Inactive Virus job... help needed

[SledgeProne]

Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.09.12
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Ed :: HOME-PC [administrator]
Protection: Enabled
8/9/2012 8:10:08 PM
mbam-log-2012-08-09 (20-10-08).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 228264
Time elapsed: 4 minute(s), 44 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
===============================

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-08-09 20:20:59
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 WDC_WD800JD-55MUA1 rev.10.01E01
Running: 4l5owe5q.exe; Driver: C:\DOCUME~1\Ed\LOCALS~1\Temp\kxtdipow.sys

---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 89D8B39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89D8B39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89D8B39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 89D8B39B
Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD800JD-55MUA1______________________10.01E01#5&16368115&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- EOF - GMER 1.0.15 ----
===================================

 

[SledgeProne]

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by Ed at 20:23:16 on 2012-08-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1434 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Google\Update\1.3.21.115\GoogleCrashHandler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\American Systems\Print Screen\prtsc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============

 

[SledgeProne]

.
uStart Page = hxxp://www.att.net/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80118
mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80118
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No File
TB: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - No File
TB: {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - No File
TB: att.net Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [FixCleaner] c:\program files\fixcleaner\FixCleaner.exe -boot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Print Screen] c:\program files\american systems\print screen\prtsc.exe /m
mRun: [SiteRanker] "c:\program files\siteranker\SiteRankTray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe

 

[SledgeProne]

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet k series\bin\hpoorn07.exe
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com\clientapps
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1072946965718
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1072946978468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-10 655944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-10 22344]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-4 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-23 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-4 136176]
.
=============== Created Last 30 ================
.
2012-08-10 00:32:38 -------- d-----w- c:\documents and settings\ed\local settings\application data\Identities
2012-08-09 04:55:39 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-08-08 06:39:05 -------- d-----w- c:\documents and settings\ed\local settings\application data\Sun
2012-08-08 02:03:46 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-08 02:03:46 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-08 02:03:46 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-08 02:03:36 -------- d-----w- c:\program files\Oracle
.
==================== Find3M ====================
.
2012-08-09 05:06:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-08-03 05:31:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-03 05:31:21 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-03 20:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-55MUA1 rev.10.01E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D8B555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d917b0]; MOV EAX, [0x89d9182c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89DCDAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000061[0x89E369E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89DCFD98]
\Driver\atapi[0x89D9EA08] -> IRP_MJ_CREATE -> 0x89D8B555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD800JD-55MUA1______________________10.01E01#5&16368115&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D8B39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:24:25.48 ===============
　
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.att.net/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80118
mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80118
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No File
TB: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - No File
TB: {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - No File
TB: att.net Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [FixCleaner] c:\program files\fixcleaner\FixCleaner.exe -boot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Print Screen] c:\program files\american systems\print screen\prtsc.exe /m
mRun: [SiteRanker] "c:\program files\siteranker\SiteRankTray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet k series\bin\hpoorn07.exe
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com\clientapps
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1072946965718
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1072946978468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-10 655944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-10 22344]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-4 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-23 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-4 136176]
.
=============== Created Last 30 ================
.
2012-08-10 00:32:38 -------- d-----w- c:\documents and settings\ed\local settings\application data\Identities
2012-08-09 04:55:39 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-08-08 06:39:05 -------- d-----w- c:\documents and settings\ed\local settings\application data\Sun
2012-08-08 02:03:46 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-08 02:03:46 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-08 02:03:46 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-08 02:03:36 -------- d-----w- c:\program files\Oracle
.
==================== Find3M ====================
.
2012-08-09 05:06:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-08-03 05:31:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-03 05:31:21 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-03 20:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-55MUA1 rev.10.01E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D8B555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d917b0]; MOV EAX, [0x89d9182c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89DCDAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000061[0x89E369E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89DCFD98]
\Driver\atapi[0x89D9EA08] -> IRP_MJ_CREATE -> 0x89D8B555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD800JD-55MUA1______________________10.01E01#5&16368115&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D8B39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:24:25.48 ===============

 

[SledgeProne]

DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/1/2004 12:32:02 AM
System Uptime: 8/9/2012 8:06:14 PM (0 hours ago)
.
Motherboard: Intel Corporation | | D945GCNL
Processor: Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz | LGA 775 | 2394/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 50.886 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP981: 5/11/2012 7:03:40 PM - System Checkpoint
RP982: 5/12/2012 7:10:52 PM - System Checkpoint
RP983: 5/13/2012 7:28:20 PM - System Checkpoint
RP984: 5/14/2012 7:36:11 PM - System Checkpoint
RP985: 5/15/2012 8:25:09 PM - System Checkpoint
RP986: 5/16/2012 9:49:56 PM - System Checkpoint
RP987: 5/18/2012 6:42:38 AM - System Checkpoint
RP988: 5/19/2012 12:37:51 PM - System Checkpoint
RP989: 5/20/2012 1:21:22 PM - System Checkpoint
RP990: 5/23/2012 7:27:53 PM - System Checkpoint
RP991: 5/24/2012 8:17:58 PM - System Checkpoint
RP992: 5/26/2012 9:09:22 AM - System Checkpoint
RP993: 5/27/2012 11:53:44 AM - System Checkpoint
RP994: 5/28/2012 12:22:08 PM - System Checkpoint
RP995: 5/29/2012 5:55:04 PM - System Checkpoint
RP996: 5/30/2012 6:42:20 PM - System Checkpoint
RP997: 5/31/2012 6:44:32 PM - System Checkpoint
RP998: 6/1/2012 7:38:21 PM - System Checkpoint
RP999: 6/2/2012 8:09:00 PM - System Checkpoint
RP1000: 6/4/2012 8:05:28 PM - System Checkpoint
RP1001: 6/5/2012 8:55:38 PM - System Checkpoint
RP1002: 6/7/2012 6:16:34 AM - System Checkpoint
RP1003: 6/10/2012 6:04:27 PM - System Checkpoint
RP1004: 6/11/2012 7:54:43 PM - System Checkpoint
RP1005: 6/13/2012 5:25:01 AM - System Checkpoint
RP1006: 6/14/2012 6:16:06 AM - System Checkpoint
RP1007: 6/15/2012 8:05:48 PM - System Checkpoint
RP1008: 6/16/2012 8:06:47 PM - System Checkpoint
RP1009: 6/17/2012 8:43:36 PM - System Checkpoint
RP1010: 6/19/2012 8:27:04 PM - System Checkpoint
RP1011: 6/20/2012 8:58:16 PM - System Checkpoint
RP1012: 6/22/2012 6:21:08 AM - System Checkpoint
RP1013: 6/24/2012 12:16:12 PM - System Checkpoint
RP1014: 6/25/2012 7:23:47 PM - System Checkpoint
RP1015: 6/26/2012 7:56:43 PM - System Checkpoint
RP1016: 6/27/2012 8:06:47 PM - System Checkpoint
RP1017: 6/29/2012 6:24:08 AM - System Checkpoint
RP1018: 6/30/2012 6:32:30 PM - System Checkpoint
RP1019: 7/1/2012 6:38:43 PM - System Checkpoint
RP1020: 7/2/2012 6:40:46 PM - System Checkpoint
RP1021: 7/3/2012 9:05:21 PM - System Checkpoint
RP1022: 7/4/2012 11:47:28 PM - System Checkpoint
RP1023: 7/6/2012 5:44:46 AM - System Checkpoint
RP1024: 7/7/2012 12:16:10 PM - System Checkpoint
RP1025: 7/8/2012 3:28:52 PM - System Checkpoint
RP1026: 7/9/2012 4:13:20 PM - System Checkpoint
RP1027: 7/10/2012 6:36:07 PM - System Checkpoint
RP1028: 7/11/2012 6:46:13 PM - System Checkpoint
RP1029: 7/12/2012 7:57:04 PM - System Checkpoint
RP1030: 7/13/2012 8:08:37 PM - System Checkpoint
RP1031: 7/14/2012 8:44:54 PM - System Checkpoint
RP1032: 7/15/2012 9:05:41 PM - System Checkpoint
RP1033: 7/16/2012 9:47:05 PM - System Checkpoint
RP1034: 7/17/2012 10:26:39 PM - System Checkpoint
RP1035: 7/19/2012 4:40:42 AM - System Checkpoint
RP1036: 7/20/2012 11:05:25 AM - System Checkpoint
RP1037: 7/21/2012 12:16:12 PM - System Checkpoint
RP1038: 7/22/2012 1:10:18 PM - System Checkpoint
RP1039: 7/23/2012 1:18:12 PM - System Checkpoint
RP1040: 7/24/2012 9:26:46 PM - System Checkpoint
RP1041: 7/26/2012 12:17:37 AM - System Checkpoint
RP1042: 7/27/2012 5:47:13 AM - System Checkpoint
RP1043: 7/28/2012 9:36:59 AM - System Checkpoint
RP1044: 7/29/2012 6:44:15 PM - System Checkpoint
