> [Resolved] Can't remove Packed.Monder
railbob
post Sep 22 2009, 06:41 PM
Post #16


New Member

Group: Authentic Member
Posts: 16
Joined: 17-September 09
Member No.: 87,958
Operating System: Windows XP



Yes indeed. I'll run it again now.
railbob
post Sep 22 2009, 07:44 PM
Post #17


New Member

Group: Authentic Member
Posts: 16
Joined: 17-September 09
Member No.: 87,958
Operating System: Windows XP



Here is the new log. I renamed the file when saving, by the way; let me know if that was the wrong thing to do.

ComboFix 09-09-22.02 - Robert 09/22/2009 19:51.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1357 [GMT -5:00]
Running from: c:\documents and settings\Robert\Desktop\combo-fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.

2009-09-20 18:21 . 2009-09-20 18:30 -------- d-----w- C:\UBCD4Win
2009-09-18 14:49 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-18 14:49 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-17 14:09 . 2009-09-17 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-17 13:58 . 2009-09-17 13:58 -------- d-----w- c:\program files\Trend Micro
2009-09-17 01:54 . 2009-09-17 01:54 4 ----a-w- C:\KLSA.DAT
2009-09-17 01:28 . 2009-09-17 19:49 -------- d-----w- c:\program files\SpywareDetector
2009-09-17 01:27 . 2009-09-17 01:28 -------- d-----w- C:\SDFix
2009-09-17 00:07 . 2009-09-17 00:16 -------- d-----w- C:\$AVG8.VAULT$
2009-09-17 00:05 . 2009-09-17 00:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-17 00:05 . 2009-09-17 00:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-17 00:05 . 2009-09-17 00:05 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-17 00:05 . 2009-09-17 00:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-17 00:04 . 2009-09-22 09:55 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-17 00:04 . 2009-09-17 00:04 -------- d-----w- c:\program files\AVG
2009-09-16 23:54 . 2009-09-16 23:54 -------- d-----w- c:\documents and settings\Robert\Application Data\AVG8
2009-09-16 23:03 . 2009-09-16 23:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-10 03:35 . 2009-09-10 04:00 -------- d-----w- c:\program files\Oldgames
2009-09-09 19:13 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 21:39 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-09-08 21:39 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-09-08 06:47 . 2009-09-08 06:47 61440 --sh--w- c:\windows\system32\Client.exe
2009-09-02 20:39 . 2009-09-02 20:39 -------- d-----w- c:\documents and settings\Robert\.thumbnails
2009-09-02 20:32 . 2009-09-15 22:24 -------- d-----w- c:\documents and settings\Robert\Application Data\gtk-2.0
2009-09-01 21:50 . 2009-09-01 21:50 -------- d-----w- c:\documents and settings\Robert\Local Settings\Application Data\Yahoo
2009-08-31 16:16 . 2009-08-31 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-21 16:14 . 2008-06-15 02:27 -------- d-----w- c:\documents and settings\Robert\Application Data\DNA
2009-09-21 10:44 . 2008-06-07 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\x3watch
2009-09-21 10:43 . 2008-06-15 02:27 -------- d-----w- c:\program files\DNA
2009-09-18 14:49 . 2008-12-03 00:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 14:28 . 2008-05-31 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-17 14:04 . 2008-12-02 17:25 -------- d-----w- c:\program files\Common Files\BitDefender
2009-09-16 04:43 . 2009-01-15 16:16 81984 ----a-w- c:\windows\system32\bdod.bin
2009-09-10 18:12 . 2009-09-10 18:12 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-09-10 12:57 . 2009-02-16 13:35 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 04:45 . 2008-05-30 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-07 20:31 . 2008-11-06 21:42 -------- d-----w- c:\program files\Telltale Games
2009-09-04 20:16 . 2008-06-15 02:27 -------- d-----w- c:\documents and settings\Robert\Application Data\BitTorrent
2009-09-01 21:49 . 2008-06-14 04:43 -------- d-----w- c:\program files\Yahoo!
2009-08-31 14:16 . 2008-06-15 02:52 -------- d-----w- c:\program files\Miranda IM
2009-08-31 14:12 . 2009-08-18 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-31 14:11 . 2009-02-03 04:30 -------- d-----w- c:\documents and settings\Robert\Application Data\Dropbox
2009-08-31 13:30 . 2009-08-18 14:58 -------- d-----w- c:\documents and settings\Robert\Application Data\skypePM
2009-08-28 13:45 . 2009-02-03 04:30 -------- d-----w- c:\program files\Dropbox
2009-08-18 14:58 . 2009-08-18 14:58 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-17 13:44 . 2009-08-04 00:28 -------- d-----w- c:\program files\Turbine
2009-08-05 09:01 . 2004-08-12 13:23 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 02:15 . 2009-08-04 02:15 129 ----a-w- c:\documents and settings\Robert\Local Settings\Application Data\fusioncache.dat
2009-08-04 00:24 . 2009-06-09 00:26 -------- d-----w- c:\program files\LucasArts
2009-08-04 00:24 . 2008-05-30 22:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-03 23:52 . 2009-08-03 23:52 -------- d-----w- c:\program files\SystemRequirementsLab
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-23 02:42 . 2009-07-23 02:42 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-07-23 02:42 . 2009-07-23 02:42 47360 ----a-w- c:\documents and settings\Robert\Application Data\pcouffin.sys
2009-07-17 19:01 . 2004-08-12 13:17 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-12 13:34 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-12 13:33 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-12 13:32 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-12 13:28 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-12 13:27 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-12 13:23 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-12 13:21 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-12 13:20 301568 ----a-w- c:\windows\system32\kerberos.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-17_13.35.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-12 13:26 . 2009-09-21 18:58 81490 c:\windows\system32\perfc009.dat
+ 2008-05-30 22:02 . 2009-09-21 10:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-30 22:02 . 2009-09-17 13:23 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-30 22:02 . 2009-09-21 10:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-30 22:02 . 2009-09-17 13:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-16 23:03 . 2009-09-21 10:42 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-09-16 23:03 . 2009-09-17 13:23 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2008-05-30 22:02 . 2009-09-21 10:42 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-05-30 22:02 . 2009-09-17 13:23 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-12 13:26 . 2009-09-21 18:58 469012 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 14:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"x3watch"="c:\program files\X3watch\x3watch.exe" [2008-06-01 299008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-11 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-17 2007832]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\Robert\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-12-1 575488]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-17 00:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/16/2009 7:05 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/16/2009 7:05 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/16/2009 7:04 PM 297752]
S2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2/13/2009 7:58 AM 16]
S2 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt11\ArcNameService.exe [5/1/2007 11:15 AM 157264]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [10/12/2007 4:04 PM 99200]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 20:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-1708537768-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b9,c7,a5,43,80,b0,71,51,49,37,17,1d,66,59,fc,91,04,35,32,00,87,03,9f,
28,8d,6a,33,54,75,5b,64,06,f3,c6,f5,01,05,de,f9,c1,75,8b,ca,92,17,63,1f,51,\
"??"=hex:cc,16,87,b7,4c,11,61,04,14,e5,9f,5f,0b,31,72,00

[HKEY_USERS\S-1-5-21-796845957-1708537768-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:d4,c1,52,b4,04,14,1c,aa,a0,6b,ae,76,06,9e,d5,95,56,5b,57,d7,1f,
03,f9,ea,41,a3,a6,6b,f2,d1,fa,89,7a,fb,70,0f,55,ae,ba,21,47,9e,de,02,76,66,\
"rkeysecu"=hex:69,ac,fe,25,0d,2d,72,23,3c,5f,e1,0e,1c,1f,bf,51
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(15540)
c:\windows\system32\WININET.dll
tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\IdePort1\rxyeixui\rxyeixui\tdlwsp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-23 20:18
ComboFix-quarantined-files.txt 2009-09-23 01:18
ComboFix2.txt 2009-09-21 20:18
ComboFix3.txt 2009-09-21 19:37
ComboFix4.txt 2009-09-17 13:45

Pre-Run: 18,338,250,752 bytes free
Post-Run: 18,373,689,344 bytes free

217 --- E O F --- 2009-09-10 04:48
CatByte
post Sep 22 2009, 08:25 PM
Post #18


Classroom Administrator Assistant

Group: Classroom Teacher
Posts: 6,915
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

You have a new rootkit variant on board which is proving a little difficult to remove, so I'd like to try a couple of things if you don't mind.

Download Rootkit Unhooker and save it to your desktop

Double click the icon to extract the files to its own folder, which by default will be C:\RkUnhooker

Locate the C:\RkUnhooker folder, open the folder and double click the purple spider icon to run the tool

Click the "report" tab
Click "scan"
Check all the boxes
Select drive to scan - C:\
Press OK. The scan will take quite some time to complete, so please be patient. Don't have it fix anything; I just need the report for now.
When complete, go to File > save report > save it to your desktop
Copy/paste the report in your next reply


NEXT

Find and delete C:\windows\ntbtlog.txt
Restart your computer.
Just before the Windows loading screen starts, hit F8 as if going into Safe Mode.
From the advanced boot menu choose "enable boot logging", then hit Enter.
Your computer will start up as usual, except it will create a log of its bootup processes for one time only.

Please post the contents of the new file:

C:\windows\ntbtlog.txt
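An added example, not part of the thread and not ComboFix's own code: a small Python triage script that reads a ComboFix log in the layout posted above and flags the two indicators the helper's "rootkit variant" diagnosis rests on. The first is a newly created executable carrying both the system and hidden attributes (`--sh--w- c:\windows\system32\Client.exe`); the second is a module loaded into a process from a `\\?\globalroot\Device\...` object path instead of a drive letter (`tdlwsp.dll` inside `explorer.exe`), which means the file has no normal filesystem path a scanner could open. The embedded sample is a constructed excerpt assembled from entries in that log, and the regexes, section markers and function names are my own assumptions about the log layout, not a ComboFix API.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's layout. The entries are copied from the log
# posted in the thread so the output is meaningful; the excerpt is assembled by
# hand and is not ComboFix output.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.
2009-09-18 14:49 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 06:47 . 2009-09-08 06:47 61440 --sh--w- c:\windows\system32\Client.exe
2009-09-16 23:03 . 2009-09-16 23:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-10 18:12 . 2009-09-10 18:12 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(15540)
c:\windows\system32\WININET.dll
tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\IdePort1\rxyeixui\rxyeixui\tdlwsp.dll
c:\windows\system32\ieframe.dll
.
"""

# One file entry: "created . modified size attrs path" (layout assumed from the
# posted log; attrs is an 8-character flag string, 'd' = directory, 's' = system,
# 'h' = hidden, 'a' = archive).
FILE_ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Process header inside the DLL section: "- - - - - - - > 'name'(pid)"
PROC_HEADER = re.compile(r"^-(?: -)* > '(?P<name>[^']+)'\((?P<pid>\d+)\)$")
# Modules the tool could not resolve to a normal file are printed as
# "name base size path"; ordinary modules are printed as a bare path.
ODD_MODULE = re.compile(r"^\S+ [0-9A-Fa-f]{8} \d+ (?P<path>.+)$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
DLL_SECTION = "DLLs Loaded Under Running Processes"


def find_hidden_system_binaries(log: str) -> List[str]:
    """Paths of listed executables carrying both the system (s) and hidden (h)
    attributes. Legitimate binaries in system32 almost never set both, so this
    is a cheap first-pass indicator that deserves a manual look."""
    hits = []
    for line in log.splitlines():
        m = FILE_ENTRY.match(line.strip())
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        if attrs[0] == "d":  # directories are not binaries
            continue
        if "s" in attrs and "h" in attrs and path.lower().endswith(EXEC_EXT):
            hits.append(path)
    return hits


def find_device_path_modules(log: str) -> List[Tuple[str, int, str]]:
    r"""(process, pid, module path) for loaded modules whose path is not a
    drive-letter path. A module backed by a \\?\globalroot\Device\... object
    path has no file that an ordinary scanner can open, which is how a
    kernel-mode rootkit keeps its user-mode component out of sight."""
    hits = []
    in_section = False
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("---") and DLL_SECTION in line:
            in_section = True
            continue
        if not in_section or not line:
            continue
        if line == ".":  # the section is closed by a lone dot
            in_section = False
            continue
        m = PROC_HEADER.match(line)
        if m:
            current = (m.group("name"), int(m.group("pid")))
            continue
        if current is None:
            continue
        odd = ODD_MODULE.match(line)
        path = odd.group("path") if odd else line
        if not DRIVE_PATH.match(path):
            hits.append((current[0], current[1], path))
    return hits


def triage(log: str) -> Dict[str, list]:
    """Run both checks and return the findings keyed by indicator type."""
    return {
        "hidden_system_binaries": find_hidden_system_binaries(log),
        "device_path_modules": find_device_path_modules(log),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Both checks are deliberately narrow: they only surface entries for a human to review, and neither touches the disk. The device-path check is the stronger signal, because a process importing code that the filesystem cannot show is exactly the gap a rootkit scanner such as the one requested above is meant to explain.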
railbob
post Sep 24 2009, 08:56 AM
Post #19


New Member

Group: Authentic Member
Posts: 16
Joined: 17-September 09
Member No.: 87,958
Operating System: Windows XP



OK, here are the reports.


RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.505
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
==============================================
>Shadow
==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x8AA7F7F8

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 496
EPROCESS Address: 0x8A777308

Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
Process Id: 684
EPROCESS Address: 0x8A71E478

Process: C:\WINDOWS\system32\ctfmon.exe
Process Id: 700
EPROCESS Address: 0x8A74FBC8

Process: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
Process Id: 744
EPROCESS Address: 0x8A513800

Process: C:\WINDOWS\system32\smss.exe
Process Id: 792
EPROCESS Address: 0x8A7C49A8

Process: C:\Program Files\Bonjour\mDNSResponder.exe
Process Id: 808
EPROCESS Address: 0x8A4A7DA0

Process: C:\WINDOWS\system32\csrss.exe
Process Id: 856
EPROCESS Address: 0x8A534C08

Process: C:\WINDOWS\system32\winlogon.exe
Process Id: 888
EPROCESS Address: 0x8A91E810

Process: C:\WINDOWS\system32\services.exe
Process Id: 936
EPROCESS Address: 0x8A5F1318

Process: C:\WINDOWS\system32\lsass.exe
Process Id: 948
EPROCESS Address: 0x8A90A900

Process: C:\Program Files\iTunes\iTunesHelper.exe
Process Id: 1000
EPROCESS Address: 0x8A626620

Process: C:\WINDOWS\system32\ati2evxx.exe
Process Id: 1116
EPROCESS Address: 0x8A497430

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1136
EPROCESS Address: 0x8A4D35F8

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1256
EPROCESS Address: 0x8A48D818

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1324
EPROCESS Address: 0x8A4947B8

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1356
EPROCESS Address: 0x8A492958

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1432
EPROCESS Address: 0x8A484720

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1576
EPROCESS Address: 0x8A48AB90

Process: C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
Process Id: 1604
EPROCESS Address: 0x8A4EB7A0

Process: C:\WINDOWS\system32\alg.exe
Process Id: 1632
EPROCESS Address: 0x89B2C738

Process: C:\WINDOWS\system32\WLTRAY.EXE
Process Id: 1680
EPROCESS Address: 0x8A54F588

Process: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Process Id: 1692
EPROCESS Address: 0x8A4AC838

Process: C:\Program Files\X3watch\x3watch.exe
Process Id: 1752
EPROCESS Address: 0x8A4AC5B8

Process: C:\WINDOWS\system32\BCMWLTRY.EXE
Process Id: 1772
EPROCESS Address: 0x8A54C4D8

Process: C:\WINDOWS\system32\spoolsv.exe
Process Id: 1816
EPROCESS Address: 0x8A87B9C8

Process: C:\WINDOWS\system32\ati2evxx.exe
Process Id: 1928
EPROCESS Address: 0x8A4CC3C0

Process: C:\Program Files\QuickTime\QTTask.exe
Process Id: 1976
EPROCESS Address: 0x8A5DE620

Process: C:\Program Files\iPod\bin\iPodService.exe
Process Id: 2024
EPROCESS Address: 0x89BFB7A0

Process: C:\Program Files\AVG\AVG8\avgtray.exe
Process Id: 2084
EPROCESS Address: 0x8A902BF8

Process: C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
Process Id: 2108
EPROCESS Address: 0x8A495620

Process: C:\WINDOWS\system32\searchindexer.exe
Process Id: 2776
EPROCESS Address: 0x8A61CDA0

Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
Process Id: 2920
EPROCESS Address: 0x8A4D9488

Process: C:\Program Files\AVG\AVG8\avgrsx.exe
Process Id: 4316
EPROCESS Address: 0x8A758020

Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
Process Id: 8400
EPROCESS Address: 0x892C7148

Process: C:\WINDOWS\system32\searchfilterhost.exe
Process Id: 14548
EPROCESS Address: 0x8913C868

Process: C:\WINDOWS\explorer.exe
Process Id: 15540
EPROCESS Address: 0x890E9020

Process: C:\Program Files\Internet Explorer\iexplore.exe
Process Id: 15640
EPROCESS Address: 0x890CD328

Process: C:\Program Files\Internet Explorer\iexplore.exe
Process Id: 15820
EPROCESS Address: 0x891A95C8

Process: C:\WINDOWS\system32\searchprotocolhost.exe
Process Id: 17124
EPROCESS Address: 0x894BD708

Process: C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
Process Id: 17624
EPROCESS Address: 0x88B40938

Process: C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
Process Id: 17684
EPROCESS Address: 0x88AA77D0

Process: C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
Process Id: 17692
EPROCESS Address: 0x88A965A8

Process: C:\Program Files\Internet Explorer\iexplore.exe
Process Id: 18388
EPROCESS Address: 0x88AA5330

Process: C:\RkUnhooker\3jtGfWt2q6.exe
Process Id: 17092
EPROCESS Address: 0x89055C90

==============================================
>Drivers
Driver: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBFA9F000
Size: 2756608 bytes

Driver: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000
Size: 2150400 bytes

Driver: PnpManager
Address: 0x804D7000
Size: 2150400 bytes

Driver: RAW
Address: 0x804D7000
Size: 2150400 bytes

Driver: WMIxWDM
Address: 0x804D7000
Size: 2150400 bytes

Driver: Win32k
Address: 0xBF800000
Size: 1847296 bytes

Driver: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000
Size: 1847296 bytes

Driver: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBFD40000
Size: 1753088 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xBA0A1000
Size: 1638400 bytes

Driver: C:\WINDOWS\system32\drivers\sthda.sys
Address: 0xB1AFC000
Size: 1171456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Address: 0xB9F52000
Size: 1126400 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
Address: 0xB19A7000
Size: 1011712 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
Address: 0xB18F1000
Size: 745472 bytes

Driver: Ntfs.sys
Address: 0xBA635000
Size: 577536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xB16F1000
Size: 458752 bytes

Driver: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB9CB0000
Size: 385024 bytes

Driver: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB1815000
Size: 364544 bytes

Driver: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xAEB35000
Size: 335872 bytes

Driver: C:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xB1600000
Size: 331776 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
Address: 0xB9EB5000
Size: 331776 bytes

Driver: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000
Size: 286720 bytes

Driver: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBFA18000
Size: 282624 bytes

Driver: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF9D5000
Size: 274432 bytes

Driver: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBFA5D000
Size: 270336 bytes

Driver: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xAED3F000
Size: 266240 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
Address: 0xB1A9E000
Size: 237568 bytes

Driver: C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
Address: 0xB9C7C000
Size: 212992 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB9D6B000
Size: 196608 bytes

Driver: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Address: 0xB9E86000
Size: 192512 bytes

Driver: ACPI.sys
Address: 0xBA779000
Size: 188416 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xAF093000
Size: 184320 bytes

Driver: NDIS.sys
Address: 0xBA608000
Size: 184320 bytes

Driver: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xABD11000
Size: 176128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB1761000
Size: 176128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xBA065000
Size: 163840 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB17AE000
Size: 163840 bytes

Driver: dmio.sys
Address: 0xBA723000
Size: 155648 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xB17D6000
Size: 155648 bytes

Driver: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB1AD8000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB9F2E000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB9E63000
Size: 143360 bytes

Driver: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB178C000
Size: 139264 bytes

Driver: ACPI_HAL
Address: 0x806E4000
Size: 134400 bytes

Driver: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000
Size: 134400 bytes

Driver: fltmgr.sys
Address: 0xBA6EB000
Size: 131072 bytes

Driver: ftdisk.sys
Address: 0xBA749000
Size: 126976 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mcdbus.sys
Address: 0xB9D4E000
Size: 118784 bytes

Driver: Mup.sys
Address: 0xBA5EE000
Size: 106496 bytes

Driver: C:\WINDOWS\System32\Drivers\avgtdix.sys
Address: 0xB17FC000
Size: 102400 bytes

Driver: atapi.sys
Address: 0xBA70B000
Size: 98304 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB15C0000
Size: 98304 bytes

Driver: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Address: 0xB9D36000
Size: 98304 bytes

Driver: KSecDD.sys
Address: 0xBA6C2000
Size: 94208 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB9E4C000
Size: 94208 bytes

Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xAEFB6000
Size: 86016 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
Address: 0xB9F06000
Size: 81920 bytes

Driver: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Address: 0xB9F1A000
Size: 81920 bytes

Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xBA08D000
Size: 81920 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xB186E000
Size: 77824 bytes

Driver: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000
Size: 73728 bytes

Driver: sr.sys
Address: 0xBA6D9000
Size: 73728 bytes

Driver: pci.sys
Address: 0xBA768000
Size: 69632 bytes

Driver: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB9E3B000
Size: 69632 bytes

Driver: C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
Address: 0xBA998000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB9E2B000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xBA9E8000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xBA9A8000
Size: 65536 bytes

Driver: ohci1394.sys
Address: 0xBA8B8000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xBAAF8000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBAA88000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBA9F8000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB16A1000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBAAA8000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xBA8C8000
Size: 57344 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
Address: 0xBA9B8000
Size: 57344 bytes

Driver: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA908000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xBA9C8000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBAA08000
Size: 53248 bytes

Driver: VolSnap.sys
Address: 0xBA8E8000
Size: 53248 bytes

Driver: C:\WINDOWS\System32\Drivers\pcouffin.sys
Address: 0xBAA48000
Size: 49152 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBAA28000
Size: 49152 bytes

Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBAB18000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xBA9D8000
Size: 45056 bytes

Driver: MountMgr.sys
Address: 0xBA8D8000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBAA18000
Size: 45056 bytes

Driver: isapnp.sys
Address: 0xBA8A8000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBAA98000
Size: 40960 bytes

Driver: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBAA58000
Size: 40960 bytes

Driver: disk.sys
Address: 0xBA8F8000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xBA988000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBAA38000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBAB08000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xBAAE8000
Size: 36864 bytes

Driver: C:\DOCUME~1\Robert\LOCALS~1\Temp\catchme.sys
Address: 0xBABD8000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xBAC58000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xBAB78000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBAC20000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xBAB60000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBAB28000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xBAB80000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBAC30000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBAC28000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\rkhdrv40.SYS
Address: 0xBABC0000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xBAC18000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBAB68000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xBAB70000
Size: 20480 bytes

Driver: PartMgr.sys
Address: 0xBAB30000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBAC40000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBAC48000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBAC38000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\watchdog.sys
Address: 0xBAC50000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xBACC0000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xBADA0000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xAED2B000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBA241000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xAF47C000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBACB8000
Size: 12288 bytes

Driver: compbatt.sys
Address: 0xBACBC000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB9D2E000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xBA5B6000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBA5AE000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xB18ED000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Address: 0xBAD9C000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBAE3C000
Size: 8192 bytes

Driver: dmload.sys
Address: 0xBADAC000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE6E000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBADEA000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBADA8000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBAE42000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xBADD2000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBAE44000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBADD6000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBADD4000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xBADAA000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBAF71000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBAEC7000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBAFDA000
Size: 4096 bytes

Driver: pciide.sys
Address: 0xBAE70000
Size: 4096 bytes

==============================================
>Stealth
==============================================
>Files

Suspect File: C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\NR8SE243\GetOneMessage[1].txt Status: Hidden


Suspect File: C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\SEFWK55V\77079[1].xml Status: Hidden


Suspect File: C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\W28BSN0M\GetJobList[2].txt Status: Hidden

==============================================
>Hooks

ntkrnlpa.exe-->IofCallDriver, Type: Address change at address 0x80555780 hook handler located in [catchme.sys]
[15540]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[15640]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump at address 0x7E42B3C6 hook handler located in [ieframe.dll]
[15640]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump at address 0x7E42D0A3 hook handler located in [ieframe.dll]
[15640]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump at address 0x7E456D7D hook handler located in [ieframe.dll]
[15640]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump at address 0x7E432072 hook handler located in [ieframe.dll]
[15640]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump at address 0x7E43B144 hook handler located in [ieframe.dll]
[15640]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump at address 0x7E4247AB hook handler located in [ieframe.dll]
[15640]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump at address 0x7E45085C hook handler located in [ieframe.dll]
[15640]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump at address 0x7E450838 hook handler located in [ieframe.dll]
[15640]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump at address 0x7E43A082 hook handler located in [ieframe.dll]
[15640]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump at address 0x7E4664D5 hook handler located in [ieframe.dll]
[15640]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E42820F hook handler located in [ieframe.dll]
[15640]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump at address 0x7E42D5F3 hook handler located in [ieframe.dll]
[15820]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump at address 0x7E42D0A3 hook handler located in [ieframe.dll]
[15820]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump at address 0x7E456D7D hook handler located in [ieframe.dll]
[15820]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump at address 0x7E432072 hook handler located in [ieframe.dll]
[15820]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump at address 0x7E43B144 hook handler located in [ieframe.dll]
[15820]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump at address 0x7E4247AB hook handler located in [ieframe.dll]
[15820]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump at address 0x7E45085C hook handler located in [ieframe.dll]
[15820]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump at address 0x7E450838 hook handler located in [ieframe.dll]
[15820]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump at address 0x7E43A082 hook handler located in [ieframe.dll]
[15820]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump at address 0x7E4664D5 hook handler located in [ieframe.dll]
[18388]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump at address 0x7E42B3C6 hook handler located in [ieframe.dll]
[18388]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump at address 0x7E42D0A3 hook handler located in [ieframe.dll]
[18388]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump at address 0x7E456D7D hook handler located in [ieframe.dll]
[18388]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump at address 0x7E432072 hook handler located in [ieframe.dll]
[18388]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump at address 0x7E43B144 hook handler located in [ieframe.dll]
[18388]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump at address 0x7E4247AB hook handler located in [ieframe.dll]
[18388]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump at address 0x7E45085C hook handler located in [ieframe.dll]
[18388]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump at address 0x7E450838 hook handler located in [ieframe.dll]
[18388]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump at address 0x7E43A082 hook handler located in [ieframe.dll]
[18388]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump at address 0x7E4664D5 hook handler located in [ieframe.dll]
[18388]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E42820F hook handler located in [ieframe.dll]
[18388]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump at address 0x7E42D5F3 hook handler located in [ieframe.dll]
[2776]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump at address 0x7C810E27 hook handler located in [mssrch.dll]
[2776]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2C hook handler located in [unknown_code_page]
[2776]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2D hook handler located in [unknown_code_page]

Service Pack 3 9 23 2009 16:22:07.375
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS
Loaded driver compbatt.sys
Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\system32\DRIVERS\wmiacpi.sys
Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys
Loaded driver \SystemRoot\system32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\bcmwl5.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\sdbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\rimmptsk.sys
Loaded driver \SystemRoot\system32\DRIVERS\rimsptsk.sys
Loaded driver \SystemRoot\system32\DRIVERS\rixdptsk.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\SynTP.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\Drivers\pcouffin.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\mcdbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\NWADIenum.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\sthda.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSX_DPV.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\Drivers\avgtdix.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Did not load driver \systemroot\system32\drivers\ivrcrpvrtqbwwxwh.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys
Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Did not load driver \SystemRoot\System32\Drivers\Parport.SYS
Did not load driver \SystemRoot\System32\Drivers\Serial.SYS
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Service Pack 3 9 24 2009 09:46:07.375
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS
Loaded driver compbatt.sys
Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\system32\DRIVERS\wmiacpi.sys
Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys
Loaded driver \SystemRoot\system32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\bcmwl5.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\sdbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\rimmptsk.sys
Loaded driver \SystemRoot\system32\DRIVERS\rimsptsk.sys
Loaded driver \SystemRoot\system32\DRIVERS\rixdptsk.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\SynTP.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\Drivers\pcouffin.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\mcdbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\NWADIenum.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\sthda.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSX_DPV.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\Drivers\avgtdix.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Did not load driver \systemroot\system32\drivers\ivrcrpvrtqbwwxwh.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys
Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Did not load driver \SystemRoot\System32\Drivers\Parport.SYS
Did not load driver \SystemRoot\System32\Drivers\Serial.SYS
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys

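The `>Hooks` section of the GMER log above is the part that needs reading line by line: each entry names the hooked process, module and function, the hook type, the patched address and the module that owns the handler. The following Python script is an added example (it is not from the thread and not part of GMER): it parses that line format and reports hooks whose handler is not an expected module, above all `unknown_code_page`. The expected-handler list is an assumption of the example; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Constructed sample: five lines in the GMER ">Hooks" format, copied from the
# log posted above (one kernel hook, one IAT hook, one inline hook, and the
# two WriteFile hooks on searchindexer.exe).
SAMPLE_HOOK_LINES = """\
ntkrnlpa.exe-->IofCallDriver, Type: Address change at address 0x80555780 hook handler located in [catchme.sys]
[15540]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[15640]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump at address 0x7E42D0A3 hook handler located in [ieframe.dll]
[2776]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump at address 0x7C810E27 hook handler located in [mssrch.dll]
[2776]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2C hook handler located in [unknown_code_page]
"""

# One hook line: optional "[pid]", then "process-->module-->function" (kernel
# hooks have no module part), the hook type, the patched address and the
# module that owns the handler.
HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?"
    r"(?P<chain>[^,]+?), Type: "
    r"(?P<type>.+?) at address (?P<addr>0x[0-9A-Fa-f]+)"
    r" hook handler located in \[(?P<handler>[^\]]+)\]$"
)

# Assumption of this example: handler modules that were expected on the
# machine in this thread (catchme.sys is the driver ComboFix/GMER load for
# the scan; shimeng.dll is the application-compatibility shim engine;
# ieframe.dll is Internet Explorer's own frame DLL; mssrch.dll belongs to
# Windows Search). Anything else, and above all "unknown_code_page" (a
# handler address backed by no loaded module image), is reported for review.
EXPECTED_HANDLERS = {"catchme.sys", "shimeng.dll", "ieframe.dll", "mssrch.dll"}


def parse_hook_line(line):
    """Return a dict for one GMER hook line, or None if the line is not a hook."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    chain = m.group("chain").split("-->")
    return {
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "process": chain[0],
        "module": chain[1] if len(chain) == 3 else None,
        "function": chain[-1],
        "type": m.group("type"),
        "address": int(m.group("addr"), 16),
        "handler": m.group("handler"),
    }


def parse_hooks(text):
    """Parse every hook line in a block of GMER output; other lines are skipped."""
    return [r for r in (parse_hook_line(line) for line in text.splitlines()) if r]


def triage(records, expected=EXPECTED_HANDLERS):
    """Hooks whose handler is not an expected module, or is unmapped code."""
    return [r for r in records
            if r["handler"] == "unknown_code_page"
            or r["handler"].lower() not in expected]


def hooks_by_handler(records):
    """Which (process, function) pairs each handler module has hooked."""
    grouped = defaultdict(set)
    for r in records:
        grouped[r["handler"]].add((r["process"], r["function"]))
    return {h: sorted(v) for h, v in grouped.items()}


if __name__ == "__main__":
    records = parse_hooks(SAMPLE_HOOK_LINES)
    for handler, targets in hooks_by_handler(records).items():
        print(f"{handler}: {len(targets)} hook(s)")
    for r in triage(records):
        proc = f"[{r['pid']}]{r['process']}" if r["pid"] else r["process"]
        print(f"REVIEW: {proc} {r['function']} {r['type']} "
              f"at {r['address']:#010x} -> {r['handler']}")
```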
CatByte
post Sep 24 2009, 09:05 AM
Post #20

Classroom Administrator Assistant
Group: Classroom Teacher
Posts: 6,915
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi,

Please do the following:


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

CODE
sysrst::


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


The log will be really large. Please zip it up and attach it to your next post.

If it is too large to attach, please upload it to media fire and post the sharing link:

www.mediafire.com

NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



CatByte
post Sep 24 2009, 09:44 AM
Post #21

Can you please run this tool as well? Thanks.

Download this << file >> & extract TDSSKiller.exe onto your Desktop.

Then create this batch file to be placed next to TDSSKiller
----
Open NOTEPAD.exe and copy/paste the text in the codebox below into it:

CODE
@ECHO OFF
START /WAIT TDSSKILLER.exe -l Logit.txt -v
START Logit.txt
del %0


Save this as fix.bat. Choose to "Save type as - All Files".
It should look like this:

Double click on fix.bat & allow it to run
railbob
post Sep 24 2009, 02:40 PM
Post #22

New Member
Group: Authentic Member
Posts: 16
Joined: 17-September 09
Member No.: 87,958
Operating System: Windows XP

Ok, I just zipped all the logs, but the Combofix log doesn't seem any bigger than normal.
Attached File: Logs_09_24_09.zip (7.99K)
CatByte
post Sep 24 2009, 02:49 PM
Post #23

Reboot your machine if you haven't already done so and please rerun GMER


(sorry to keep making you run so many scans, but as this is a new infection, we need to find out as much as we can - thanks so much for your co-operation in this)
CatByte
post Sep 25 2009, 02:20 PM
Post #24

Hi,

Please do the following after running the GMER program

Earlier on ComboFix installed the Recovery Console. We're going to use that now.

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)

When you get to the above screen, take note of the number that references your operating system.
If it's '1' like the picture above, type 1 and press Enter

Next type FIXMBR



If it asks if you're sure you want to write a new MBR, answer 'Y'.

Then type EXIT to reboot the machine.

Boot into safe mode and do a quick scan with MalwareBytes, and let me know if it still detects tdlwsp.dll; have MBAM remove it and then reboot back into normal mode.
railbob
post Sep 25 2009, 04:11 PM
Post #25

Before I follow these instructions, is there any chance this could make my hard disk inaccessible?

CatByte
post Sep 25 2009, 04:16 PM
Post #26

Hi,

There is always a risk doing anything that rips out malware. I cannot guarantee what will happen with your system. I do know, however, that you are infected at the deepest level with a new infection. I am not working on this alone, but have the assistance of the best experts and tool developers in the business.

Make sure your data is backed up fully. Combofix installed Erunt - the registry backup, which we can access if necessary.
railbob
post Sep 26 2009, 08:18 PM
Post #27

Ok, instructions followed. However, Malwarebytes is still detecting tdlwsp.dll even after removing and rebooting.
CatByte
post Sep 26 2009, 10:50 PM
Post #28

OK, thanks for your patience.

Can you please run GMER again, and we'll try something else.
CatByte
post Sep 28 2009, 04:57 PM
Post #29

Hi,

One of the experts working on this infection would like to collect some information if you don't mind:

Could you please do the following:

Click Start>Run and type cmd then hit Enter to open a command window.
Highlight and copy the contents of the code box below, then right click in the command window and select Paste.

CODE
echo.>%systemroot%\list.txt
echo dir>%systemroot%\listit.txt
echo.>%systemroot%\system32\list.txt
echo dir>%systemroot%\system32\listit.txt
echo.>%systemroot%\system32\drivers\list.txt
echo dir>%systemroot%\system32\drivers\listit.txt
exit
cls


The commands pasted should complete quickly and the command window will close on its own.

Download Process Monitor from Microsoft's Sysinternals from here.
Save the zip file to your desktop then extract it to its own folder.
Open the folder and double click Procmon.exe to run it.
On the menu, click Filter>Enable Advanced Output
On the menu, click Options>Enable Boot Logging
You should receive a message that 'Process Monitor is configured to log activity during the next boot'.
Click OK then close Process Monitor

Please write down the following or print it out so that you have it available for use in the Recovery Console.
Reboot the machine and select Microsoft Windows Recovery Console from the startup menu (you have 2 seconds to select it).
When prompted, type 1 then hit Enter to logon to the C:\Windows operating system.
The italicized text below is the command prompt you will see, the bolded text is the commands you will type, hitting Enter after each line.

C:\Windows>batch listit.txt list.txt
C:\Windows>cd system32
C:\Windows\system32>batch listit.txt list.txt
C:\Windows\system32>cd drivers
C:\Windows\system32\drivers>batch listit.txt list.txt
C:\Windows\system32\drivers>exit

** Be sure to leave a space between the words batch and listit.txt, and another space between the words listit.txt and list.txt **

After typing exit your machine will restart.
Allow it to boot into normal mode.
Once logged into normal mode, open Process Monitor again. (this is important to do right away - it causes Process Monitor to stop logging information)
You should receive a message that 'A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data now?'
Click Yes
Name it bootlog, leave the Save as type: Procmon Log (*.PML) and save it to your desktop.
Close Process Monitor

**If you configure boot logging and the system crashes early in the boot you can deactivate boot logging by choosing the Last Known Good option from the Windows boot menu (which you access by pressing F8 during the boot).**

Please upload the following files to my submission channel, or attach them to an email to me, for review.

bootlog.PML from your desktop
C:\Windows\list.txt
C:\Windows\system32\list.txt
C:\Windows\system32\drivers\list.txt
CatByte
post Sep 29 2009, 09:34 PM
Post #30

One more to run if you would please:

Please do the following:

Click Start>Run then type cmd and hit Enter to open a command window.
Copy the contents of the code box below then right click in the command window and select Paste.

CODE
cd %systemroot%\system32\drivers
rem look.txt receives the name of every *.sys file containing either marker string (/i = ignore case, /m = file names only)
findstr /i /m "8TDL3uZ 8INITu" *.sys >look.txt
rem for each name found, list every copy of that file name on the system drive, whatever its attributes
del /q log.txt 2>nul
for /f "tokens=*" %i in (look.txt) do (
dir %systemdrive%\%i /a /s >>log.txt
)
start notepad log.txt
del /q look.txt
exit
cls



When the commands complete, notepad should open log.txt and the command window will close on its own.


Please post the contents of log.txt, if any, here in your next reply.
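As an added example, and not CatByte's script, here is the same search written out in Python so the logic is explicit: scan a drivers directory for *.sys files containing either marker string from the findstr line (case-insensitive, as /i is), then list every copy of each hit anywhere under the drive root, which is what the dir /s line does. The sample directory tree, its file names and their contents are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path

# The two marker strings from the findstr command above; findstr /i matches
# them case-insensitively, so the comparison below lowercases both sides.
TDL3_MARKERS = (b"8TDL3uZ", b"8INITu")


def file_has_marker(path, markers=TDL3_MARKERS):
    """True if the file's bytes contain any marker, ignoring case (findstr /i)."""
    data = Path(path).read_bytes().lower()
    return any(m.lower() in data for m in markers)


def find_marked_drivers(drivers_dir):
    """Names of *.sys files in drivers_dir containing a marker (findstr /m prints names only)."""
    return sorted(p.name for p in Path(drivers_dir).glob("*.sys")
                  if p.is_file() and file_has_marker(p))


def find_copies(root, filename):
    """Every file under root with the given name, like 'dir root\\name /a /s'."""
    copies = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == filename.lower():
                full = Path(dirpath) / name
                copies.append((str(full), full.stat().st_size))
    return sorted(copies)


def scan(root, drivers_dir):
    """Map each marked driver name to all copies of that name under root."""
    return {name: find_copies(root, name) for name in find_marked_drivers(drivers_dir)}


def build_sample_tree():
    """Constructed sample drive: one marked driver plus a stray copy of it, and one clean driver."""
    root = Path(tempfile.mkdtemp(prefix="tdl3_demo_"))
    drivers = root / "WINDOWS" / "system32" / "drivers"
    drivers.mkdir(parents=True)
    # Marker written in a different case to exercise the /i behaviour.
    (drivers / "sample_drv.sys").write_bytes(b"MZ" + b"\x00" * 64 + b"8tdl3uz" + b"\x00" * 32)
    (drivers / "clean_drv.sys").write_bytes(b"MZ" + b"\x00" * 96)
    stray = root / "WINDOWS" / "Temp"
    stray.mkdir(parents=True)
    (stray / "sample_drv.sys").write_bytes(b"MZ" + b"\x00" * 16)
    return root, drivers


if __name__ == "__main__":
    root, drivers = build_sample_tree()
    try:
        for name, copies in scan(root, drivers).items():
            print(f"{name}: marker found; {len(copies)} copy/copies on the drive")
            for path, size in copies:
                print(f"  {size:>8} bytes  {path}")
    finally:
        shutil.rmtree(root)
```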
