f3q9r \Device\Scsi\ap7f3q9r1Port4Path0Target0Lun0 89877500
Device \Driver\ap7f3q9r \Device\Scsi\ap7f3q9r1 89877500
Device \FileSystem\Fastfat \Fat 897A51F8
Device \FileSystem\Cdfs \Cdfs 894CD500
Device \Device\Ide\IdeDeviceP2T0L0-5 -> \??\IDE#DiskST3500830AS_____________________________3.AAD___#5&30d63931&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x89 0x98 0xAD 0x95 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAC 0x50 0x77 0xB9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x28 0xE7 0xCE 0xFB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x89 0x98 0xAD 0x95 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAC 0x50 0x77 0xB9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x28 0xE7 0xCE 0xFB ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
---- EOF - GMER 1.0.15 ----
-------------------------------------------------------------------------------------------------------
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Craig at 8:55:54.34 on 02/04/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1064 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [KUGHGZXAKT] c:\windows\temp\Kn1.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mmhgbaed.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\craig\applic~1\mozilla\firefox\profiles\nopf7y05.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\craig\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-10-7 10064]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2011-3-4 1523008]
S3 apf001;apf001;c:\games\gunbound\gunboundis\apf001.sys [2011-1-13 10872]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 332928]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
=============== File Associations ===============
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-03-29 20:30:35 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-03-29 20:30:35 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-03-28 01:27:15 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2011-03-28 01:27:14 29504 ----a-w- c:\windows\system32\uxtuneup.dll
2011-03-28 01:26:53 -------- d-----w- c:\program files\TuneUp Utilities 2011
2011-03-26 22:06:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 22:06:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 22:06:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-26 21:36:43 98816 ----a-w- c:\windows\sed.exe
2011-03-26 21:36:43 89088 ----a-w- c:\windows\MBR.exe
2011-03-26 21:36:43 256512 ----a-w- c:\windows\PEV.exe
2011-03-26 21:36:43 161792 ----a-w- c:\windows\SWREG.exe
2011-03-23 10:44:35 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-23 10:44:35 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-23 10:44:35 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-23 10:44:35 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-23 10:44:35 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-23 10:44:35 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-23 10:44:35 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-23 10:44:35 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-21 02:29:02 270848 -c----w- c:\windows\system32\dllcache\sbe.dll
2011-03-21 02:29:02 186880 -c----w- c:\windows\system32\dllcache\encdec.dll
2011-03-21 02:26:50 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll
2011-03-21 02:25:27 468480 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-03-21 02:25:27 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-03-21 02:25:26 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2011-03-21 02:25:26 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-03-21 02:25:26 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2011-03-21 02:25:26 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2011-03-21 02:25:25 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2011-03-21 02:25:24 6075904 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-03-21 02:24:30 249856 -c----w- c:\windows\system32\dllcache\odbc32.dll
2011-03-21 02:24:30 143360 -c----w- c:\windows\system32\dllcache\msadco.dll
2011-03-21 02:24:29 536576 -c----w- c:\windows\system32\dllcache\msado15.dll
2011-03-21 02:24:29 200704 -c----w- c:\windows\system32\dllcache\msadox.dll
2011-03-21 02:24:29 180224 -c----w- c:\windows\system32\dllcache\msadomd.dll
2011-03-21 02:24:29 102400 -c----w- c:\windows\system32\dllcache\msjro.dll
2011-03-21 02:24:14 369664 -c----w- c:\windows\system32\dllcache\asp51.dll
2011-03-21 02:23:59 257024 -c----w- c:\windows\system32\dllcache\infocomm.dll
2011-03-21 02:22:35 126976 -c----w- c:\windows\system32\dllcache\ftpsvc2.dll
2011-03-21 02:22:19 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2011-03-21 02:22:04 268288 -c----w- c:\windows\system32\dllcache\httpext.dll
2011-03-21 02:21:07 74752 -c----w- c:\windows\system32\dllcache\msw3prt.dll
2011-03-21 02:21:07 104960 -c----w- c:\windows\system32\dllcache\win32spl.dll
2011-03-21 02:20:10 61440 ----a-w- c:\windows\ContextMenuExt.dll
2011-03-21 02:00:54 614992 ----a-w- c:\windows\system32\COMCTL32.OCX
2011-03-21 02:00:54 53248 ----a-w- c:\windows\system32\SSUBTMR6.DLL
2011-03-21 02:00:54 32584 ----a-w- c:\windows\system32\FM20ENU.DLL
2011-03-21 02:00:54 218432 ----a-w- c:\windows\system32\RICHTX32.OCX
2011-03-21 02:00:54 155984 ----a-w- c:\windows\system32\COMDLG32.OCX
2011-03-21 02:00:54 1146184 ----a-w- c:\windows\system32\FM20.DLL
2011-03-21 01:54:10 127808 ----a-w- c:\windows\system32\MSWINSCK.OCX
2011-03-21 01:54:10 10752 ----a-w- c:\windows\system32\aamd532.dll
2011-03-21 01:00:03 -------- d-----w- c:\docume~1\craig\applic~1\DriverCure
2011-03-21 01:00:02 -------- d-----w- c:\docume~1\craig\applic~1\ParetoLogic
2011-03-21 00:59:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2011-03-20 21:49:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-20 21:43:43 -------- d-----w- c:\windows\system32\NtmsData
2011-03-17 00:44:35 -------- d-----w- c:\docume~1\craig\applic~1\Intelli-studio
2011-03-13 04:42:08 -------- d-----w- c:\docume~1\craig\locals~1\applic~1\Google
2011-03-12 21:49:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
2011-03-10 07:08:27 45568 ----a-w- c:\windows\UniFish3.exe
2011-03-04 10:41:03 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-04 10:41:03 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-03-21 02:58:43 241436 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-03-21 02:58:43 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-03-21 02:58:42 241428 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 04:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 02:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-14 02:16:33 12920 ----a-w- c:\windows\system32\apl001.sys
2011-01-14 02:16:33 10872 ----a-w- c:\windows\system32\apf001.sys
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3500830AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-5
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x899C1555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x899c77b0]; MOV EAX, [0x899c782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x89A36AB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000062[0x89AACB58]
5 ACPI[0xB7E74620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89A30D98]
\Driver\atapi[0x899AA2A8] -> IRP_MJ_CREATE -> 0x899C1555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-5 -> \??\IDE#DiskST3500830AS_____________________________3.AAD___#5&30d63931&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x899C139B
user & kernel MBR OK
copy of MBR has been found in sector 976752000
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 8:56:41.17 ===============
Malwarebytes comes up clean — cheers again. (For anyone reading the log: the ROOTKIT section above still reports `Warning: possible TDL3 rootkit infection !` with a hooked `\Driver\atapi DriverStartIo`, and the HJT section lists an autorun entry `dRun: [KUGHGZXAKT] c:\windows\temp\Kn1.exe`, so a clean Malwarebytes result on its own is not conclusive here.)