RP1045: 7/30/2012 7:56:34 PM - System Checkpoint
RP1046: 7/31/2012 8:36:53 PM - System Checkpoint
RP1047: 8/2/2012 6:13:31 AM - System Checkpoint
RP1048: 8/3/2012 11:48:04 AM - System Checkpoint
RP1049: 8/3/2012 7:05:28 PM - Removed Security Update for CAPICOM (KB931906)
RP1050: 8/4/2012 7:16:58 PM - System Checkpoint
RP1051: 8/5/2012 7:55:57 PM - System Checkpoint
RP1052: 8/6/2012 8:30:19 PM - System Checkpoint
RP1053: 8/7/2012 6:28:17 PM - Installed FixCleaner
RP1054: 8/7/2012 6:40:12 PM - Before Cleaning
RP1055: 8/7/2012 7:03:09 PM - Installed Java(TM) 7 Update 5
RP1056: 8/7/2012 7:03:34 PM - Installed JavaFX 2.1.1
RP1057: 8/7/2012 7:06:44 PM - Before Updating
RP1058: 8/7/2012 7:12:15 PM - Before Updating
RP1059: 8/7/2012 7:25:57 PM - Before Updating
RP1060: 8/7/2012 11:05:55 PM - Before Updating
RP1061: 8/7/2012 11:25:31 PM - Before Updating
RP1062: 8/9/2012 6:26:31 AM - System Checkpoint
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AT&T Yahoo! Internet Mail
ATT-AACE
att.net Toolbar
Bonjour
CCleaner
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Data Fax SoftModem with SmartCP
Defraggler
FixCleaner
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp instant support
hp officejet k series
Intel(R) Graphics Media Accelerator Driver
Internet Explorer (Enable DEP)
iTunes
Java Auto Updater
Java(TM) 6 Update 17
Java(TM) 6 Update 4
Java(TM) 7 Update 5
JavaFX 2.1.1
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
MSN Toolbar
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
OpenOffice.org 2.4
Print Screen
QuickTime
QuickTime 3.0
Realtek High Definition Audio Driver
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Spelling Dictionaries Support For Adobe Reader 9
Su-Doku Quest
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows Presentation Foundation
Windows XP Service Pack 3
WinZip
Yahoo! Software Update
.
==== Event Viewer Messages From Past Week ========
.
8/8/2012 9:44:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/8/2012 8:42:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm
8/8/2012 8:41:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/7/2012 7:29:52 PM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
8/5/2012 11:00:10 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
8/5/2012 10:58:20 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the path specified.
.
==== End Of File ===========================

Please excuse the use of four posts to submit these logs. All attempts of lengthier text, via the infected machine, were denied. Eventually, it became futile.

 

[SledgeProne]

System intermittantly hangs at various points during bootup sequence into normal, or Safe Mode.
Experiences frequent redirects, and continuous freezing of both Safari and IE.
Will attempt to install A\V, as system was without. Trend Micro Housecall scan found two trojans, and fixed. Problems however quickly returned, while consequently a subsequent scan, found no new infection.

 

[Jay Pfoutz]

Hi! Sounds like quite a MBR infection...

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


Please download aswMBR from here

• Save aswMBR.exe to your Desktop
• Double click aswMBR.exe to run it
• Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

• Once the scan finishes click Save log to save the log to your Desktop
  
  
  
  
• Copy and paste the contents of aswMBR.txt back here for review

 

[Jay Pfoutz]

Hello. Are you still with us?

Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

Thanks.