
lingering infection



I was only able to make the redirects start twice over about 15 minutes of trying with different browsers / search engines. When the redirects started they didn't stop until I closed the browser (once in each).

Redirects started in Chrome and Firefox. After they start showing up, every search result turns into an ad page when clicked on, until the browser is closed.


Delete your copy of ComboFix and download a new fresh one. Then:

Open Notepad and copy and paste the text in the code box below into it:

KillAll::

MBR::

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


ComboFix 10-08-11.02 - Devlish 08/11/2010 14:51:30.6.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1806 [GMT -4:00]

Running from: c:\documents and settings\Devlish\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Devlish\Desktop\CFScript.txt.txt

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))

.

2010-08-08 19:08 . 2010-07-07 01:58 53248 ----a-w- c:\windows\system32\aticalrt.dll

2010-08-08 19:08 . 2010-07-07 01:58 53248 ----a-w- c:\windows\system32\aticalcl.dll

2010-08-08 19:08 . 2010-07-07 01:57 4337664 ----a-w- c:\windows\system32\aticaldd.dll

2010-08-08 19:08 . 2010-07-07 01:53 15499264 ----a-w- c:\windows\system32\atioglxx.dll

2010-08-08 19:08 . 2010-07-07 01:29 143360 ----a-w- c:\windows\system32\atiapfxx.exe

2010-08-08 19:08 . 2010-07-07 01:24 184320 ----a-w- c:\windows\system32\atiadlxx.dll

2010-08-08 19:08 . 2010-07-07 01:15 65024 ----a-w- c:\windows\system32\atimpc32.dll

2010-08-08 19:08 . 2009-05-11 21:35 118784 ----a-w- c:\windows\system32\atibtmon.exe

2010-08-08 19:08 . 2010-08-08 19:09 -------- d-----w- c:\program files\ATI

2010-08-06 06:19 . 2010-08-06 06:19 503808 ----a-w- c:\documents and settings\Devlish\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5ee28c56-n\msvcp71.dll

2010-08-06 06:19 . 2010-08-06 06:19 499712 ----a-w- c:\documents and settings\Devlish\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5ee28c56-n\jmc.dll

2010-08-06 06:19 . 2010-08-06 06:19 348160 ----a-w- c:\documents and settings\Devlish\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5ee28c56-n\msvcr71.dll

2010-08-06 06:19 . 2010-08-06 06:19 61440 ----a-w- c:\documents and settings\Devlish\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1b9d670e-n\decora-sse.dll

2010-08-06 06:19 . 2010-08-06 06:19 12800 ----a-w- c:\documents and settings\Devlish\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1b9d670e-n\decora-d3d.dll

2010-07-29 20:43 . 2008-04-14 09:42 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-07-29 20:36 . 2008-04-14 09:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe

2010-07-29 20:35 . 2008-04-14 09:42 1384479 ----a-w- c:\windows\system32\msvbvm60.dll

2010-07-27 18:28 . 2010-07-27 18:28 388096 ----a-r- c:\documents and settings\Devlish\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-07-27 18:28 . 2010-07-27 18:28 -------- d-----w- c:\program files\Trend Micro

2010-07-27 12:21 . 2010-07-27 12:21 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-26 23:24 . 2010-07-27 00:41 -------- d-----w- c:\program files\World of Warcraft

2010-07-26 00:05 . 2010-07-26 00:05 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-26 00:05 . 2010-07-26 00:05 -------- d-----w- c:\program files\Java

2010-07-24 00:41 . 2010-07-24 00:41 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-07-24 00:37 . 2010-07-24 00:37 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe

2010-07-24 00:37 . 2010-07-24 00:37 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe

2010-07-24 00:37 . 2010-07-24 00:37 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe

2010-07-24 00:37 . 2010-07-24 00:37 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe

2010-07-24 00:37 . 2010-07-24 00:37 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe

2010-07-24 00:37 . 2010-07-24 00:37 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe

2010-07-24 00:37 . 2010-07-24 00:37 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe

2010-07-24 00:37 . 2010-07-24 00:37 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe

2010-07-24 00:37 . 2010-07-24 00:37 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe

2010-07-24 00:37 . 2010-07-24 00:37 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-07-24 00:37 . 2010-07-24 00:37 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe

2010-07-24 00:34 . 2010-07-24 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-07-23 23:18 . 2010-07-23 23:18 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll

2010-07-23 23:18 . 2010-07-23 23:18 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll

2010-07-23 23:18 . 2010-07-23 23:18 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll

2010-07-23 23:18 . 2010-07-23 23:18 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll

2010-07-23 23:18 . 2010-07-23 23:18 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll

2010-07-23 23:17 . 2010-07-23 23:17 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll

2010-07-23 23:17 . 2010-07-23 23:17 397328 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\oeas.dll

2010-07-23 23:17 . 2010-07-23 23:17 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys

2010-07-23 23:17 . 2010-07-23 23:17 19472 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\kloehk.dll

2010-07-23 23:02 . 2010-07-23 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2010-07-23 17:53 . 2010-07-23 17:53 54016 ----a-w- c:\windows\system32\drivers\xkix.sys

2010-07-22 22:43 . 2010-07-22 22:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-07-22 22:38 . 2010-07-22 22:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-07-22 22:38 . 2010-07-22 22:39 -------- d-----w- c:\program files\Google

2010-07-22 21:43 . 2010-07-22 21:43 -------- d-----w- c:\program files\FileASSASSIN

2010-07-22 20:49 . 2010-07-22 20:49 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

2010-07-22 20:45 . 2010-07-22 20:45 1025992 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe

2010-07-22 19:37 . 2010-08-03 15:58 13104 ----a-w- c:\documents and settings\Devlish\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-22 19:36 . 2010-07-22 19:36 -------- d-----w- c:\documents and settings\Devlish\Local Settings\Application Data\Sunbelt Software

2010-07-21 21:52 . 2010-07-21 21:52 503808 ----a-w- c:\documents and settings\Devlish\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f75f42e-n\msvcp71.dll

2010-07-21 21:52 . 2010-07-21 21:52 499712 ----a-w- c:\documents and settings\Devlish\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f75f42e-n\jmc.dll

2010-07-21 21:52 . 2010-07-21 21:52 348160 ----a-w- c:\documents and settings\Devlish\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f75f42e-n\msvcr71.dll

2010-07-21 21:52 . 2010-07-21 21:52 61440 ----a-w- c:\documents and settings\Devlish\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2d409bec-n\decora-sse.dll

2010-07-21 21:52 . 2010-07-21 21:52 12800 ----a-w- c:\documents and settings\Devlish\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2d409bec-n\decora-d3d.dll

2010-07-21 21:32 . 2010-07-28 19:37 -------- d-----w- c:\documents and settings\Devlish\Local Settings\Application Data\Temp

2010-07-21 21:32 . 2010-07-22 22:39 -------- d-----w- c:\documents and settings\Devlish\Local Settings\Application Data\Google

2010-07-21 19:51 . 2010-07-21 19:51 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2010-07-21 19:51 . 2010-07-21 19:51 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys

2010-07-21 19:50 . 2010-07-21 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-07-21 19:13 . 2010-07-21 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-07-21 19:13 . 2010-07-21 19:25 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-07-21 18:08 . 2010-07-23 18:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-07-21 14:56 . 2010-07-21 14:56 -------- d-s---w- c:\documents and settings\LocalService\UserData

2010-07-21 14:04 . 2008-04-14 04:06 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys

2010-07-21 00:29 . 2010-07-21 00:29 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-07-14 17:28 . 2010-07-14 17:28 -------- d-----w- c:\documents and settings\Devlish\Local Settings\Application Data\Fallout3

2010-07-14 17:23 . 2008-09-16 22:20 121064 ------r- c:\documents and settings\All Users\Application Data\Fallout3\setup.exe

2010-07-14 17:23 . 2010-07-14 17:23 -------- d-----w- c:\program files\Bethesda Softworks

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-11 13:28 . 2010-07-23 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2010-08-08 19:08 . 2008-02-05 13:43 -------- d-----w- c:\program files\ATI Technologies

