Wooster

Members
Content count: 22
Rank: New Member
  1. Since I am unable to run DDS.scr, I ran HijackThis instead.

     Logfile of Trend Micro HijackThis v2.0.4
     Scan saved at 4:04:44 PM, on 12/20/2011
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\WLTRYSVC.EXE
     C:\WINDOWS\System32\bcmwltry.exe
     C:\Program Files\AVAST Software\Avast\AvastSvc.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\rundll32.exe
     C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
     C:\WINDOWS\system32\WLTRAY.exe
     C:\WINDOWS\BCMSMMSG.exe
     C:\Program Files\Apoint\Apoint.exe
     C:\Program Files\Common Files\Java\Java Update\jusched.exe
     C:\Program Files\AVAST Software\Avast\avastUI.exe
     C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
     C:\Program Files\I8kfanGUI\I8kfanGUI.exe
     C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Apoint\Apntex.exe
     C:\Program Files\Spybot\TeaTimer.exe
     C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
     C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
     C:\Program Files\Dell\Bluetooth Software\BTTray.exe
     C:\Program Files\YZ Dock\YzDock.exe
     C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
     C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Documents and Settings\Wooster\Desktop\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
     O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
     O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
     O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
     O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
     O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
     O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
     O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
     O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
     O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
     O4 - HKCU\..\Run: [speedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
     O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
     O4 - Startup: YzDock.lnk = C:\Program Files\YZ Dock\YzDock.exe
     O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
     O4 - Global Startup: BTTray.lnk = ?
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
     O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
     O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
     O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
     O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
     O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
     O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: PEVSystemStart - Unknown owner - C:\Combo-Fix\pev.3XE (file missing)
     O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

     --
     End of file - 7007 bytes
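     A HijackThis log like the one above is read by a helper mostly through its O4 (autostart) and O23 (service) lines: a service whose binary is gone ("file missing"), an executable living outside the Windows or Program Files trees, a bare filename that gets resolved through PATH, or a service with no publisher in its version info ("Unknown owner") are the first things to look at. The script below is an added example, not code from this post or from HijackThis; it pulls those lines out of a log and applies exactly those heuristics. The sample lines are copied from the log in this post, and the list of trusted root directories is an assumption for a default C: install.

```python
"""Triage a HijackThis log for the entries a malware-removal helper reads first.

Added example, not code from the forum post or from HijackThis. The sample
lines are copied from the posted log; the flagging rules (trusted roots, the
"file missing" and "Unknown owner" cues) are this example's own heuristics.
"""
import re

# Constructed input: a handful of O4 (autostart) and O23 (service) lines
# taken from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - Global Startup: BTTray.lnk = ?
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\Combo-Fix\pev.3XE (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# Directories from which autostarts and services normally load on a default
# XP install on C: (an assumption of this example; extend for other layouts).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<hive>.+?): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


def executable_of(cmd):
    """Return the program path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted: cut at the first argument that looks like a switch (" /x" or " -x").
    return re.split(r" (?=[/-])", cmd, maxsplit=1)[0]


def triage(log_text):
    """Return one finding per O4/O23 entry that deserves a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        owner, missing = None, False
        m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
        if m:
            kind, name, exe = "O4", m["name"], executable_of(m["cmd"])
        else:
            m = O23_RE.match(line)
            if not m:
                continue
            kind, name, owner = "O23", m["name"], m["owner"]
            missing = "(file missing)" in m["path"]
            exe = m["path"].replace("(file missing)", "").strip()

        reasons = []
        if missing:
            reasons.append("file missing")           # service points at nothing: leftover or self-deleted binary
        if exe == "?":
            reasons.append("unresolved target")      # HijackThis could not resolve the .lnk
        elif ":\\" in exe and not exe.lower().startswith(TRUSTED_ROOTS):
            reasons.append("outside trusted roots")  # e.g. a tool's scratch dir, %TEMP%, a user profile
        elif ":\\" not in exe:
            reasons.append("bare filename, resolved via PATH")
        if owner == "Unknown owner":
            reasons.append("no publisher in version info")
        if reasons:
            findings.append({"kind": kind, "name": name, "path": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s  %-45s %s  <- %s" % (f["kind"], f["name"], f["path"], "; ".join(f["reasons"])))
```

     On the sample it flags PEVSystemStart (missing binary, outside the trusted roots, no publisher), the unresolved BTTray.lnk, and wltrysvc for its missing publisher only; the avast and QuickTime entries pass. A finding is a prompt to check the file, not a verdict: wltrysvc is a normal Dell component that simply ships without company info.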
  2. I had an issue with a virus called XP Antispyware 2012. I ran Malwarebytes and it seemed to remove all the obvious traces of the program, but right now the computer still has the following problems:
     1) Unable to start Windows Firewall
     2) Unable to turn on Avast's web shield
     3) Unable to connect to the internet
     Malwarebytes' quick scan finds nothing anymore, as does Avast. I downloaded and ran DDS.scr as per the instructions, but every time it hung and failed to run to completion. Any help you could provide would be most appreciated.

     Bump.
  3. Malwarebytes log:

     Malwarebytes' Anti-Malware 1.45
     www.malwarebytes.org

     Database version: 3989

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     4/15/2010 12:59:27 AM
     mbam-log-2010-04-15 (00-59-27).txt

     Scan type: Quick scan
     Objects scanned: 108548
     Time elapsed: 8 minute(s), 5 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  4. ComboFix log:

     ComboFix 10-04-14.01 - User 04/15/2010 0:02.6.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.221 [GMT -7:00]
     Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
     Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
     AV: avast! antivirus 4.8.1368 [VPS 100413-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     --------------- FCopy ---------------
     c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
     .
     ((((((((((((((((((((((((( Files Created from 2010-03-15 to 2010-04-15 )))))))))))))))))))))))))))))))
     .
     2010-04-13 20:30 . 2010-04-13 20:30 -------- d-----w- c:\documents and settings\User\DoctorWeb
     2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
     2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
     2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator
     2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
     2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-04-13 21:39 . 2004-08-04 12:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
     2010-04-13 19:04 . 2004-08-04 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
     2010-04-13 07:33 . 2005-08-19 03:11 -------- d-----w- c:\program files\QuickTime
     2010-04-13 07:33 . 2009-01-22 03:44 -------- d-----w- c:\program files\iTunes
     2010-04-12 08:13 . 2005-08-13 18:50 -------- d-----w- c:\program files\Common Files\Adobe
     2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot
     2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
     2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes
     2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner
     2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast
     2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
     2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
     2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
     2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
     "NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
     "nwiz"="nwiz.exe" [2003-07-28 323584]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-05 180269]
     "avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

     c:\documents and settings\User\Start Menu\Programs\Startup\
     Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
     @=""

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=

     R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]
     R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uInternet Settings,ProxyOverride = *.local
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
     DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
     FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-04-15 00:18
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'explorer.exe'(2504)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Avast\aswUpdSv.exe
     c:\program files\Avast\ashServ.exe
     c:\mscan\Msoffice\panel.exe
     c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\windows\system32\nvsvc32.exe
     c:\program files\Avast\ashWebSv.exe
     c:\program files\Avast\ashMaiSv.exe
     c:\program files\iPod\bin\iPodService.exe
     .
     **************************************************************************
     .
     Completion time: 2010-04-15 00:30:15 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-04-15 07:30
     ComboFix2.txt 2010-04-14 22:00
     ComboFix3.txt 2010-04-13 08:07
     ComboFix4.txt 2010-04-13 06:53
     ComboFix5.txt 2010-04-15 06:23

     Pre-Run: 15,259,136,000 bytes free
     Post-Run: 15,218,479,104 bytes free

     - - End Of File - - C4736639F86389E703799D13E03C4A95

     HijackThis log:

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 12:38:17 AM, on 4/15/2010
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Avast\aswUpdSv.exe
     C:\Program Files\Avast\ashServ.exe
     C:\Program Files\Common Files\Real\Update_OB\realsched.exe
     C:\PROGRA~1\Avast\ashDisp.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\MSCAN\Msoffice\panel.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\Program Files\Avast\ashWebSv.exe
     C:\Program Files\Avast\ashMaiSv.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\WINDOWS\explorer.exe
     C:\WINDOWS\system32\notepad.exe
     C:\Program Files\internet explorer\iexplore.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\internet explorer\iexplore.exe
     C:\Program Files\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
     O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
     O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
     O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
     O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
     O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
     O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
     O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
     O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
     O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
     O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
     O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
     O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
     O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
     O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
     O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
     O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
     O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
     O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
     O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
     O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
     O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

     --
     End of file - 6958 bytes

     Internet connection is back, and I can now enable the firewall. I haven't seen any popups yet, but they were pretty sporadic to start with.
  5. ComboFix log:

     ComboFix 10-04-14.01 - User 04/14/2010 14:31:40.4.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.162 [GMT -7:00]
     Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
     AV: avast! antivirus 4.8.1368 [VPS 100413-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_PRAGMAyycvksevpe
     -------\Service_PRAGMAyycvksevpe

     ((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))
     .
     2010-04-13 20:30 . 2010-04-13 20:30 -------- d-----w- c:\documents and settings\User\DoctorWeb
     2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
     2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
     2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator
     2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
     2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-04-13 21:41 . 2004-08-04 12:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
     2010-04-13 19:04 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
     2010-04-13 07:33 . 2005-08-19 03:11 -------- d-----w- c:\program files\QuickTime
     2010-04-13 07:33 . 2009-01-22 03:44 -------- d-----w- c:\program files\iTunes
     2010-04-12 08:13 . 2005-08-13 18:50 -------- d-----w- c:\program files\Common Files\Adobe
     2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot
     2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
     2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes
     2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner
     2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast
     2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
     2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-03-28 23:14 . 2010-03-28 23:13 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
     2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
     2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
     2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
     .
     ------- Sigcheck -------

     [-] 2010-04-13 21:41 . F8B2F0BB355F55573D7738B96D8A36E2 . 361600 . . [------] . . c:\windows\system32\drivers\tcpip.sys
     [7] 2010-04-13 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
     [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
     [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\ERDNT\cache\tcpip.sys
     [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
     [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
     [-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
     [-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
     [-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
     [-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
     [-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
     [-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
     [-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
     [-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
     [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
     "NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
     "nwiz"="nwiz.exe" [2003-07-28 323584]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-05 180269]
     "avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

     c:\documents and settings\User\Start Menu\Programs\Startup\
     Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
     @=""

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=

     R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]
     R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uInternet Settings,ProxyOverride = *.local
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
     DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
     FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\
     .
     - - - - ORPHANS REMOVED - - - -

     SafeBoot-klmdb.sys

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-04-14 14:50
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'explorer.exe'(132)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Avast\aswUpdSv.exe
     c:\program files\Avast\ashServ.exe
     c:\mscan\Msoffice\panel.exe
     c:\windows\system32\nvsvc32.exe
     c:\program files\Avast\ashMaiSv.exe
     c:\program files\iPod\bin\iPodService.exe
     c:\windows\system32\wscntfy.exe
     .
     **************************************************************************
     .
     Completion time: 2010-04-14 15:00:11 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-04-14 22:00
     ComboFix2.txt 2010-04-13 08:07
     ComboFix3.txt 2010-04-13 06:53
     ComboFix4.txt 2010-04-12 07:41

     Pre-Run: 15,390,220,288 bytes free
     Post-Run: 15,274,008,576 bytes free

     - - End Of File - - 836780DBFCBB06C3D86EA803AB879A4C
  6. DrWeb log:

A0101706.sys;C:\System Volume Information\_restore{8CC6B88E-C138-43A8-906D-A7A1EF8D664E}\RP1576;BackDoor.Tdss.2459;Cured.;
App06868.exe\hp/tmp/Install.JS;D:\I386\APPS\APP06868\App06868.exe;Probably SCRIPT.Virus;;
App06868.exe;D:\I386\APPS\APP06868;Archive contains infected objects;Moved.;
A0101720.exe\hp/tmp/Install.JS;D:\System Volume Information\_restore{8CC6B88E-C138-43A8-906D-A7A1EF8D664E}\RP1577\A0101720.exe;Probably SCRIPT.Virus;;
A0101720.exe;D:\System Volume Information\_restore{8CC6B88E-C138-43A8-906D-A7A1EF8D664E}\RP1577;Archive contains infected objects;Moved.;

The quick scan also found BackDoor.Tdss.2459 in c:\windows\system32\drivers\tcpip.sys and cured it.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:32 PM, on 4/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
C:\MSCAN\Msoffice\panel.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6719 bytes

I am also getting 4 Avast errors on startup (all Error 10050) and can't connect to the internet (won't recognize the connection).
  7. I'm still running the complete scan. It's taking a long time.
  8. The quick scan seems to be curing the same file (c:\windows\system32\drivers\tcpip.sys) over and over again.
  9. I noticed that there was an option to update DrWeb. Should I have done this before starting the scan?
  10. There does not appear to be any change. Still getting occasional popups and I can't enable the firewall.
  11. TDSSKiller log:

12:03:14:187 2508 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:03:14:187 2508 ================================================================================
12:03:14:187 2508 SystemInfo:
12:03:14:187 2508 OS Version: 5.1.2600 ServicePack: 3.0
12:03:14:187 2508 Product type: Workstation
12:03:14:187 2508 ComputerName: FAMILYCOMPUTER
12:03:14:187 2508 UserName: User
12:03:14:187 2508 Windows directory: C:\WINDOWS
12:03:14:187 2508 Processor architecture: Intel x86
12:03:14:187 2508 Number of processors: 1
12:03:14:187 2508 Page size: 0x1000
12:03:14:234 2508 Boot type: Normal boot
12:03:14:234 2508 ================================================================================
12:03:14:250 2508 UnloadDriverW: NtUnloadDriver error 2
12:03:14:250 2508 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:03:14:359 2508 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:03:14:359 2508 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:03:14:359 2508 wfopen_ex: Trying to KLMD file open
12:03:14:359 2508 wfopen_ex: File opened ok (Flags 2)
12:03:14:359 2508 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:03:14:359 2508 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:03:14:359 2508 wfopen_ex: Trying to KLMD file open
12:03:14:359 2508 wfopen_ex: File opened ok (Flags 2)
12:03:14:359 2508 Initialize success
12:03:14:359 2508
12:03:14:359 2508 Scanning Services ...
12:03:16:000 2508 Raw services enum returned 314 services
12:03:16:015 2508
12:03:16:015 2508 Scanning Kernel memory ...
12:03:16:015 2508 Devices to scan: 3
12:03:16:015 2508
12:03:16:015 2508 Driver Name: Disk
12:03:16:015 2508 IRP_MJ_CREATE : F865CBB0
12:03:16:015 2508 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:03:16:015 2508 IRP_MJ_CLOSE : F865CBB0
12:03:16:015 2508 IRP_MJ_READ : F8656D1F
12:03:16:015 2508 IRP_MJ_WRITE : F8656D1F
12:03:16:015 2508 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_QUERY_EA : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_EA : 804FA88E
12:03:16:015 2508 IRP_MJ_FLUSH_BUFFERS : F86572E2
12:03:16:015 2508 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:03:16:015 2508 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:03:16:015 2508 IRP_MJ_DEVICE_CONTROL : F86573BB
12:03:16:015 2508 IRP_MJ_INTERNAL_DEVICE_CONTROL : F865AF28
12:03:16:015 2508 IRP_MJ_SHUTDOWN : F86572E2
12:03:16:015 2508 IRP_MJ_LOCK_CONTROL : 804FA88E
12:03:16:015 2508 IRP_MJ_CLEANUP : 804FA88E
12:03:16:015 2508 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:03:16:015 2508 IRP_MJ_QUERY_SECURITY : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_SECURITY : 804FA88E
12:03:16:015 2508 IRP_MJ_POWER : F8658C82
12:03:16:015 2508 IRP_MJ_SYSTEM_CONTROL : F865D99E
12:03:16:015 2508 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:03:16:015 2508 IRP_MJ_QUERY_QUOTA : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_QUOTA : 804FA88E
12:03:16:046 2508 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:03:16:046 2508
12:03:16:046 2508 Driver Name: Disk
12:03:16:046 2508 IRP_MJ_CREATE : F865CBB0
12:03:16:046 2508 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:03:16:046 2508 IRP_MJ_CLOSE : F865CBB0
12:03:16:046 2508 IRP_MJ_READ : F8656D1F
12:03:16:046 2508 IRP_MJ_WRITE : F8656D1F
12:03:16:046 2508 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_QUERY_EA : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_EA : 804FA88E
12:03:16:046 2508 IRP_MJ_FLUSH_BUFFERS : F86572E2
12:03:16:046 2508 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:03:16:046 2508 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:03:16:046 2508 IRP_MJ_DEVICE_CONTROL : F86573BB
12:03:16:046 2508 IRP_MJ_INTERNAL_DEVICE_CONTROL : F865AF28
12:03:16:046 2508 IRP_MJ_SHUTDOWN : F86572E2
12:03:16:046 2508 IRP_MJ_LOCK_CONTROL : 804FA88E
12:03:16:046 2508 IRP_MJ_CLEANUP : 804FA88E
12:03:16:046 2508 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:03:16:046 2508 IRP_MJ_QUERY_SECURITY : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_SECURITY : 804FA88E
12:03:16:046 2508 IRP_MJ_POWER : F8658C82
12:03:16:046 2508 IRP_MJ_SYSTEM_CONTROL : F865D99E
12:03:16:046 2508 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:03:16:046 2508 IRP_MJ_QUERY_QUOTA : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_QUOTA : 804FA88E
12:03:16:078 2508 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:03:16:078 2508
12:03:16:078 2508 Driver Name: atapi
12:03:16:078 2508 IRP_MJ_CREATE : 826DEAC8
12:03:16:078 2508 IRP_MJ_CREATE_NAMED_PIPE : 826DEAC8
12:03:16:078 2508 IRP_MJ_CLOSE : 826DEAC8
12:03:16:078 2508 IRP_MJ_READ : 826DEAC8
12:03:16:078 2508 IRP_MJ_WRITE : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_EA : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_EA : 826DEAC8
12:03:16:078 2508 IRP_MJ_FLUSH_BUFFERS : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_VOLUME_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_VOLUME_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_DIRECTORY_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_FILE_SYSTEM_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_DEVICE_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_INTERNAL_DEVICE_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_SHUTDOWN : 826DEAC8
12:03:16:078 2508 IRP_MJ_LOCK_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_CLEANUP : 826DEAC8
12:03:16:078 2508 IRP_MJ_CREATE_MAILSLOT : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_SECURITY : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_SECURITY : 826DEAC8
12:03:16:078 2508 IRP_MJ_POWER : 826DEAC8
12:03:16:078 2508 IRP_MJ_SYSTEM_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_DEVICE_CHANGE : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_QUOTA : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_QUOTA : 826DEAC8
12:03:16:078 2508 Driver "atapi" infected by TDSS rootkit!
12:03:16:140 2508 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
12:03:16:140 2508 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
12:03:16:140 2508 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
12:03:16:140 2508 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
12:03:17:109 2508 vfvi6
12:03:17:890 2508 !dsvbh1
12:03:27:203 2508 dsvbh2
12:03:27:203 2508 fdfb2
12:03:27:203 2508 Backup copy found, using it..
12:03:27:250 2508 will be cured on next reboot
12:03:27:250 2508 Reboot required for cure complete..
12:03:27:250 2508 Cure on reboot scheduled successfully
12:03:27:250 2508
12:03:27:250 2508 Completed
12:03:27:250 2508
12:03:27:250 2508 Results:
12:03:27:250 2508 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
12:03:27:250 2508 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:03:27:250 2508 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:03:27:250 2508
12:03:27:250 2508 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:03:27:250 2508 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:03:27:250 2508 UnloadDriverW: NtUnloadDriver error 1
12:03:27:250 2508 KLMD(ARK) unloaded successfully
  12. Sample sent, still getting popups. I am also still unable to start Windows Firewall (unsure if this is related to other issues).
  13. ComboFix log:

ComboFix 10-04-12.04 - User 04/13/2010 0:34.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.314 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100412-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\documents and settings\All Users\Application Data\7JN6Jyf3W.dat
file zipped: c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
file zipped: c:\windows\Fonts\On6WEm.com
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\7JN6Jyf3W.dat
c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
c:\windows\Fonts\On6WEm.com
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.
2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator
2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 07:33 . 2005-08-19 03:11 -------- d-----w- c:\program files\QuickTime
2010-04-13 07:33 . 2009-01-22 03:44 -------- d-----w- c:\program files\iTunes
2010-04-12 08:13 . 2005-08-13 18:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner
2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast
2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 23:14 . 2010-03-28 23:13 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-05 180269]
"avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

c:\documents and settings\User\Start Menu\Programs\Startup\
Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 00:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x826DEAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf865af28
\Driver\ACPI -> ACPI.sys @ 0xf85adcb8
\Driver\atapi -> atapi.sys @ 0xf8565852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf8471bb0
PacketIndicateHandler -> NDIS.sys @ 0xf847ea21
SendHandler -> NDIS.sys @ 0xf845c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1268)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avast\aswUpdSv.exe
c:\program files\Avast\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\mscan\Msoffice\panel.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-13 01:07:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-13 08:07
ComboFix2.txt 2010-04-13 06:53
ComboFix3.txt 2010-04-12 07:41

Pre-Run: 12,701,638,656 bytes free
Post-Run: 12,670,218,240 bytes free

- - End Of File - - C1013AC9FC1045731FAB51DCA312454A

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:08 AM, on 4/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
C:\MSCAN\Msoffice\panel.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Avast\ashWebSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6990 bytes
  14. File has already been analysed:
MD5: 1cc9fd3ba73aaa6020eb1a23640a49c6
First received: 2010.04.12 22:36:48 UTC
Date: 2010.04.13 01:37:17 UTC [<1D]
Results: 5/40
Permalink: analisis/609e408839986a721d5039d1a8f5d35954c67bcea16bd171a1ed7f59038dd99a-1271122637
  15. ComboFix log:

ComboFix 10-04-12.04 - User 04/12/2010 23:24:01.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.224 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1368 [VPS 100412-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.
2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator
2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 05:30 . 2010-04-12 21:58 112 ----a-w- c:\documents and settings\All Users\Application Data\7JN6Jyf3W.dat
2010-04-13 05:30 . 2010-04-13 05:30 71170 ----a-w- c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
2010-04-13 05:30 . 2010-04-13 05:30 71170 ----a-w- c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
2010-04-13 05:16 . 2005-08-19 03:11 -------- d-----w- c:\program files\QuickTime
2010-04-12 21:55 . 2009-01-22 03:44 -------- d-----w- c:\program files\iTunes
2010-04-12 21:55 . 2010-04-12 21:55 41472 ----a-w- c:\windows\Fonts\On6WEm.com
2010-04-12 08:13 . 2005-08-13 18:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner
2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast
2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 23:14 . 2010-03-28 23:13 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
.
<pre>
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2010-04-12 41476]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-12 41476]
"avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-12 41476]

c:\documents and settings\User\Start Menu\Programs\Startup\
Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]
.
Contents of the 'Scheduled Tasks' folder 2010-04-12 c:\windows\Tasks\At1.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At10.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At11.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At12.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At13.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At14.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At15.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At16.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At17.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-13 c:\windows\Tasks\At18.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-13 c:\windows\Tasks\At19.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At2.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-13 c:\windows\Tasks\At20.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-13 c:\windows\Tasks\At21.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-13 c:\windows\Tasks\At22.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-13 c:\windows\Tasks\At23.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-13 c:\windows\Tasks\At24.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At3.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At4.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At5.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At6.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At7.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At8.job - c:\windows\Fonts\On6WEm.com 
[2010-04-12 21:55] 2010-04-12 c:\windows\Tasks\At9.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000 DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-12 23:39 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\windows\TEMP\flaB.tmp 11873910 bytes scan completed successfully hidden files: 1 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x826D8AC8]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf865af28 \Driver\ACPI -> ACPI.sys @ 0xf85adcb8 \Driver\atapi -> atapi.sys @ 0xf8565852 IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf8471bb0 PacketIndicateHandler -> NDIS.sys @ 0xf847ea21 SendHandler -> NDIS.sys @ 0xf845c87b user & kernel MBR OK 
************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(656) c:\windows\system32\WININET.dll - - - - - - - > 'lsass.exe'(716) c:\windows\system32\WININET.dll - - - - - - - > 'explorer.exe'(856) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2010-04-12 23:53:52 ComboFix-quarantined-files.txt 2010-04-13 06:53 ComboFix2.txt 2010-04-12 07:41 Pre-Run: 12,227,772,416 bytes free Post-Run: 12,685,619,200 bytes free - - End Of File - - F78102C23AD23CD2FA86BB53103C8E15