Feb 2
Virus Redirecting can't update antivirus/download
So I seem to have a similar problem to many people on here. I try to search for something on Google or Yahoo and it redirects me to a page saying "did you mean this?" and it especially happens if I search for anything anti-virus related. Unfortunately for me I can't download ANY anti-virus programs or even run the ones I have on my computer. I have tried to download ComboFix and rename it and run it but it doesn't work. I did get Kaspersky Online to scan my computer and it came up with 6 infected objects…
C:\as3_ins\im_web_client\iss2.tar.gz - Trojan-downloader.win32.banload.xmu
C:\as3_ins\im_web_client\iss2.tar.gz - Trojan-downloader.win32.banload.xen
C:\as3_ins\im_web_client\iss2.tar.gz - Trojan-downloader.win32.banload.xmy
C:\as3_ins\im_web_client\iss2.tar.gz - Trojan-downloader.win32.banload.xmt
C:\as3_ins\im_web_client\webplr05.tar.gz - Trojan-downloader.win32.banload.xen
C:\as3_ins\im_web_client\webplr05.tar.gz - Trojan-downloader.win32.banload.xmy
I am on my laptop and not on my other computer so I had to just copy this by reading it. =P
If anyone can help that would be much appreciated!
Thanks!
Ian
Welcome to linabbs, Ian.
If you have a flash drive, download ComboFix by sUBs from here, saving it to the flash drive with a different name, kitty.exe or something.
Transfer it to the desktop of the affected computer, then run it as described below.
Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.
Close all open programs and windows.
Double click ComboFix.exe and follow the prompts.
It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
If that fails, download RootRepeal to the Desktop (it shouldn't be blocked on the affected machine). Extract the compressed file to its own folder.
Open the folder and doubleclick on RootRepeal.exe to run it.
Click on the Report tab, and then click on: Scan
A window opens asking what to include in the scan.
Check the following boxes then click OK:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
You will then be asked which drive to scan.
Check C: (or the drive your operating system is installed on, if not C)
Click OK once again.
The tool will begin scanning and may take a while to complete, so please be patient.
When the scan finishes, click on: Save Report
Name the log RootRepeal.txt and save it to your Documents folder (it should default there).
Post the contents of the report in a reply here.
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/01/19 14:19
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: 00000039
Image Path: \Driver\00000039
Address: 0x00000000 Size: 0 File Visible: No
Status: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB3FEB000 Size: 98304 File Visible: No
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE42000 Size: 8192 File Visible: No
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB02A9000 Size: 45056 File Visible: No
Status: -
Name: TDSSpaxt.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSpaxt.sys
Address: 0xB422B000 Size: 73728 File Visible: -
Status: Hidden from Windows API!
Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Ian\ntuser.dat.LOG
Status: Size mismatch (API: 1331200, Raw: 1097728)
Path: C:\RECYCLER\S-1-5-21-484763869-573735546-725345543-1005\mbam-setup.exe
Status: Locked to the Windows API!
Path: C:\RECYCLER\S-1-5-21-484763869-573735546-725345543-1005\Kitty.exe.exe
Status: Locked to the Windows API!
Path: C:\RECYCLER\S-1-5-21-484763869-573735546-725345543-1005\Dc4.lnk:Zone.Identifier
Status: Invisible to the Windows API!
Path: C:\RECYCLER\S-1-5-21-484763869-573735546-725345543-1005\Dc4.lnk:Zone.Identifier
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\TDSScfum.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\TDSSfxmp.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\TDSSnrsr.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\TDSSofxh.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\TDSSosvd.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\TDSSriqp.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\TDSStkdv.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\TDSSpaxt.sys
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\Ian\Local Settings\Temp\TDSSac25.tmp
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\Ian\Local Settings\Temp\TDSSac35.tmp
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\Ian\Local Settings\Temp\jusched.log
Status: Size mismatch (API: 4648, Raw: 4404)
Path: C:\Documents and Settings\Ian\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!
Path: C:\Documents and Settings\Ian\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!
Path: C:\Documents and Settings\Jaimee\Local Settings\History\History.IE5\index.dat
Status: Allocation size mismatch (API: 24576, Raw: 20480)
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sptd.sys" at address 0xba6dbc04
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xba6dbd48
#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xba6dc0c0
#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xba6dbae2
#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xba6dc18a
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xba6dc022
#: 247 Function Name: NtSetValueKey
Status: Hooked by "sptd.sys" at address 0xba6dc212
Stealth Objects
-------------------
Object: Hidden Module [Name: TDSScfum.dll]
Process: winlogon.exe (PID: 712) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: services.exe (PID: 764) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: lsass.exe (PID: 776) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSSofxh.dll]
Process: svchost.exe (PID: 944) Address: 0x00990000 Size: 81920
Object: Hidden Module [Name: TDSScfum.dll]
Process: svchost.exe (PID: 944) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: svchost.exe (PID: 1152) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: spoolsv.exe (PID: 1532) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: Explorer.EXE (PID: 1828) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: iTunesHelper.exe (PID: 248) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: jusched.exe (PID: 256) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: RUNDLL32.EXE (PID: 304) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: ctfmon.exe (PID: 332) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: WMPNSCFG.exe (PID: 360) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: LightScribeControlPanel.exe (PID: 368) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: RocketDock.exe (PID: 384) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: AppleMobileDeviceService.exe (PID: 648) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: svchost.exe (PID: 1956) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: jqs.exe (PID: 1340) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: runservice.exe (PID: 1996) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: LSSrvc.exe (PID: 220) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: NBService.exe (PID: 400) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: nTuneService.exe (PID: 520) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: nvsvc32.exe (PID: 576) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: IoctlSvc.exe (PID: 2024) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: HPZipm12.exe (PID: 1696) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: PnkBstrA.exe (PID: 848) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: PnkBstrB.exe (PID: 1120) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: svchost.exe (PID: 1368) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: iPodService.exe (PID: 2524) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: wscntfy.exe (PID: 3000) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: RootRepeal.exe (PID: 3580) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: GoogleUpdate.exe (PID: 3824) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: dwwin.exe (PID: 3844) Address: 0x10000000 Size: 126976
Object: Hidden Code [ETHREAD: 0x89a4a020]
Process: System Address: 0xb422dd66 Size: -
Hidden Services
-------------------
Service Name: TDSSserv.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSpaxt.sys
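A RootRepeal report this long is easier to triage with a script than by eye. The Python below is an added example, not RootRepeal's or the forum's code: it parses the report's sections into records and flags the indicators a helper acts on (a driver hidden from the Windows API, a hidden service whose image path is that driver, a module hidden in every process, files invisible to the API or with an API/raw size mismatch), plus one cross-check the format allows, whether a "Hidden Code" address falls inside the image range of a hidden driver. SAMPLE_REPORT is a constructed excerpt in the same format; the section titles and keys are the ones the posted report uses.

```python
"""Triage a RootRepeal report: parse its sections into records and flag the
traces a kernel rootkit such as TDSS leaves behind (added example)."""
import re

# Constructed excerpt in the RootRepeal report format (not the full posted log).
SAMPLE_REPORT = r"""Drivers
-------------------
Name: TDSSpaxt.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSpaxt.sys
Address: 0xB422B000 Size: 73728 File Visible: -
Status: Hidden from Windows API!
Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Ian\ntuser.dat.LOG
Status: Size mismatch (API: 1331200, Raw: 1097728)
Path: C:\RECYCLER\S-1-5-21-484763869-573735546-725345543-1005\mbam-setup.exe
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\TDSScfum.dll
Status: Invisible to the Windows API!
Stealth Objects
-------------------
Object: Hidden Module [Name: TDSScfum.dll]
Process: winlogon.exe (PID: 712) Address: 0x10000000 Size: 126976
Object: Hidden Module [Name: TDSScfum.dll]
Process: services.exe (PID: 764) Address: 0x10000000 Size: 126976
Object: Hidden Code [ETHREAD: 0x89a4a020]
Process: System Address: 0xb422dd66 Size: -
Hidden Services
-------------------
Service Name: TDSSserv.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSpaxt.sys
"""

KEYS = ("Name", "Image Path", "Address", "Size", "File Visible", "Status",
        "Path", "#", "Function Name", "Object", "Process", "Service Name")
KEY_RE = re.compile(r"(?:^|(?<=\s))(" + "|".join(map(re.escape, KEYS)) + r"): ")
SEPARATOR = re.compile(r"^-{5,}$")

def parse_line(line):
    """Split one line into key/value pairs; several keys may share a line."""
    hits = list(KEY_RE.finditer(line))
    ends = [m.start() for m in hits[1:]] + [len(line)]
    return {m.group(1): line[m.end():end].strip() for m, end in zip(hits, ends)}

def parse_report(text):
    """{section: [record, ...]}; a title over a dashed rule opens a section,
    and a record restarts whenever the section's first key appears again."""
    sections, section, first_key = {}, None, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and SEPARATOR.match(lines[i + 1].strip()):
            section, first_key = sections.setdefault(line.strip(), []), None
            continue
        pairs = parse_line(line)
        if section is None or not pairs:
            continue
        first_key = first_key or next(iter(pairs))
        if first_key in pairs:
            section.append({})
        section[-1].update(pairs)
    return sections

def analyse(report):
    """Return (indicator, subject) findings, cross-referencing the sections."""
    sec = parse_report(report)
    findings, hidden_drivers, modules = [], {}, {}
    for rec in sec.get("Drivers", []):
        if "Hidden" in rec.get("Status", ""):
            lo = int(rec["Address"], 16)
            hidden_drivers[rec["Image Path"].lower()] = (lo, lo + int(rec["Size"]))
            findings.append(("driver hidden from Windows API", rec["Image Path"]))
    for rec in sec.get("Hidden/Locked Files", []):
        status = rec.get("Status", "")
        # "Locked" alone is not flagged: the file may simply be open elsewhere.
        if status.startswith("Invisible"):
            findings.append(("file invisible to Windows API", rec["Path"]))
        elif status.startswith("Size mismatch"):
            findings.append(("API/raw size mismatch", rec["Path"]))
    for rec in sec.get("Stealth Objects", []):
        obj = rec.get("Object", "")
        m = re.match(r"Hidden Module \[Name: (.+)\]", obj)
        if m:
            modules.setdefault(m.group(1), set()).add(rec["Process"])
        elif obj.startswith("Hidden Code") and rec.get("Address", "-") != "-":
            addr = int(rec["Address"], 16)  # does the code sit inside a hidden driver?
            for path, (lo, hi) in hidden_drivers.items():
                if lo <= addr < hi:
                    findings.append(("hidden code inside hidden driver image", f"{obj} -> {path}"))
    for name, procs in sorted(modules.items()):
        findings.append((f"hidden module injected into {len(procs)} processes", name))
    for rec in sec.get("Hidden Services", []):
        path = rec.get("Image Path", "")
        kind = "hidden service backed by hidden driver" if path.lower() in hidden_drivers else "hidden service"
        findings.append((kind, f"{rec['Service Name']} -> {path}"))
    return findings

if __name__ == "__main__":
    for indicator, subject in analyse(SAMPLE_REPORT):
        print(f"[{indicator}] {subject}")
```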
Open RootRepeal again and select the Drivers tab, then click Scan.
Locate and select the following driver in the list.
C:\WINDOWS\system32\drivers\TDSSpaxt.sys
Right click the entry and select in the following order:
Dump File
Force Delete
Restart the computer and run another Driver scan with RootRepeal.
If the file is still present, right click and select in the following order:
Dump File
Wipe File
Reboot once more and rescan.
When the file no longer appears in a Driver scan, try running ComboFix again as described above.
ComboFix 09-01-19.05 - Ian 2009-01-20 0:56:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1562 [GMT -8:00]
Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\smdat32m.sys
c:\windows\system32\Drivers\TDSSpaxt.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSStkdv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.
2009-01-19 12:37 . 2009-01-19 12:37 <DIR> d——– c:\documents and settings\Jaimee\Application Data\Nero
2009-01-14 16:39 . 2009-01-14 16:39 <DIR> d——– c:\documents and settings\Anna\Application Data\Nero
2009-01-14 15:32 . 2009-01-14 15:32 <DIR> d——– c:\documents and settings\Administrator\Application Data\Lavasoft
2009-01-14 15:31 . 2009-01-14 15:31 <DIR> d——– c:\documents and settings\Administrator
2009-01-14 14:07 . 2009-01-14 14:34 <DIR> d——– c:\program files\EMCO Malware Destroyer
2009-01-14 13:53 . 2009-01-14 13:53 <DIR> d——– c:\documents and settings\All Users\Application Data\Avg7
2009-01-13 23:18 . 2009-01-13 23:18 <DIR> d——– c:\documents and settings\All Users\Application Data\LightScribe
2009-01-13 20:17 . 2009-01-20 00:47 2,204 –a—— c:\windows\system32\TDSSfxmp.dll
2009-01-13 18:16 . 2009-01-13 18:16 <DIR> d——– c:\program files\Common Files\LightScribe
2009-01-13 18:15 . 2009-01-13 18:15 <DIR> d——– c:\program files\NeroInstall.bak
2009-01-13 18:14 . 2009-01-13 18:14 <DIR> d——– c:\documents and settings\Ian\Application Data\Nero
2009-01-13 18:12 . 2009-01-13 18:14 <DIR> d——– c:\program files\Common Files\Nero
2009-01-13 18:12 . 2009-01-13 18:12 <DIR> d——– c:\documents and settings\All Users\Application Data\Nero
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 08:56 ——— d—–w c:\program files\Google
2009-01-16 21:58 ——— d—–w c:\program files\Bethesda Softworks
2009-01-15 20:46 ——— d–h–w c:\program files\InstallShield Installation Information
2009-01-14 22:35 ——— d—–w c:\program files\Spybot - Search & Destroy
2009-01-14 22:35 ——— d—–w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-14 21:46 ——— d—–w c:\program files\Steam
2009-01-14 02:12 ——— d—–w c:\program files\Nero
2009-01-13 22:20 ——— d—–w c:\program files\Common Files\Ahead
2009-01-04 21:51 ——— d—–w c:\documents and settings\Ian\Application Data\Image Zone Express
2008-12-22 21:08 ——— d—–w c:\documents and settings\Ian\Application Data\LimeWire
2008-12-18 20:09 ——— d—–w c:\program files\AIM6
2008-12-18 20:06 ——— d—–w c:\documents and settings\All Users\Application Data\acccore
2008-12-18 20:05 ——— d—–w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-17 23:31 61,160 —-a-w c:\documents and settings\Ian\Application Data\GDIPFONTCACHEV1.DAT
2008-12-11 10:57 333,952 —-a-w c:\windows\system32\drivers\srv.sys
2008-12-10 21:25 ——— d—–w c:\program files\Java
2008-12-10 02:11 ——— d—–w c:\documents and settings\All Users\Application Data\2DBoy
2007-11-18 09:25 22,328 -c–a-w c:\documents and settings\Ian\Application Data\PnkBstrK.sys
2006-04-01 23:17 1 -c–a-w c:\documents and settings\Ian\SI.bin
2008-08-30 02:42 32,768 –sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-10 136600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-03-25 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-10 2221352]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
c:\documents and settings\Ian\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.VP40"= vp4vfw.dll
"vidc.VP50"= vp5vfw.dll
"msacm.divxa32"= msaud32_divx.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Ian^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Ian\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
–a—— 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
–a–c— 2005-12-10 06:57 133016 c:\program files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
–a–c— 2006-07-14 12:36 107008 c:\program files\eFax Messenger 4.2\J2GDllCmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.3]
–a—— 2007-03-06 09:21 116224 c:\program files\eFax Messenger 4.3\J2GDllCmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
–a–c— 2005-05-11 23:12 49152 c:\program files\Hp\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
–a—— 2007-03-05 13:57 1103480 c:\program files\Download Manager\DLM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
–a—— 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
——— 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
–a—— 2008-10-07 12:33 13574144 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
–a—— 2007-09-04 19:25 81920 c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
–a—— 2008-10-07 12:33 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
–a—— 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
–a—— 2008-10-13 22:15 1410296 c:\program files\Steam\steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
–a–c— 2005-11-10 13:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
–a—— 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
——— 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
–a–c— 2005-12-08 11:06 16384 c:\windows\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
–a—— 2008-10-07 12:33 1630208 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
–a—— 2005-05-03 18:38 64512 c:\windows\system32\P17.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\EMCO Malware Destroyer\\MalwareDestroyer.exe"=
"c:\\Program Files\\Steam\\SteamApps\\punkrockerseattle\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\punkrockerseattle\\counter-strike source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\SteamApps\\punkrockerseattle\\half-life 2\\hl2.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\Steam\\SteamApps\\punkrockerseattle\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\academic\\iss2\\iss.exe"=
"c:\\Program Files\\Steam\\SteamApps\\punkrockerseattle\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21525:TCP"= 21525:TCP:BitComet 21525 TCP
"21525:UDP"= 21525:UDP:BitComet 21525 UDP
R4 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [2007-02-22 30864]
R4 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2007-09-14 8440]
R4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2007-06-02 2560]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-24 24652]
S3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2004-07-30 56576]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the ‘Scheduled Tasks’ folder
2009-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -
Notify-AtiExtEvent - (no file)
MSConfigStartUp-AGEIA PhysX SysTray - c:\program files\AGEIA Technologies\TrayIcon.exe
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\cli.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe
MSConfigStartUp-CaAvTray - c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
MSConfigStartUp-CaISSDT - c:\program files\CA\eTrust Internet Security Suite\caissdt.exe
MSConfigStartUp-CAVRID - c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EA Link\Core.exe
MSConfigStartUp-NeroCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-PlaxoUpdate - c:\program files\Plaxo\2.12.1.1\PlaxoHelper.exe
MSConfigStartUp-SemanticInsight - c:\program files\RXToolBar\Semantic Insight\SemanticInsight.exe
.
——- Supplementary Scan ——-
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ian\Application Data\Mozilla\Firefox\Profiles\sic4mdaa.default\
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 01:00:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
——————— LOCKED REGISTRY KEYS ———————
[HKEY_USERS\S-1-5-21-484763869-573735546-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\B3E62936FE1487AF4E0CC9BD2A26433C]
.
———————— Other Running Processes ————————
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-20 1:04:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-20 09:03:58
Pre-Run: 39,760,158,720 bytes free
Post-Run: 39,917,273,088 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
309 — E O F — 2009-01-14 21:27:48