2010-08-06 12:43 . 2009-08-04 20:57 -------- d-----w- c:\program files\Trillian

2010-07-29 19:59 . 2010-07-23 23:06 97549 ----a-w- c:\windows\system32\drivers\klick.dat

2010-07-29 19:59 . 2010-07-23 23:06 113933 ----a-w- c:\windows\system32\drivers\klin.dat

2010-07-27 18:43 . 2008-07-26 16:04 -------- d-----w- c:\program files\DivX

2010-07-27 00:41 . 2008-03-25 22:07 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2010-07-25 23:49 . 2008-04-01 18:36 -------- d-----w- c:\documents and settings\Devlish\Application Data\Orbit

2010-07-25 23:49 . 2008-02-07 01:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-07-25 23:47 . 2008-09-01 06:16 -------- d-----w- c:\program files\Common Files\Java

2010-07-24 05:25 . 2010-07-24 00:38 -------- d-----w- c:\documents and settings\Devlish\Application Data\DivX

2010-07-24 00:38 . 2010-07-24 00:38 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe

2010-07-24 00:38 . 2010-07-24 00:38 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe

2010-07-24 00:38 . 2010-07-24 00:38 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe

2010-07-24 00:38 . 2010-07-24 00:38 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe

2010-07-24 00:38 . 2010-07-24 00:38 84054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe

2010-07-24 00:38 . 2010-07-24 00:38 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe

2010-07-24 00:38 . 2010-07-24 00:38 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe

2010-07-24 00:38 . 2010-07-24 00:38 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe

2010-07-24 00:34 . 2010-07-24 00:38 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-07-24 00:34 . 2010-07-24 00:38 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-07-23 23:17 . 2010-07-23 23:17 133648 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll

2010-07-23 23:17 . 2010-07-23 23:17 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll

2010-07-23 23:17 . 2010-07-23 23:17 397328 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\oeas.dll

2010-07-23 23:17 . 2010-07-23 23:17 133720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll

2010-07-23 23:17 . 2010-07-23 23:17 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll

2010-07-23 23:17 . 2010-07-23 23:17 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll

2010-07-23 23:17 . 2010-07-23 23:17 17936 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\kloehk.dll

2010-07-23 23:17 . 2010-07-23 23:17 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys

2010-07-23 23:05 . 2010-07-23 23:05 -------- d-----w- c:\program files\Kaspersky Lab

2010-07-23 23:03 . 2009-11-21 21:06 -------- d-----w- c:\program files\Lavasoft

2010-07-23 23:03 . 2009-11-21 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-07-22 21:55 . 2010-03-23 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-07-22 18:59 . 2010-03-31 12:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-21 21:07 . 2010-02-09 22:08 -------- d-----w- c:\documents and settings\Devlish\Application Data\Qunuze

2010-07-20 19:29 . 2009-09-03 12:36 -------- d-----w- c:\documents and settings\Devlish\Application Data\Irocka

2010-07-16 11:35 . 2009-06-27 17:12 -------- d-----w- c:\documents and settings\Devlish\Application Data\Edtuag

2010-07-14 17:23 . 2010-04-22 11:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Fallout3

2010-07-14 17:23 . 2008-02-05 13:34 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-07 19:19 . 2010-07-07 11:49 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2010-07-07 11:49 . 2010-07-07 11:48 -------- d-----w- c:\documents and settings\Devlish\Application Data\Logitech

2010-07-07 11:49 . 2010-07-07 11:49 -------- d-----w- c:\documents and settings\Devlish\Application Data\Leadertech

2010-07-07 11:49 . 2010-07-07 11:49 53248 ----a-r- c:\documents and settings\Devlish\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe

2010-07-07 11:49 . 2010-07-07 11:48 -------- d-----w- c:\program files\Common Files\LogiShrd

2010-07-07 11:49 . 2010-07-07 11:49 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf

2010-07-07 11:48 . 2010-07-07 11:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd

2010-07-07 11:48 . 2008-05-28 14:47 -------- d-----w- c:\program files\Logitech

2010-07-07 11:48 . 2010-07-07 11:48 -------- d-----w- c:\documents and settings\Devlish\Application Data\Logishrd

2010-07-07 02:27 . 2007-06-15 01:58 5069312 ----a-w- c:\windows\system32\drivers\ati2mtag.sys

2010-07-07 01:50 . 2008-02-05 13:43 311296 ----a-w- c:\windows\system32\atiiiexx.dll

2010-07-07 01:48 . 2008-02-05 13:43 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll

2010-07-07 01:47 . 2007-06-15 01:59 299520 ----a-w- c:\windows\system32\ati2dvag.dll

2010-07-07 01:41 . 2007-06-15 01:41 3869952 ----a-w- c:\windows\system32\ati3duag.dll

2010-07-07 01:33 . 2007-06-15 01:52 208896 ----a-w- c:\windows\system32\atipdlxx.dll

2010-07-07 01:32 . 2007-03-23 20:23 155648 ----a-w- c:\windows\system32\Oemdspif.dll

2010-07-07 01:32 . 2007-06-15 01:51 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

2010-07-07 01:32 . 2007-06-15 01:51 43520 ----a-w- c:\windows\system32\ati2edxx.dll

2010-07-07 01:32 . 2007-06-15 01:51 159744 ----a-w- c:\windows\system32\ati2evxx.dll

2010-07-07 01:31 . 2007-06-15 01:50 602112 ----a-w- c:\windows\system32\ati2evxx.exe

2010-07-07 01:29 . 2007-06-15 01:49 53248 ----a-w- c:\windows\system32\ATIDDC.DLL

2010-07-07 01:28 . 2007-06-15 01:31 2273920 ----a-w- c:\windows\system32\ativvaxx.dll

2010-07-07 01:27 . 2008-02-05 13:43 887724 ----a-w- c:\windows\system32\ativva6x.dat

2010-07-07 01:27 . 2008-02-05 13:43 3 ----a-w- c:\windows\system32\ativva5x.dat

2010-07-07 01:25 . 2007-06-15 01:18 573440 ----a-w- c:\windows\system32\atikvmag.dll

2010-07-07 01:24 . 2007-06-15 01:14 393216 ----a-w- c:\windows\system32\atiok3x2.dll

2010-07-07 01:23 . 2007-06-15 01:17 17408 ----a-w- c:\windows\system32\atitvo32.dll

2010-07-07 01:19 . 2007-06-15 01:11 704512 ----a-w- c:\windows\system32\ati2cqag.dll

2010-07-07 01:15 . 2007-12-21 02:24 65024 ----a-w- c:\windows\system32\amdpcom32.dll

2010-07-07 01:15 . 2007-06-15 01:16 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll

2010-06-18 15:34 . 2010-06-18 15:34 -------- d-----w- c:\documents and settings\Devlish\Application Data\Moyea

2010-06-18 15:19 . 2010-06-18 15:19 766 ----a-r- c:\documents and settings\Devlish\Application Data\Microsoft\Installer\{7784A172-61F1-445E-8368-601607E0DD22}\_294823.exe

2010-06-18 15:19 . 2010-06-18 15:19 2238 ----a-r- c:\documents and settings\Devlish\Application Data\Microsoft\Installer\{7784A172-61F1-445E-8368-601607E0DD22}\_4ae13d6c.exe

2010-06-18 15:19 . 2010-06-18 15:19 1518 ----a-r- c:\documents and settings\Devlish\Application Data\Microsoft\Installer\{7784A172-61F1-445E-8368-601607E0DD22}\_69525f90.exe

2010-06-18 15:19 . 2010-06-18 15:19 1078 ----a-r- c:\documents and settings\Devlish\Application Data\Microsoft\Installer\{7784A172-61F1-445E-8368-601607E0DD22}\_2cd672ae.exe

2010-06-18 15:19 . 2010-06-18 15:19 1078 ----a-r- c:\documents and settings\Devlish\Application Data\Microsoft\Installer\{7784A172-61F1-445E-8368-601607E0DD22}\_18be6784.exe

