WiredWX Hobby Weather Tools

Computer infected pretty badly with Malware

Hello, I acquired an infection which took over most of my computer. I disconnected from the internet and from a different computer, began researching how to disinfect it, but it looks to be too deep for me, can one of you experts assist?

Re: Computer infected pretty badly with Malware

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Re: Computer infected pretty badly with Malware

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:15 PM, on 10/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\SttService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\VMware\VMware VDM\Client\bin\wsnm.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\WINDOWS\TEMP\LGFB26.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Siemens\CardOS API\bin\siecacst.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\price\LOCALS~1\Temp\y2o3swj.exe
C:\DOCUME~1\price\LOCALS~1\Temp\wow64main.exe
C:\DOCUME~1\price\LOCALS~1\Temp\3519986172.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\DOCUME~1\price\LOCALS~1\Temp\wscsvc32.exe
E:\winlogon.scr

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.plm.automation.siemens.com/en_us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxyconf/
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 osguard-pro.microsoft.com
O1 - Hosts: 91.212.127.226 osguard-pro.com
O1 - Hosts: 91.212.127.226 www.osguard-pro.com
O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Siemens\CardOS API\bin\siecacst.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "E:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [Eqiwek] rundll32.exe "C:\WINDOWS\evebamom.dll",Startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\price\LOCALS~1\Temp\y2o3swj.exe
O4 - HKCU\..\Run: [wow64main.exe] C:\DOCUME~1\price\LOCALS~1\Temp\wow64main.exe
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\price\LOCALS~1\Temp\3519986172.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244484778015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244484770390
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.net/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\Software\..\Telephony: DomainName = net.plm.eds.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6B288D1-1097-4AEB-A55C-5B845832FF70}: Domain = net.plm.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = net.plm.eds.com,ugs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = net.plm.eds.com,ugs.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = net.plm.eds.com,ugs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = net.plm.eds.com,ugs.com
O20 - AppInit_DLLs: ratirupu.dll
O23 - Service: Juniper TNC Endpoint Assessment (EacService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - Unknown owner - c:\program files\mobile automation\rstate.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Juniper OAC Service (odClientService) - Juniper Networks, Inc. - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Stt Services (SttService) - Unknown owner - C:\WINDOWS\SttService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VMware VDM Client Service (wsnm) - VMware, Inc. - C:\Program Files\VMware\VMware VDM\Client\bin\wsnm.exe

--
End of file - 11025 bytes

Re: Computer infected pretty badly with Malware

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.127.226 osguard-pro.microsoft.com
    O1 - Hosts: 91.212.127.226 osguard-pro.com
    O1 - Hosts: 91.212.127.226 www.osguard-pro.com
    O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
    O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
    O4 - HKLM\..\Run: [Eqiwek] rundll32.exe "C:\WINDOWS\evebamom.dll",Startup
    O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
    O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\price\LOCALS~1\Temp\y2o3swj.exe
    O4 - HKCU\..\Run: [wow64main.exe] C:\DOCUME~1\price\LOCALS~1\Temp\wow64main.exe
    O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\price\LOCALS~1\Temp\3519986172.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O20 - AppInit_DLLs: ratirupu.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.
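The helper's fix list above is the product of reading the HijackThis log by eye. The following Python script is an added example (it is not part of the thread and not HijackThis or Trend Micro code) that turns the same judgement into explicit heuristics and runs them over a constructed sample made of lines copied from the log posted earlier: hosts-file entries that map names to a non-loopback address, a BHO registered with no file behind it, Run entries whose target sits in a Temp directory or whose DLL is loaded by rundll32 from a user profile or the Windows root, the IE control-panel and DisableRegedit policies, and a non-empty AppInit_DLLs value. Section names (O1, O2, O4, O6, O7, O20) are the real HijackThis ones; everything else is the example's own.

```python
"""Heuristic triage of HijackThis log entries (added example, not HijackThis code)."""
import ntpath
import re

# Constructed sample: a subset of lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 osguard-pro.microsoft.com
O1 - Hosts: 91.212.127.226 osguard-pro.com
O1 - Hosts: 91.212.127.226 www.osguard-pro.com
O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Siemens\CardOS API\bin\siecacst.exe
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [Eqiwek] rundll32.exe "C:\WINDOWS\evebamom.dll",Startup
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\price\LOCALS~1\Temp\y2o3swj.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: ratirupu.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O4 - <body>" style entry; HijackThis prefixes every entry with its section code.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")
RUN_RE = re.compile(r"^(?P<hive>[^\[]*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+\"?(?P<dll>[^\s\",]+\.dll)", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
PROFILE_RE = re.compile(r"\\(?:DOCUME~1|Documents and Settings)\\", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "::1"}


def _check_run(cmd):
    """Heuristics for the command behind a Run-key autostart entry."""
    reasons = []
    if TEMP_DIR_RE.search(cmd):
        reasons.append("autorun target lives in a Temp directory")
    m = RUNDLL_RE.search(cmd)
    if m:
        dll = m.group("dll")
        if PROFILE_RE.search(dll):
            reasons.append("rundll32 loads a DLL from a user profile")
        elif ntpath.dirname(dll).lower() == r"c:\windows":
            reasons.append("rundll32 loads a DLL from the Windows root, not system32")
    return reasons


def check_entry(section, body):
    """Return the reasons one entry looks suspicious (empty list if none)."""
    if section == "O1":
        m = HOSTS_RE.match(body)
        if m and m.group("ip") not in LOOPBACK:
            return [f"hosts file maps {m.group('name')} to {m.group('ip')}"]
    elif section == "O2" and body.endswith("(no file)"):
        return ["BHO registered with no backing file"]
    elif section == "O4":
        m = RUN_RE.match(body)
        if m:
            return _check_run(m.group("cmd"))
    elif section == "O6":
        return ["IE control panel restriction policy present"]
    elif section == "O7" and "DisableRegedit=1" in body:
        return ["registry editor disabled by policy"]
    elif section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return ["AppInit_DLLs injects a DLL into every user-mode process"]
    return []


def triage(log_text):
    """Return [(section, line, reasons)] for every entry with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        reasons = check_entry(m.group("section"), m.group("body"))
        if reasons:
            findings.append((m.group("section"), line, reasons))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {'; '.join(reasons)}\n    {line}")
```

Run on the sample, the script flags the three osguard-pro hosts entries, the orphaned BHO, the Temp-directory autorun, the two rundll32 entries, both policies and the AppInit_DLLs line. It does not flag the HKLM `[calc]` entry that loads `calc.dll` from system32, which the helper did list: a path-based heuristic cannot tell that DLL apart from a legitimate system component, so a human reading the log still has the final say.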

Re: Computer infected pretty badly with Malware

Mbam log

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/27/2009 10:53:33 PM
mbam-log-2009-10-27 (22-53-33).txt

Scan type: Quick Scan
Objects scanned: 126843
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\price\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

--------------------------
In addition, I got some dialog popups on startup:

1st popup
Header: rundll32.exe - Bad Image
Info: The application or DLL C:\DOCUME~1\NETWOR~1\ntuser.dll is not a valid Windows image. Please check this against your installation diskette.

2nd popup
Header: RUNDLL
Info: Error loading C:\DOCUME~1\NETWOR~1\ntuser.dll

%1 is not a valid Win32 application.

Re: Computer infected pretty badly with Malware

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.

Re: Computer infected pretty badly with Malware

Due to the malware, I disconnected the infected computer from the internet and have been corresponding with you on a separate machine. To get mbam, I downloaded it, installed it, updated it, and ran it all from a jump drive. Is this acceptable?

Re: Computer infected pretty badly with Malware

Don't think that will work; we'll have to use this.

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    (screenshot: CF_download_FF)

    (screenshot: CF_download_rename)

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    (screenshot: Rcauto10)

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    (screenshot: Whatne10)

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Computer infected pretty badly with Malware

ComboFix 09-11-21.03 - price 11/22/2009 9:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2963 [GMT -8:00]
Running from: e:\debug malware\Software\ComboFix\Combo-Fix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {0DAA9119-FD08-45C7-A0D4-435C2125DC25}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {63AEB1F9-3232-41B0-85E9-57A26F039C34}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {E6508629-3691-4CDC-A98C-DBB1C46CE0E8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {EE66AC07-84E2-41D3-A1F6-CAA0156912A4}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {07F71C9E-8DE4-4226-B23A-C065A56821F8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {0BEAD907-62D3-45B6-91D7-1B7B378434FD}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {495CC023-7AA3-4062-9163-DAFC95BCCB95}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {6789DEB4-4214-4AE8-A310-E2DED4AE8079}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {9DFB6C67-B09B-451B-96C8-8F03241927EE}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {D5C7FEBD-12D0-4782-8AD7-6B290082768C}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {DE57F669-2848-4BDC-83C0-C5C7E3AF3D7B}
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {63AEB1F9-3232-41B0-85E9-57A26F039C34}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {71A20E43-2C24-456C-AF94-9682743CB5C4}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}\chrome.manifest
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}\chrome\content\_cfg.js
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}\chrome\content\overlay.xul
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}\install.rdf
c:\documents and settings\price\ntuser.dll
c:\documents and settings\price\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\price\Start Menu\Programs\Startup\scandisk.lnk
c:\recycler\S-1-5-21-1024183140-2997838336-3344170229-500
c:\recycler\S-1-5-21-1154051771-3337579795-2169959840-500
c:\recycler\S-1-5-21-1687308215-1492714699-3125069277-500
c:\recycler\S-1-5-21-1715567821-1637723038-725345543-1004
c:\recycler\S-1-5-21-1715567821-1637723038-725345543-500
c:\recycler\S-1-5-21-1808509001-2669391744-3598713614-1015
c:\recycler\S-1-5-21-1916751870-1504642916-2163861243-500
c:\recycler\S-1-5-21-2210005112-3894602836-3136207814-500
c:\recycler\S-1-5-21-2641836117-3391798788-1020401150-1003
c:\recycler\S-1-5-21-2641836117-3391798788-1020401150-500
c:\recycler\S-1-5-21-2820340151-974736829-3225031353-500
c:\recycler\S-1-5-21-3029029702-2035401049-268590511-1015
c:\recycler\S-1-5-21-381596900-2956720227-2096382093-500
c:\recycler\S-1-5-21-4176429844-1514365582-2073545320-500
c:\recycler\S-1-5-21-546876832-141316095-377355887-500
c:\recycler\S-1-5-21-859959763-3936455684-3026372322-1015
c:\windows\evebamom.dll
c:\windows\irc.txt
c:\windows\system32\BtwSrv.dll
c:\windows\system32\Cache
c:\windows\system32\fuyewabe.dll
c:\windows\system32\Install.txt
c:\windows\system32\kekilule.exe
c:\windows\system32\lsm32.sys
c:\windows\system32\pawebehe.exe
c:\windows\system32\pepilose.exe
c:\windows\system32\ratirupu.dll
c:\windows\system32\wulukimi.exe

----- BITS: Possible infected sites -----

hxxp://uscymcli001.net.plm.eds.com
hxxp://sus134
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.

2009-11-21 15:46 . 2009-11-21 15:46 10752 ----a-w- c:\windows\DCEBoot.exe
2009-11-18 02:52 . 2009-11-21 15:13 120 ----a-w- c:\windows\Xluxeqicox.dat
2009-11-18 02:52 . 2009-11-21 09:28 0 ----a-w- c:\windows\Hlusuqahiv.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 18:08 . 2009-10-23 05:05 6174 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-11-18 03:01 . 2009-09-02 14:43 -------- d-----w- c:\program files\stt
2009-10-26 20:43 . 2009-10-16 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 04:31 . 2009-06-19 00:19 70920 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\price\Application Data\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp Toolbar
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Winamp Toolbar
2009-10-16 04:21 . 2009-10-16 03:54 -------- d-----w- c:\program files\eqsydv
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\price\Application Data\Malwarebytes
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 03:56 . 2009-10-13 04:05 -------- d-----w- c:\program files\Cheat Engine
2009-10-14 02:41 . 2008-06-29 05:17 26945 ----a-w- c:\windows\system32\nvModes.dat
2009-09-10 21:54 . 2009-10-16 04:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-10-16 04:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 02:25 . 2009-09-09 02:25 1886320 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en_signed.exe
2008-06-12 12:53 . 2008-09-22 22:57 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2008-06-12 12:53 . 2008-09-22 22:57 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2008-06-12 12:53 . 2008-09-22 22:57 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2008-06-12 12:53 . 2008-09-22 22:57 949760 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
2008-06-12 12:53 . 2008-09-22 22:57 955904 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
2008-06-12 12:53 . 2008-09-22 22:57 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2007-07-09 21:30 . 2007-07-09 21:30 57344 ----a-w- c:\program files\internet explorer\plugins\PluginWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SIECACST"="c:\program files\Siemens\CardOS API\bin\siecacst.exe" [2007-08-02 81920]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-06-04 5069648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2007-03-16 1028160]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\Pccntmon.exe" [2009-07-27 718120]
"Malwarebytes Anti-Malware (reboot)"="e:\debug malware\Software\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2007-10-20 118784]
"PtiuPbmd"="ulutil2.dll" - c:\windows\system32\ulutil2.dll [2003-11-05 110592]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-04-29 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2009-06-04 5069648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2008-06-29 05:49 122949 ----a-w- c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 aacsas;Adaptec SAS/SATA-II RAID Miniport Driver;c:\windows\system32\drivers\aacsas.sys [9/15/2008 9:12 AM 81035]
R0 adp94xx;adp94xx;c:\windows\system32\drivers\adp94xx.sys [9/15/2008 9:12 AM 360960]
R0 AFAMgt;AFAMgt;c:\windows\system32\drivers\afamgt.sys [9/15/2008 9:12 AM 91707]
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [9/15/2008 9:12 AM 119808]
R0 amdbusdr;amdbusdr;c:\windows\system32\drivers\AmdBusDr.sys [9/15/2008 9:12 AM 29696]
R0 arcm_x86;arcm_x86;c:\windows\system32\drivers\arcm_x86.sys [9/15/2008 9:12 AM 25888]
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [9/15/2008 9:12 AM 6016]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [9/15/2008 9:12 AM 7680]
R0 FastSx;FastSx;c:\windows\system32\drivers\FastSx.sys [9/15/2008 9:12 AM 167424]
R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [9/15/2008 9:12 AM 65536]
R0 fttxr5_O;fttxr5_O;c:\windows\system32\drivers\fttxr5_O.sys [9/15/2008 9:12 AM 177152]
R0 fttxr52P;fttxr52P;c:\windows\system32\drivers\fttxr52P.sys [9/15/2008 9:12 AM 160256]
R0 HpCISSm2;HpCISSm2;c:\windows\system32\drivers\HpCISSm2.sys [9/15/2008 9:12 AM 23040]
R0 Hpt366;Hpt366;c:\windows\system32\drivers\Hpt366.sys [9/15/2008 9:12 AM 22880]
R0 hpt374;hpt374;c:\windows\system32\drivers\hpt374.sys [9/15/2008 9:12 AM 108150]
R0 hptiop;hptiop;c:\windows\system32\drivers\hptiop.sys [9/15/2008 9:12 AM 14496]
R0 hptmv;hptmv;c:\windows\system32\drivers\hptmv.sys [9/15/2008 9:12 AM 65024]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [9/15/2008 9:12 AM 26112]
R0 m5228;m5228;c:\windows\system32\drivers\m5228.sys [9/15/2008 9:12 AM 45069]
R0 m5281;m5281;c:\windows\system32\drivers\m5281.sys [9/15/2008 9:12 AM 51072]
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [9/15/2008 9:12 AM 103680]
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [9/15/2008 9:12 AM 210304]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [9/15/2008 9:12 AM 52480]
R0 MegaIDE;MegaIDE;c:\windows\system32\drivers\MegaIDE.sys [9/15/2008 9:12 AM 163277]
R0 MegaINTL;MegaINTL;c:\windows\system32\drivers\MegaINTL.sys [9/15/2008 9:12 AM 177536]
R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [9/15/2008 9:12 AM 34432]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [9/15/2008 9:12 AM 143360]
R0 mv64xx;mv64xx;c:\windows\system32\drivers\mv64xx.sys [9/15/2008 9:12 AM 212480]
R0 mvSata;mvSata;c:\windows\system32\drivers\mvsata.sys [9/15/2008 9:12 AM 43520]
R0 nfrd960;IBM ServeRAID 4M/4L/4Mx/4Lx/5i/6M/6i/7k Device Driver;c:\windows\system32\drivers\nfrd960.sys [9/15/2008 9:12 AM 74747]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [1/23/2006 1:19 PM 254208]
R0 Pnp649r;CMD IDE Raid Controller;c:\windows\system32\drivers\pnp649r.sys [9/15/2008 9:12 AM 66889]
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [9/15/2008 9:12 AM 71720]
R0 raidsrc;raidsrc;c:\windows\system32\drivers\raidsrc.sys [9/15/2008 9:12 AM 45392]
R0 S150sx8;S150sx8;c:\windows\system32\drivers\S150sx8.sys [9/15/2008 9:12 AM 36864]
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [9/15/2008 9:12 AM 110128]
R0 SI3114;SiI-3114 SATALink Controller;c:\windows\system32\drivers\SI3114.sys [9/15/2008 9:12 AM 61952]
R0 SI3124;SiI-3124 SATALink Controller;c:\windows\system32\drivers\SI3124.sys [9/15/2008 9:12 AM 81960]
R0 SI3124r;SiI-3124 SATARaid Controller;c:\windows\system32\drivers\SI3124r.sys [9/15/2008 9:12 AM 100881]
R0 Si3124r5;SiI-3124 SoftRaid 5 Controller;c:\windows\system32\drivers\3124r5A2.sys [9/15/2008 9:12 AM 207152]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [9/15/2008 9:12 AM 210736]
R0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\SiSRaid1.sys [9/15/2008 9:11 AM 46464]
R0 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [9/15/2008 9:11 AM 68864]
R0 sisraidx;sisraidx;c:\windows\system32\drivers\sisraidx.sys [9/15/2008 9:11 AM 47616]
R0 sptrak;sptrak;c:\windows\system32\drivers\sptrak.sys [9/15/2008 9:12 AM 41216]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [9/15/2008 9:12 AM 125952]
R0 viapdsk;VIA ATA/ATAPI Host Controller;c:\windows\system32\drivers\viapdsk.sys [9/15/2008 9:11 AM 29184]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [4/28/2006 5:57 AM 17968]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [12/11/2006 9:12 AM 87664]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 5:34 PM 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 5:34 PM 36368]
R2 wsnm;VMware VDM Client Service;c:\program files\VMware\VMware VDM\Client\bin\wsnm.exe [5/8/2008 2:51 PM 131072]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [8/4/2009 7:15 AM 24521]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [11/14/2006 8:49 AM 398720]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [5/25/2009 5:34 AM 338960]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [5/25/2009 5:34 AM 488768]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\WSUSBDMAN.sys [5/8/2008 2:45 PM 21504]
S0 2310_00;2310_00;c:\windows\system32\drivers\2310_00.sys [9/15/2008 9:12 AM 100224]
S0 hptmv6;hptmv6;c:\windows\system32\drivers\hptmv6.sys [9/15/2008 9:12 AM 93696]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [9/15/2008 9:12 AM 9809]
S0 lsi_sas2;lsi_sas2;c:\windows\system32\drivers\lsi_sas2.sys [9/15/2008 9:12 AM 93184]
S0 rr172x;rr172x;c:\windows\system32\drivers\rr172x.sys [9/15/2008 9:12 AM 83200]
S0 rr174x;rr174x;c:\windows\system32\drivers\rr174x.sys [9/15/2008 9:12 AM 107296]
S0 rr232x;rr232x;c:\windows\system32\drivers\rr232x.sys [9/15/2008 9:12 AM 101888]
S0 rr2340;rr2340;c:\windows\system32\drivers\rr2340.sys [9/15/2008 9:12 AM 102400]
S2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\mobile automation\rstate.exe" --> c:\program files\mobile automation\rstate.exe [?]
S2 SttService;Stt Services;c:\windows\SttService.exe [9/2/2009 6:43 AM 36923]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [3/16/2007 4:33 PM 81992]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [8/4/2009 7:15 AM 835584]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 4:00 AM 14336]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [8/4/2009 7:15 AM 155216]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [5/25/2009 5:30 AM 652552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-18 c:\windows\Tasks\stt_inv_report_24.job
- c:\program files\stt\stt_report_controller.bat [2009-09-02 16:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Eqiwek - c:\windows\evebamom.dll
AddRemove-eMusic Promotion - c:\program files\Winamp\eMusic\Uninst-eMusic-promotion.exe
AddRemove-HijackThis - E:\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 10:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x80800000]<< >>UNKNOWN [0xF7657000]<< >>UNKNOWN [0xF7647000]<< >>UNKNOWN [0xF72A1000]<< >>UNKNOWN [0x80A0D000]<< >>UNKNOWN [0xF7A4F000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xf765bf28
\Driver\ACPI -> 0xf735ecb8
\Driver\atapi -> 0xf72a7852
\Driver\iaStor -> 0xf7214002
IoDeviceObjectType -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0xf695ebb0
PacketIndicateHandler -> 0xf696ba21
SendHandler -> 0xf694987b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\odyEvent.dll

- - - - - - - > 'explorer.exe'(3540)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Juniper Networks\Odyssey Access Client\odClientService.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\windows\system32\nvsvc32.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\TEMP\XQA53D.EXE
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2009-11-22 10:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-22 18:49

Pre-Run: 147,931,267,072 bytes free
Post-Run: 147,994,546,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional 3gb Switch" /noexecute=optin /fastdetect /3gb

- - End Of File - - CCB95517B94ADA89529E086E9F1DBB70

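Reading a ComboFix log like the one above by hand is slow. The script below is an added example, not part of this thread or of ComboFix itself: it parses the service/driver lines ("R0 name;display;path [date size]", where a trailing "[?]" marks a file ComboFix could not find on disk) and the bare executable paths listed under 'Other Running Processes', and flags the entries a helper would look at first. The sample lines are copied from the log above; the temp-folder list and the line formats it assumes are the example's own.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code).

Two line shapes from the log are understood:
  service/driver lines:  S2 Name;Display Name;c:\\path\\file.exe [9/2/2009 6:43 AM 36923]
                         (a trailing "[?]" means the referenced file was not found)
  running-process lines: a bare path such as c:\\windows\\TEMP\\XQA53D.EXE
"""
import re
from dataclasses import dataclass

# R = running, S = stopped; the digit is the service start type (0 boot ... 4 disabled).
SERVICE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>\d)\s+'
    r'(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)\s+\[(?P<detail>[^\]]*)\]\s*$'
)
PROCESS_RE = re.compile(r'^[a-z]:\\.+\.exe$', re.IGNORECASE)

# Folders a legitimately installed service or long-lived process rarely runs from
# (assumed list for this example; extend it to taste).
TEMP_DIRS = ('\\temp\\', '\\tmp\\', '\\recycler\\')


@dataclass(frozen=True)
class Finding:
    kind: str   # 'missing-binary', 'temp-service' or 'temp-process'
    line: str   # the log line that triggered the finding


def parse_service_line(line):
    """Return a dict for a ComboFix service/driver line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # ComboFix prints "[?]" instead of a date/size when the file does not exist.
    d['missing'] = d['detail'].strip() == '?'
    # Quoted image paths are echoed as  "c:\...\x.exe" --> c:\...\x.exe ; keep the resolved side.
    if '-->' in d['path']:
        d['path'] = d['path'].split('-->', 1)[1]
    d['path'] = d['path'].strip().strip('"')
    return d


def runs_from_temp_dir(path):
    """True when any directory component of the path is a temp-style folder."""
    p = path.lower()
    return any(t in p for t in TEMP_DIRS)


def triage(log_text):
    """Walk a ComboFix log and return the entries a helper would examine first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = parse_service_line(line)
        if svc:
            if svc['missing']:
                findings.append(Finding('missing-binary', line))
            elif runs_from_temp_dir(svc['path']):
                findings.append(Finding('temp-service', line))
            continue
        if PROCESS_RE.match(line) and runs_from_temp_dir(line):
            findings.append(Finding('temp-process', line))
    return findings


# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [1/23/2006 1:19 PM 254208]
S2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\mobile automation\rstate.exe" --> c:\program files\mobile automation\rstate.exe [?]
S2 SttService;Stt Services;c:\windows\SttService.exe [9/2/2009 6:43 AM 36923]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 4:00 AM 14336]
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\windows\TEMP\XQA53D.EXE
c:\windows\system32\rundll32.exe
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind:15} {f.line}')
```

A hit is a reading prompt, not a verdict: the missing rstate.exe above is just a stale entry of an uninstalled agent, whereas an executable with a random name running from TEMP is worth looking up before anything is deleted.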
Re: Computer infected pretty badly with Malware

Hello.

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quote box below into it:

    File::
    c:\windows\Xluxeqicox.dat
    c:\windows\Hlusuqahiv.bin

    NetSvc::
    BtwSrv

  4. Save this as CFScript.txt, in the same location as ComboFix.exe.

    [picture: Cfscriptb4i, CFScript.txt being dragged onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: Computer infected pretty badly with Malware

ComboFix 09-11-22.02 - price 11/22/2009 13:03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3033 [GMT -8:00]
Running from: e:\debug malware\Software\ComboFix\Combo-Fix.exe
Command switches used :: e:\debug malware\Software\ComboFix\CFscript.txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {0DAA9119-FD08-45C7-A0D4-435C2125DC25}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {63AEB1F9-3232-41B0-85E9-57A26F039C34}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {E6508629-3691-4CDC-A98C-DBB1C46CE0E8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {EE66AC07-84E2-41D3-A1F6-CAA0156912A4}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {07F71C9E-8DE4-4226-B23A-C065A56821F8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {0BEAD907-62D3-45B6-91D7-1B7B378434FD}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {495CC023-7AA3-4062-9163-DAFC95BCCB95}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {6789DEB4-4214-4AE8-A310-E2DED4AE8079}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {9DFB6C67-B09B-451B-96C8-8F03241927EE}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {D5C7FEBD-12D0-4782-8AD7-6B290082768C}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {DE57F669-2848-4BDC-83C0-C5C7E3AF3D7B}
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {63AEB1F9-3232-41B0-85E9-57A26F039C34}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {71A20E43-2C24-456C-AF94-9682743CB5C4}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\windows\Hlusuqahiv.bin"
"c:\windows\Xluxeqicox.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Hlusuqahiv.bin
c:\windows\Xluxeqicox.dat

.
((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.

2009-11-22 17:53 . 2009-11-22 18:49 -------- d-----w- C:\Combo-Fix
2009-11-21 15:46 . 2009-11-21 15:46 10752 ----a-w- c:\windows\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 18:08 . 2009-10-23 05:05 6174 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-11-18 03:01 . 2009-09-02 14:43 -------- d-----w- c:\program files\stt
2009-10-26 20:43 . 2009-10-16 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 04:31 . 2009-06-19 00:19 70920 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\price\Application Data\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp Toolbar
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Winamp Toolbar
2009-10-16 04:21 . 2009-10-16 03:54 -------- d-----w- c:\program files\eqsydv
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\price\Application Data\Malwarebytes
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 03:56 . 2009-10-13 04:05 -------- d-----w- c:\program files\Cheat Engine
2009-10-14 02:41 . 2008-06-29 05:17 26945 ----a-w- c:\windows\system32\nvModes.dat
2009-09-10 21:54 . 2009-10-16 04:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-10-16 04:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 02:25 . 2009-09-09 02:25 1886320 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en_signed.exe
2008-06-12 12:53 . 2008-09-22 22:57 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2008-06-12 12:53 . 2008-09-22 22:57 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2008-06-12 12:53 . 2008-09-22 22:57 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2008-06-12 12:53 . 2008-09-22 22:57 949760 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
2008-06-12 12:53 . 2008-09-22 22:57 955904 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
2008-06-12 12:53 . 2008-09-22 22:57 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2007-07-09 21:30 . 2007-07-09 21:30 57344 ----a-w- c:\program files\internet explorer\plugins\PluginWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SIECACST"="c:\program files\Siemens\CardOS API\bin\siecacst.exe" [2007-08-02 81920]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-06-04 5069648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2007-03-16 1028160]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\Pccntmon.exe" [2009-07-27 718120]
"Malwarebytes Anti-Malware (reboot)"="e:\debug malware\Software\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2007-10-20 118784]
"PtiuPbmd"="ulutil2.dll" - c:\windows\system32\ulutil2.dll [2003-11-05 110592]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-04-29 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2009-06-04 5069648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2008-06-29 05:49 122949 ----a-w- c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 aacsas;Adaptec SAS/SATA-II RAID Miniport Driver;c:\windows\system32\drivers\aacsas.sys [9/15/2008 9:12 AM 81035]
R0 adp94xx;adp94xx;c:\windows\system32\drivers\adp94xx.sys [9/15/2008 9:12 AM 360960]
R0 AFAMgt;AFAMgt;c:\windows\system32\drivers\afamgt.sys [9/15/2008 9:12 AM 91707]
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [9/15/2008 9:12 AM 119808]
R0 amdbusdr;amdbusdr;c:\windows\system32\drivers\AmdBusDr.sys [9/15/2008 9:12 AM 29696]
R0 arcm_x86;arcm_x86;c:\windows\system32\drivers\arcm_x86.sys [9/15/2008 9:12 AM 25888]
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [9/15/2008 9:12 AM 6016]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [9/15/2008 9:12 AM 7680]
R0 FastSx;FastSx;c:\windows\system32\drivers\FastSx.sys [9/15/2008 9:12 AM 167424]
R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [9/15/2008 9:12 AM 65536]
R0 fttxr5_O;fttxr5_O;c:\windows\system32\drivers\fttxr5_O.sys [9/15/2008 9:12 AM 177152]
R0 fttxr52P;fttxr52P;c:\windows\system32\drivers\fttxr52P.sys [9/15/2008 9:12 AM 160256]
R0 HpCISSm2;HpCISSm2;c:\windows\system32\drivers\HpCISSm2.sys [9/15/2008 9:12 AM 23040]
R0 Hpt366;Hpt366;c:\windows\system32\drivers\Hpt366.sys [9/15/2008 9:12 AM 22880]
R0 hpt374;hpt374;c:\windows\system32\drivers\hpt374.sys [9/15/2008 9:12 AM 108150]
R0 hptiop;hptiop;c:\windows\system32\drivers\hptiop.sys [9/15/2008 9:12 AM 14496]
R0 hptmv;hptmv;c:\windows\system32\drivers\hptmv.sys [9/15/2008 9:12 AM 65024]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [9/15/2008 9:12 AM 26112]
R0 m5228;m5228;c:\windows\system32\drivers\m5228.sys [9/15/2008 9:12 AM 45069]
R0 m5281;m5281;c:\windows\system32\drivers\m5281.sys [9/15/2008 9:12 AM 51072]
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [9/15/2008 9:12 AM 103680]
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [9/15/2008 9:12 AM 210304]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [9/15/2008 9:12 AM 52480]
R0 MegaIDE;MegaIDE;c:\windows\system32\drivers\MegaIDE.sys [9/15/2008 9:12 AM 163277]
R0 MegaINTL;MegaINTL;c:\windows\system32\drivers\MegaINTL.sys [9/15/2008 9:12 AM 177536]
R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [9/15/2008 9:12 AM 34432]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [9/15/2008 9:12 AM 143360]
R0 mv64xx;mv64xx;c:\windows\system32\drivers\mv64xx.sys [9/15/2008 9:12 AM 212480]
R0 mvSata;mvSata;c:\windows\system32\drivers\mvsata.sys [9/15/2008 9:12 AM 43520]
R0 nfrd960;IBM ServeRAID 4M/4L/4Mx/4Lx/5i/6M/6i/7k Device Driver;c:\windows\system32\drivers\nfrd960.sys [9/15/2008 9:12 AM 74747]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [1/23/2006 1:19 PM 254208]
R0 Pnp649r;CMD IDE Raid Controller;c:\windows\system32\drivers\pnp649r.sys [9/15/2008 9:12 AM 66889]
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [9/15/2008 9:12 AM 71720]
R0 raidsrc;raidsrc;c:\windows\system32\drivers\raidsrc.sys [9/15/2008 9:12 AM 45392]
R0 S150sx8;S150sx8;c:\windows\system32\drivers\S150sx8.sys [9/15/2008 9:12 AM 36864]
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [9/15/2008 9:12 AM 110128]
R0 SI3114;SiI-3114 SATALink Controller;c:\windows\system32\drivers\SI3114.sys [9/15/2008 9:12 AM 61952]
R0 SI3124;SiI-3124 SATALink Controller;c:\windows\system32\drivers\SI3124.sys [9/15/2008 9:12 AM 81960]
R0 SI3124r;SiI-3124 SATARaid Controller;c:\windows\system32\drivers\SI3124r.sys [9/15/2008 9:12 AM 100881]
R0 Si3124r5;SiI-3124 SoftRaid 5 Controller;c:\windows\system32\drivers\3124r5A2.sys [9/15/2008 9:12 AM 207152]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [9/15/2008 9:12 AM 210736]
R0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\SiSRaid1.sys [9/15/2008 9:11 AM 46464]
R0 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [9/15/2008 9:11 AM 68864]
R0 sisraidx;sisraidx;c:\windows\system32\drivers\sisraidx.sys [9/15/2008 9:11 AM 47616]
R0 sptrak;sptrak;c:\windows\system32\drivers\sptrak.sys [9/15/2008 9:12 AM 41216]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [9/15/2008 9:12 AM 125952]
R0 viapdsk;VIA ATA/ATAPI Host Controller;c:\windows\system32\drivers\viapdsk.sys [9/15/2008 9:11 AM 29184]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [4/28/2006 5:57 AM 17968]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [12/11/2006 9:12 AM 87664]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 5:34 PM 36368]
R2 wsnm;VMware VDM Client Service;c:\program files\VMware\VMware VDM\Client\bin\wsnm.exe [5/8/2008 2:51 PM 131072]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [8/4/2009 7:15 AM 24521]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [11/14/2006 8:49 AM 398720]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [5/25/2009 5:34 AM 338960]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\WSUSBDMAN.sys [5/8/2008 2:45 PM 21504]
S0 2310_00;2310_00;c:\windows\system32\drivers\2310_00.sys [9/15/2008 9:12 AM 100224]
S0 hptmv6;hptmv6;c:\windows\system32\drivers\hptmv6.sys [9/15/2008 9:12 AM 93696]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [9/15/2008 9:12 AM 9809]
S0 lsi_sas2;lsi_sas2;c:\windows\system32\drivers\lsi_sas2.sys [9/15/2008 9:12 AM 93184]
S0 rr172x;rr172x;c:\windows\system32\drivers\rr172x.sys [9/15/2008 9:12 AM 83200]
S0 rr174x;rr174x;c:\windows\system32\drivers\rr174x.sys [9/15/2008 9:12 AM 107296]
S0 rr232x;rr232x;c:\windows\system32\drivers\rr232x.sys [9/15/2008 9:12 AM 101888]
S0 rr2340;rr2340;c:\windows\system32\drivers\rr2340.sys [9/15/2008 9:12 AM 102400]
S2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\mobile automation\rstate.exe" --> c:\program files\mobile automation\rstate.exe [?]
S2 SttService;Stt Services;c:\windows\SttService.exe [9/2/2009 6:43 AM 36923]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 5:34 PM 225808]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [3/16/2007 4:33 PM 81992]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [8/4/2009 7:15 AM 835584]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 4:00 AM 14336]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [8/4/2009 7:15 AM 155216]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [5/25/2009 5:34 AM 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [5/25/2009 5:30 AM 652552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-18 c:\windows\Tasks\stt_inv_report_24.job
- c:\program files\stt\stt_report_controller.bat [2009-09-02 16:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 13:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x80800000]<< >>UNKNOWN [0xF7857000]<< >>UNKNOWN [0xF7657000]<< >>UNKNOWN [0xF7647000]<< >>UNKNOWN [0xF72A1000]<< >>UNKNOWN [0x80A0D000]<< >>UNKNOWN [0xF7A4F000]<< >>UNKNOWN [0xF7707000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xf765bf28
\Driver\ACPI -> 0xf735ecb8
\Driver\atapi -> 0xf72a7852
\Driver\iaStor -> 0xf7214002
IoDeviceObjectType -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0xf695ebb0
PacketIndicateHandler -> 0xf696ba21
SendHandler -> 0xf694987b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\odyEvent.dll
.
Completion time: 2009-11-22 13:08
ComboFix-quarantined-files.txt 2009-11-22 21:08
ComboFix2.txt 2009-11-22 18:49

Pre-Run: 147,872,690,176 bytes free
Post-Run: 147,946,233,856 bytes free

- - End Of File - - 035A2CFDE98E02BC23692C8A1420441D

Re: Computer infected pretty badly with Malware

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

[picture: CF_Cleanup]

This will also reset your restore points.

How is the machine running now?

Re: Computer infected pretty badly with Malware

The machine is running well. I will follow up on this post after some more interaction; meanwhile, here is the output of the ComboFix log after I ran it as you outlined:

ComboFix 09-11-22.04 - price 11/22/2009 17:01.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2911 [GMT -8:00]
Running from: e:\debug malware\Software\ComboFix\Combo-Fix.exe
Command switches used :: /u
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {0DAA9119-FD08-45C7-A0D4-435C2125DC25}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {63AEB1F9-3232-41B0-85E9-57A26F039C34}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {E6508629-3691-4CDC-A98C-DBB1C46CE0E8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {EE66AC07-84E2-41D3-A1F6-CAA0156912A4}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {07F71C9E-8DE4-4226-B23A-C065A56821F8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {0BEAD907-62D3-45B6-91D7-1B7B378434FD}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {495CC023-7AA3-4062-9163-DAFC95BCCB95}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {6789DEB4-4214-4AE8-A310-E2DED4AE8079}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {9DFB6C67-B09B-451B-96C8-8F03241927EE}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {D5C7FEBD-12D0-4782-8AD7-6B290082768C}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {DE57F669-2848-4BDC-83C0-C5C7E3AF3D7B}
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {63AEB1F9-3232-41B0-85E9-57A26F039C34}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {71A20E43-2C24-456C-AF94-9682743CB5C4}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-22 21:03 . 2009-11-22 21:08 -------- d-----w- C:\Combo-Fix11594C
2009-11-22 17:53 . 2009-11-22 18:49 -------- d-----w- C:\Combo-Fix
2009-11-21 15:46 . 2009-11-21 15:46 10752 ----a-w- c:\windows\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 18:08 . 2009-10-23 05:05 6174 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-11-18 03:01 . 2009-09-02 14:43 -------- d-----w- c:\program files\stt
2009-10-26 20:43 . 2009-10-16 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 04:31 . 2009-06-19 00:19 70920 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\price\Application Data\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp Toolbar
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Winamp Toolbar
2009-10-16 04:21 . 2009-10-16 03:54 -------- d-----w- c:\program files\eqsydv
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\price\Application Data\Malwarebytes
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 03:56 . 2009-10-13 04:05 -------- d-----w- c:\program files\Cheat Engine
2009-10-14 02:41 . 2008-06-29 05:17 26945 ----a-w- c:\windows\system32\nvModes.dat
2009-09-10 21:54 . 2009-10-16 04:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-10-16 04:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 02:25 . 2009-09-09 02:25 1886320 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en_signed.exe
2008-06-12 12:53 . 2008-09-22 22:57 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2008-06-12 12:53 . 2008-09-22 22:57 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2008-06-12 12:53 . 2008-09-22 22:57 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2008-06-12 12:53 . 2008-09-22 22:57 949760 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
2008-06-12 12:53 . 2008-09-22 22:57 955904 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
2008-06-12 12:53 . 2008-09-22 22:57 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2007-07-09 21:30 . 2007-07-09 21:30 57344 ----a-w- c:\program files\internet explorer\plugins\PluginWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SIECACST"="c:\program files\Siemens\CardOS API\bin\siecacst.exe" [2007-08-02 81920]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-06-04 5069648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2007-03-16 1028160]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\Pccntmon.exe" [2009-07-27 718120]
"Malwarebytes Anti-Malware (reboot)"="e:\debug malware\Software\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2007-10-20 118784]
"PtiuPbmd"="ulutil2.dll" - c:\windows\system32\ulutil2.dll [2003-11-05 110592]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-04-29 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2009-06-04 5069648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2008-06-29 05:49 122949 ----a-w- c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 aacsas;Adaptec SAS/SATA-II RAID Miniport Driver;c:\windows\system32\drivers\aacsas.sys [9/15/2008 9:12 AM 81035]
R0 adp94xx;adp94xx;c:\windows\system32\drivers\adp94xx.sys [9/15/2008 9:12 AM 360960]
R0 AFAMgt;AFAMgt;c:\windows\system32\drivers\afamgt.sys [9/15/2008 9:12 AM 91707]
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [9/15/2008 9:12 AM 119808]
R0 amdbusdr;amdbusdr;c:\windows\system32\drivers\AmdBusDr.sys [9/15/2008 9:12 AM 29696]
R0 arcm_x86;arcm_x86;c:\windows\system32\drivers\arcm_x86.sys [9/15/2008 9:12 AM 25888]
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [9/15/2008 9:12 AM 6016]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [9/15/2008 9:12 AM 7680]
R0 FastSx;FastSx;c:\windows\system32\drivers\FastSx.sys [9/15/2008 9:12 AM 167424]
R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [9/15/2008 9:12 AM 65536]
R0 fttxr5_O;fttxr5_O;c:\windows\system32\drivers\fttxr5_O.sys [9/15/2008 9:12 AM 177152]
R0 fttxr52P;fttxr52P;c:\windows\system32\drivers\fttxr52P.sys [9/15/2008 9:12 AM 160256]
R0 HpCISSm2;HpCISSm2;c:\windows\system32\drivers\HpCISSm2.sys [9/15/2008 9:12 AM 23040]
R0 Hpt366;Hpt366;c:\windows\system32\drivers\Hpt366.sys [9/15/2008 9:12 AM 22880]
R0 hpt374;hpt374;c:\windows\system32\drivers\hpt374.sys [9/15/2008 9:12 AM 108150]
R0 hptiop;hptiop;c:\windows\system32\drivers\hptiop.sys [9/15/2008 9:12 AM 14496]
R0 hptmv;hptmv;c:\windows\system32\drivers\hptmv.sys [9/15/2008 9:12 AM 65024]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [9/15/2008 9:12 AM 26112]
R0 m5228;m5228;c:\windows\system32\drivers\m5228.sys [9/15/2008 9:12 AM 45069]
R0 m5281;m5281;c:\windows\system32\drivers\m5281.sys [9/15/2008 9:12 AM 51072]
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [9/15/2008 9:12 AM 103680]
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [9/15/2008 9:12 AM 210304]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [9/15/2008 9:12 AM 52480]
R0 MegaIDE;MegaIDE;c:\windows\system32\drivers\MegaIDE.sys [9/15/2008 9:12 AM 163277]
R0 MegaINTL;MegaINTL;c:\windows\system32\drivers\MegaINTL.sys [9/15/2008 9:12 AM 177536]
R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [9/15/2008 9:12 AM 34432]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [9/15/2008 9:12 AM 143360]
R0 mv64xx;mv64xx;c:\windows\system32\drivers\mv64xx.sys [9/15/2008 9:12 AM 212480]
R0 mvSata;mvSata;c:\windows\system32\drivers\mvsata.sys [9/15/2008 9:12 AM 43520]
R0 nfrd960;IBM ServeRAID 4M/4L/4Mx/4Lx/5i/6M/6i/7k Device Driver;c:\windows\system32\drivers\nfrd960.sys [9/15/2008 9:12 AM 74747]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [1/23/2006 1:19 PM 254208]
R0 Pnp649r;CMD IDE Raid Controller;c:\windows\system32\drivers\pnp649r.sys [9/15/2008 9:12 AM 66889]
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [9/15/2008 9:12 AM 71720]
R0 raidsrc;raidsrc;c:\windows\system32\drivers\raidsrc.sys [9/15/2008 9:12 AM 45392]
R0 S150sx8;S150sx8;c:\windows\system32\drivers\S150sx8.sys [9/15/2008 9:12 AM 36864]
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [9/15/2008 9:12 AM 110128]
R0 SI3114;SiI-3114 SATALink Controller;c:\windows\system32\drivers\SI3114.sys [9/15/2008 9:12 AM 61952]
R0 SI3124;SiI-3124 SATALink Controller;c:\windows\system32\drivers\SI3124.sys [9/15/2008 9:12 AM 81960]
R0 SI3124r;SiI-3124 SATARaid Controller;c:\windows\system32\drivers\SI3124r.sys [9/15/2008 9:12 AM 100881]
R0 Si3124r5;SiI-3124 SoftRaid 5 Controller;c:\windows\system32\drivers\3124r5A2.sys [9/15/2008 9:12 AM 207152]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [9/15/2008 9:12 AM 210736]
R0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\SiSRaid1.sys [9/15/2008 9:11 AM 46464]
R0 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [9/15/2008 9:11 AM 68864]
R0 sisraidx;sisraidx;c:\windows\system32\drivers\sisraidx.sys [9/15/2008 9:11 AM 47616]
R0 sptrak;sptrak;c:\windows\system32\drivers\sptrak.sys [9/15/2008 9:12 AM 41216]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [9/15/2008 9:12 AM 125952]
R0 viapdsk;VIA ATA/ATAPI Host Controller;c:\windows\system32\drivers\viapdsk.sys [9/15/2008 9:11 AM 29184]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [4/28/2006 5:57 AM 17968]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [12/11/2006 9:12 AM 87664]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 5:34 PM 36368]
R2 wsnm;VMware VDM Client Service;c:\program files\VMware\VMware VDM\Client\bin\wsnm.exe [5/8/2008 2:51 PM 131072]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [8/4/2009 7:15 AM 24521]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [11/14/2006 8:49 AM 398720]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [5/25/2009 5:34 AM 338960]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\WSUSBDMAN.sys [5/8/2008 2:45 PM 21504]
S0 2310_00;2310_00;c:\windows\system32\drivers\2310_00.sys [9/15/2008 9:12 AM 100224]
S0 hptmv6;hptmv6;c:\windows\system32\drivers\hptmv6.sys [9/15/2008 9:12 AM 93696]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [9/15/2008 9:12 AM 9809]
S0 lsi_sas2;lsi_sas2;c:\windows\system32\drivers\lsi_sas2.sys [9/15/2008 9:12 AM 93184]
S0 rr172x;rr172x;c:\windows\system32\drivers\rr172x.sys [9/15/2008 9:12 AM 83200]
S0 rr174x;rr174x;c:\windows\system32\drivers\rr174x.sys [9/15/2008 9:12 AM 107296]
S0 rr232x;rr232x;c:\windows\system32\drivers\rr232x.sys [9/15/2008 9:12 AM 101888]
S0 rr2340;rr2340;c:\windows\system32\drivers\rr2340.sys [9/15/2008 9:12 AM 102400]
S2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\mobile automation\rstate.exe" --> c:\program files\mobile automation\rstate.exe [?]
S2 SttService;Stt Services;c:\windows\SttService.exe [9/2/2009 6:43 AM 36923]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 5:34 PM 225808]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [3/16/2007 4:33 PM 81992]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [8/4/2009 7:15 AM 835584]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 4:00 AM 14336]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [8/4/2009 7:15 AM 155216]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [5/25/2009 5:34 AM 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [5/25/2009 5:30 AM 652552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-18 c:\windows\Tasks\stt_inv_report_24.job
- c:\program files\stt\stt_report_controller.bat [2009-09-02 16:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 17:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x80800000]<< >>UNKNOWN [0xF7857000]<< >>UNKNOWN [0xF7657000]<< >>UNKNOWN [0xF7647000]<< >>UNKNOWN [0xF72A1000]<< >>UNKNOWN [0x80A0D000]<< >>UNKNOWN [0xF7A4F000]<< >>UNKNOWN [0xF7707000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xf765bf28
\Driver\ACPI -> 0xf735ecb8
\Driver\atapi -> 0xf72a7852
\Driver\iaStor -> 0xf7214002
IoDeviceObjectType -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0xf695ebb0
PacketIndicateHandler -> 0xf696ba21
SendHandler -> 0xf694987b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\odyEvent.dll

- - - - - - - > 'explorer.exe'(1680)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-22 17:06
ComboFix-quarantined-files.txt 2009-11-23 01:06
ComboFix2.txt 2009-11-22 21:08
ComboFix3.txt 2009-11-22 18:49

Pre-Run: 147,959,373,824 bytes free
Post-Run: 147,942,064,128 bytes free

- - End Of File - - 044EA539826F2FAFE64E6EFE844D1DBA

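A small triage helper, added here and not part of the thread or of ComboFix, that reads a REGEDIT4-style excerpt such as the "Reg Loading Points" section in the log above and flags the Security Center, firewall and open-port settings a reviewer checks first. The sample input is copied from that log; the hits are review prompts rather than verdicts, since a third-party suite legitimately takes over Security Center monitoring.

```python
import re

# Constructed excerpt modelled on the "Reg Loading Points" section of the
# ComboFix log posted above; the paths and values are copied from it.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_dump(text):
    """Return {key_path: {value_name: raw_value}} for a REGEDIT4-style dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def to_int(raw):
    """Decode ComboFix's two numeric renderings: 'dword:00000001' or '0 (0x0)'."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    return int(m.group(1)) if m else None


def find_weak_settings(text):
    """Flag settings worth a second look; each hit is (key, value_name, reason)."""
    hits = []
    for key, values in parse_reg_dump(text).items():
        k = key.lower()
        if r"security center\monitoring" in k and to_int(values.get("DisableMonitoring", "")) == 1:
            hits.append((key, "DisableMonitoring", "Security Center alerts for this product are suppressed"))
        if k.endswith(r"firewallpolicy\standardprofile") and to_int(values.get("EnableFirewall", "")) == 0:
            hits.append((key, "EnableFirewall", "Windows Firewall is off for the standard profile"))
        if k.endswith(r"globallyopenports\list"):
            for name in values:  # every entry here is reachable from any remote host
                hits.append((key, name, "port is globally open"))
    return hits


if __name__ == "__main__":
    for key, name, reason in find_weak_settings(SAMPLE_LOG):
        print(f"{reason}: {name} under {key}")
```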
Re: Computer infected pretty badly with Malware

How is the machine now?