2010-06-18 15:18 . 2010-06-18 15:18 -------- d-----w- c:\program files\MP3 Player Utilities 4.00

2010-06-15 17:50 . 2010-06-15 17:50 -------- d-----w- c:\program files\Multimedia Transcoding Tool

2010-06-15 17:49 . 2010-03-14 06:17 -------- d-----w- c:\documents and settings\Devlish\Application Data\Apple Computer

2010-06-15 17:47 . 2010-03-14 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-06-09 23:01 . 2010-07-24 00:38 126448 ------w- c:\windows\system32\pxinsi64.exe

2010-06-09 23:01 . 2010-07-24 00:38 123888 ------w- c:\windows\system32\pxcpyi64.exe

2010-06-09 23:01 . 2008-02-28 12:35 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2010-06-09 23:01 . 2008-02-28 12:35 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2010-06-09 23:01 . 2008-02-28 12:35 45648 ----a-w- c:\windows\system32\drivers\PxHelp20.sys

2010-06-09 23:01 . 2008-02-28 12:35 133616 ------w- c:\windows\system32\pxafs.dll

2010-06-08 18:29 . 2010-06-08 18:29 45828 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll

2010-05-23 21:50 . 2010-06-25 02:17 73216 ----a-w- c:\documents and settings\Devlish\Application Data\Mozilla\Firefox\Profiles\sh4zei83.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll

.

((((((((((((((((((((((((((((( SnapShot_2010-08-09_12.54.15 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-08-11 06:12 . 2010-08-11 11:12 2452 c:\windows\SoftwareDistribution\EventCache\{DAEFADDE-70D0-484C-932A-1364EDDA36F1}.bin

+ 2010-08-10 00:11 . 2010-08-10 05:11 2452 c:\windows\SoftwareDistribution\EventCache\{68FA3993-BC10-4154-B94E-7EA43F0DEDED}.bin

+ 2010-08-10 10:11 . 2010-08-10 20:11 2452 c:\windows\SoftwareDistribution\EventCache\{624CDC06-7D9D-47D3-928A-0839CEAFCD40}.bin

+ 2010-08-09 14:11 . 2010-08-09 19:11 2452 c:\windows\SoftwareDistribution\EventCache\{4ADFAE11-2DBB-4B86-913E-7F30B88AE6F6}.bin

+ 2010-08-10 20:11 . 2010-08-11 01:12 2452 c:\windows\SoftwareDistribution\EventCache\{12DFAE96-73D1-48E1-B3A8-FF625AEEA7A6}.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]

2001-12-21 04:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Devlish^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Devlish\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EvtMgr6]

2010-05-18 20:41 1311312 ----a-w- c:\program files\Logitech\SetPointP\SetPoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-07-21 21:32 136176 ----atw- c:\documents and settings\Devlish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVR Agent]

2005-04-13 15:46 751104 ----a-w- c:\program files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]

2002-02-05 03:32 53248 ----a-w- c:\program files\REGSHAVE\Regshave.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2007-09-19 10:14 16844800 ------r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2006-11-10 17:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\V0330Mon.exe]

2007-04-30 06:03 32768 ----a-w- c:\windows\V0330Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]

2005-02-17 04:03 106496 ----a-w- c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]

2004-03-18 13:33 892928 ----a-w- c:\program files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wuauserv"=2 (0x2)

"wscsvc"=2 (0x2)

"RemoteRegistry"=2 (0x2)

"RDSessMgr"=3 (0x3)

"RasMan"=3 (0x3)

"RasAuto"=3 (0x3)

"helpsvc"=2 (0x2)

"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\wow-0.2.0.10083-to-0.2.0.10116-enUS-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.2.0.10116-to-0.2.0.10128-enUS-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.2.0.10128-to-0.2.0.10147-enUS-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.2.0.10147-to-0.2.0.10170-enUS-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.2.0.10170-to-0.2.0.10179-enUS-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.2.2.10257-enUS-ptr-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.2.2.10357-to-0.2.2.10371-enUS-ptr-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.2.2.10371-to-0.2.2.10392-enUS-ptr-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.2.2.10392-to-0.2.2.10433-enUS-ptr-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.2.2.10433-to-0.2.2.10468-enUS-ptr-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.3.0.10522-enUS-ptr-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.3.0.10522-to-0.3.0.10554-enUS-ptr-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.3.0.10554-to-0.3.0.10571-enUS-ptr-downloader.exe"=

"c:\\WOW PTR\\World of Warcraft Public Test\\WoW-0.3.0.10571-to-0.3.0.10596-enUS-ptr-downloader.exe"=

"c:\\Program Files\\Electronic Arts\\Armies of Exigo\\Exigo.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 CX88XBAR;KWorld PVR 883 Crossbar;c:\windows\system32\drivers\cx88xbar.sys [7/1/2008 9:42 AM 8960]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/22/2010 6:38 PM 136176]

S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [7/7/2010 7:49 AM 10448]

S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [7/21/2010 3:51 PM 30104]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [7/21/2010 3:51 PM 30104]

S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]

S3 V0330VID;WebCam Vista/Live! Cam Chat;c:\windows\system32\drivers\V0330Vid.sys [2/22/2009 6:35 AM 157696]

S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [6/21/2008 9:13 AM 158720]

S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [6/21/2008 9:13 AM 5248]

.

Contents of the 'Scheduled Tasks' folder

2010-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 22:38]

2010-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 22:38]

2010-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-823518204-682003330-1003Core.job

- c:\documents and settings\Devlish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-21 21:32]

2010-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-823518204-682003330-1003UA.job

- c:\documents and settings\Devlish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-21 21:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.orbitdownloader.com

uInternet Settings,ProxyServer = http=127.0.0.1:5643

uInternet Settings,ProxyOverride = <local>

IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html

IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html

FF - ProfilePath - c:\documents and settings\Devlish\Application Data\Mozilla\Firefox\Profiles\sh4zei83.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://thottbot.com/

FF - component: c:\documents and settings\Devlish\Application Data\Mozilla\Firefox\Profiles\sh4zei83.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll

FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

FF - plugin: c:\documents and settings\Devlish\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-11 14:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys >>UNKNOWN [0x8AACDA17]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28

\Driver\ACPI -> ACPI.sys @ 0xf75aecb8

\Driver\atapi -> atapi.sys @ 0xf74a0852

IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7439bb0

PacketIndicateHandler -> NDIS.sys @ 0xf7446a21

SendHandler -> NDIS.sys @ 0xf742487b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2000478354-823518204-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-2000478354-823518204-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4%0*`%]

@Class="Shell"

[HKEY_USERS\S-1-5-21-2000478354-823518204-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4%0*`%\OpenWithList]

@Class="Shell"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\AlienGUIse\fastload.dll

.

Completion time: 2010-08-11 14:59:41

ComboFix-quarantined-files.txt 2010-08-11 18:59

ComboFix2.txt 2010-08-06 13:15

Pre-Run: 225,798,160,384 bytes free

Post-Run: 225,782,312,960 bytes free

- - End Of File - - 6245933C40B261B25061ADA5A5353D6C


MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x000000fc

Kernel Drivers (total 135):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E4000 \WINDOWS\system32\hal.dll

0xBA5A8000 \WINDOWS\system32\KDCOM.DLL

0xBA4B8000 \WINDOWS\system32\BOOTVID.dll

0xB9F79000 ACPI.sys

0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xB9F68000 pci.sys

0xBA0A8000 isapnp.sys

0xBA670000 pciide.sys

0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xBA0B8000 MountMgr.sys

0xB9F49000 ftdisk.sys

0xBA5AC000 dmload.sys

0xB9F23000 dmio.sys

0xBA330000 PartMgr.sys

0xBA0C8000 VolSnap.sys

0xB9F0B000 atapi.sys

0xBA0D8000 disk.sys

0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xB9EEB000 fltmgr.sys

0xB9ED9000 sr.sys

0xBA0F8000 PxHelp20.sys

0xB9EC2000 KSecDD.sys

0xB9E35000 Ntfs.sys

0xB9E08000 NDIS.sys

0xB9DEE000 Mup.sys

0xBA108000 klbg.sys

0xBA198000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xB91CB000 \SystemRoot\system32\DRIVERS\ati2mtag.sys

0xB91B7000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xB918F000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0xBA430000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0xB916B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xBA438000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xB99B8000 \SystemRoot\system32\DRIVERS\imapi.sys

0xB9DB6000 \SystemRoot\system32\drivers\pfc.sys

0xB99A8000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xB9998000 \SystemRoot\system32\DRIVERS\redbook.sys

0xB9148000 \SystemRoot\system32\DRIVERS\ks.sys

0xB912F000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys

0xB9101000 \SystemRoot\system32\drivers\cx88vid.sys

0xB9988000 \SystemRoot\system32\drivers\STREAM.SYS

0xB9978000 \SystemRoot\system32\DRIVERS\serial.sys

0xB9DAA000 \SystemRoot\system32\DRIVERS\serenum.sys

0xB90ED000 \SystemRoot\system32\DRIVERS\parport.sys

0xB9968000 \SystemRoot\system32\DRIVERS\klim5.sys

0xBA7FF000 \SystemRoot\system32\DRIVERS\audstub.sys

0xB9958000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xBA548000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xB90D6000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xB9948000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xB9938000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xBA480000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xB90C5000 \SystemRoot\system32\DRIVERS\psched.sys

0xBA1A8000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xBA490000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xBA4A0000 \SystemRoot\system32\DRIVERS\raspti.sys

0xB9095000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xBA1B8000 \SystemRoot\system32\DRIVERS\termdd.sys

0xBA4B0000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xBA340000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xBA1C8000 \SystemRoot\system32\DRIVERS\VClone.sys

0xB907D000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS

0xBA610000 \SystemRoot\system32\DRIVERS\swenum.sys

0xB901F000 \SystemRoot\system32\DRIVERS\update.sys

0xB9707000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xBA1D8000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xACF93000 \SystemRoot\system32\drivers\AtiHdAud.sys

0xACF6F000 \SystemRoot\system32\drivers\portcls.sys

0xBA208000 \SystemRoot\system32\drivers\drmk.sys

0xBA228000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xBA61E000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xACAE3000 \SystemRoot\system32\drivers\RtkHDAud.sys

0xB8FF3000 \SystemRoot\system32\drivers\CX88XBAR.sys

0xABA42000 \SystemRoot\system32\DRIVERS\klif.sys

0xBA63E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xBA72A000 \SystemRoot\System32\Drivers\Null.SYS

0xBA642000 \SystemRoot\System32\Drivers\Beep.SYS

0xBA3D0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xBA3D8000 \SystemRoot\System32\drivers\vga.sys

0xBA646000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xBA64A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xBA3E8000 \SystemRoot\System32\Drivers\Msfs.SYS

0xBA3F8000 \SystemRoot\System32\Drivers\Npfs.SYS

0xACADF000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xAB4DA000 \??\C:\WINDOWS\system32\drivers\kl1.sys

0xAB4C7000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xACAB3000 \SystemRoot\system32\DRIVERS\hidusb.sys

0xBA268000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0xAB446000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xAB41E000 \SystemRoot\system32\DRIVERS\netbt.sys

0xAB3F8000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xBA278000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xAB3D6000 \SystemRoot\System32\drivers\afd.sys

0xBA288000 \SystemRoot\system32\DRIVERS\netbios.sys

0xAB3AB000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xBA770000 \SystemRoot\System32\Drivers\PQNTDrv.SYS

0xAB33B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xBA298000 \SystemRoot\System32\Drivers\Fips.SYS

0xBA440000 \SystemRoot\System32\Drivers\ElbyCDIO.sys

0xACA93000 \SystemRoot\System32\Drivers\ASPI32.SYS

0xBA458000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0xABA36000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0xBA470000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys

0xBA2D8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS

0xAB202000 \SystemRoot\System32\Drivers\wdf01000.sys

0xABA2E000 \SystemRoot\system32\DRIVERS\mouhid.sys

0xBA488000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys

0xBA2E8000 \SystemRoot\system32\DRIVERS\klmouflt.sys

0xBA2F8000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xAB1EA000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xBA660000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xBA5A0000 \SystemRoot\System32\drivers\Dxapi.sys

0xBA3A0000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xBA685000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF012000 \SystemRoot\System32\ati2dvag.dll

0xBF060000 \SystemRoot\System32\ati2cqag.dll

0xBF10C000 \SystemRoot\System32\atikvmag.dll

0xBF1A9000 \SystemRoot\System32\atiok3x2.dll

0xBF20E000 \SystemRoot\System32\ati3duag.dll

0xBF5BF000 \SystemRoot\System32\ativvaxx.dll

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0xA8695000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xA8364000 \SystemRoot\system32\drivers\wdmaud.sys

0xBA218000 \SystemRoot\system32\drivers\sysaudio.sys

0xA8159000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xBA63C000 \SystemRoot\System32\Drivers\ParVdm.SYS

0xBA6C3000 \SystemRoot\System32\Drivers\LBeepKE.sys

0xA825E000 \SystemRoot\system32\DRIVERS\secdrv.sys

0xA7F77000 \SystemRoot\system32\DRIVERS\srv.sys

0xA7B4E000 \SystemRoot\System32\Drivers\HTTP.sys

0xBA428000 \??\C:\DOCUME~1\Devlish\LOCALS~1\Temp\mbr.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 28):

0 System Idle Process

4 System

1044 C:\WINDOWS\system32\smss.exe

1092 csrss.exe

1124 C:\WINDOWS\system32\winlogon.exe

1172 C:\WINDOWS\system32\services.exe

1188 C:\WINDOWS\system32\lsass.exe

1360 C:\WINDOWS\system32\ati2evxx.exe

1396 C:\WINDOWS\system32\svchost.exe

1496 svchost.exe

1624 C:\WINDOWS\system32\svchost.exe

1724 svchost.exe

1880 svchost.exe

2012 C:\WINDOWS\system32\ati2evxx.exe

188 C:\WINDOWS\system32\spoolsv.exe

536 C:\Program Files\AlienGUIse\wbload.exe

808 C:\WINDOWS\explorer.exe

996 C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

1004 C:\Program Files\Common Files\Java\Java Update\jusched.exe

1012 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe

1032 C:\WINDOWS\RTHDCPL.exe

1420 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe

1564 C:\Program Files\Java\jre6\bin\jqs.exe

1828 wdfmgr.exe

2252 C:\WINDOWS\system32\wuauclt.exe

3128 alg.exe

3764 C:\WINDOWS\system32\svchost.exe

1428 C:\Documents and Settings\Devlish\Desktop\MBRCheck (1).exe

\\.\C: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)

\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

\\.\H: --> \\.\PhysicalDrive2 at offset 0x00000000`007e0000 (NTFS)

PhysicalDrive3 Model Number: SAMSUNGHD501LJ, Rev: CR100-12

PhysicalDrive0 Model Number: Maxtor6Y160P0, Rev: YAR41BW0

PhysicalDrive1 Model Number: Maxtor6L200M0, Rev: BANC1G10

PhysicalDrive2 Model Number: Maxtor7B250S0, Rev: BANC1E00

Size Device Name MBR Status

--------------------------------------------

465 GB \\.\PhysicalDrive3 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

152 GB \\.\PhysicalDrive0 Unknown MBR code

SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F

189 GB \\.\PhysicalDrive1 Legit MBR code detected

SHA1: 317A49A9E93F077F2D004734D2A7B6CA7E7B9495

233 GB \\.\PhysicalDrive2 Legit MBR code detected

SHA1: 317A49A9E93F077F2D004734D2A7B6CA7E7B9495

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!


Nice job! :)

Last steps:

Step 1

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2

To enable CD Emulation programs using DeFogger, please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 3

Please manually delete Defogger, DDS, GMER, ResetTeaTimer, JavaRa, TDSSKiller, mbr and MBRCheck.

Step 4

Please download and install the latest version of Java from:

www.java.com/en

Step 5

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)
