WiredWX Hobby Weather Tools

isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

2 posters

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here
Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Ask Toolbar
    Viewpoint Media Player
    Viewpoint Manager

Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here
I didn't see View Point Manager, but removed Ask Toolbar and View Point Media Player. (computer seems much faster)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-17 09:40:32
Windows 5.1.2600 Service Pack 3
Running: hp924d7t.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgtyqpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xB1C1C0A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xB1C1C110]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- EOF - GMER 1.0.15 ----

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here
I will be back later today. Smile...

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here
Hello.


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    FileLook::
    c:\windows\system32\drivers\isapnp.sys

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    (image: Cfscriptb4i, dragging CFScript.txt onto ComboFix.exe)

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here
ComboFix 10-04-15.05 - Owner 04/17/2010 19:57:07.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.661 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-15 00:13 . 2010-04-15 00:13 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-15 00:07 . 2010-04-15 00:07 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-04-15 00:05 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-15 00:05 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-15 00:05 . 2010-04-15 00:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-14 21:41 . 2010-04-14 21:41 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-14 19:36 . 2010-04-14 19:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-14 18:44 . 2010-04-14 18:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-14 18:44 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 18:44 . 2010-04-14 20:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 18:44 . 2010-04-14 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-14 18:44 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 18:39 . 2010-04-13 18:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-04-12 23:57 . 2010-04-12 23:57 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-04-12 20:38 . 2010-04-12 20:38 -------- d-----w- c:\program files\FileZilla FTP Client
2010-04-12 18:48 . 2010-04-12 18:48 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-12 05:43 . 2010-04-12 05:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-12 01:27 . 2010-04-12 01:27 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-12 01:16 . 2010-04-13 16:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-12 01:16 . 2010-04-12 01:16 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-12 01:16 . 2010-04-12 01:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-30 21:27 . 2010-03-30 21:27 -------- d-----w- c:\documents and settings\Owner\Application Data\pdf995
2010-03-30 21:22 . 2010-04-12 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-03-30 21:22 . 2007-08-24 18:13 142 ----a-w- c:\windows\wpd99.drv
2010-03-30 21:22 . 2010-03-30 21:22 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-03-30 21:22 . 2010-03-30 21:22 249856 ----a-w- c:\windows\system32\pdfmona.dll
2010-03-26 17:49 . 2010-03-26 17:49 -------- d-----w- C:\shop3
2010-03-22 19:27 . 2010-03-22 19:27 3743944 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockCA.exe
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\program files\3ivx
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\program files\Flip Video
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 16:35 . 2009-04-20 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-17 16:29 . 2009-05-05 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-17 16:12 . 2009-07-12 02:50 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-04-16 23:53 . 2009-05-05 23:20 7132192 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-16 23:53 . 2009-05-05 23:20 56800 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-16 23:53 . 2009-05-05 23:20 5420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-16 23:53 . 2009-05-05 23:20 1269792 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-16 20:49 . 2009-06-13 23:49 -------- d-----w- c:\program files\iWin Games
2010-04-16 04:56 . 2009-08-28 23:53 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-04-16 04:55 . 2009-08-28 23:55 110592 ----a-w- c:\documents and settings\Owner\Application Data\U3\temp\cleanup.exe
2010-04-16 04:55 . 2009-08-28 23:53 3096576 ---ha-w- c:\documents and settings\Owner\Application Data\U3\temp\Launchpad Removal.exe
2010-04-15 23:57 . 2008-10-10 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-15 00:15 . 2008-10-10 19:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-14 23:01 . 2010-01-04 23:23 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
2010-04-14 21:46 . 2010-04-14 21:46 37248 ----a-w- c:\windows\system32\drivers\OLD76.tmp
2010-04-14 21:45 . 2010-04-14 21:44 37248 ----a-w- c:\windows\system32\drivers\OLD73.tmp
2010-04-14 21:44 . 2010-04-14 21:44 37248 ----a-w- c:\windows\system32\drivers\OLD70.tmp
2010-04-14 21:42 . 2010-04-14 21:42 37248 ----a-w- c:\windows\system32\drivers\OLD6C.tmp
2010-04-14 21:40 . 2010-04-14 21:40 37248 ----a-w- c:\windows\system32\drivers\OLD65.tmp
2010-04-14 21:39 . 2010-04-14 21:39 37248 ----a-w- c:\windows\system32\drivers\OLD61.tmp
2010-04-14 21:36 . 2010-04-14 21:36 37248 ----a-w- c:\windows\system32\drivers\OLD5A.tmp
2010-04-14 21:34 . 2010-04-14 21:34 37248 ----a-w- c:\windows\system32\drivers\OLD56.tmp
2010-04-14 21:33 . 2010-04-14 21:33 37248 ----a-w- c:\windows\system32\drivers\OLD52.tmp
2010-04-14 21:30 . 2010-04-14 21:30 37248 ----a-w- c:\windows\system32\drivers\OLD4B.tmp
2010-04-14 21:27 . 2010-04-14 21:27 37248 ----a-w- c:\windows\system32\drivers\OLD47.tmp
2010-04-14 21:23 . 2010-04-14 21:23 37248 ----a-w- c:\windows\system32\drivers\OLD40.tmp
2010-04-14 21:22 . 2010-04-14 21:22 37248 ----a-w- c:\windows\system32\drivers\OLD3B.tmp
2010-04-14 21:20 . 2010-04-14 21:20 37248 ----a-w- c:\windows\system32\drivers\OLD33.tmp
2010-04-14 21:18 . 2010-04-14 21:18 37248 ----a-w- c:\windows\system32\drivers\OLD2E.tmp
2010-04-14 21:16 . 2010-04-14 21:16 37248 ----a-w- c:\windows\system32\drivers\OLD22.tmp
2010-04-14 21:14 . 2010-04-14 21:14 37248 ----a-w- c:\windows\system32\drivers\OLD1B.tmp
2010-04-14 18:44 . 2010-04-14 21:41 37248 ----a-w- c:\windows\system32\drivers\OLD69.tmp
2010-04-14 18:44 . 2010-04-14 21:17 37248 ----a-w- c:\windows\system32\drivers\OLD27.tmp
2010-04-12 23:59 . 2009-05-05 18:57 -------- d-----w- c:\program files\Java
2010-04-12 23:56 . 2009-12-01 11:31 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-12 18:48 . 2010-04-12 18:48 96512 ----a-w- c:\windows\system32\drivers\tskC.tmp
2010-04-12 00:52 . 2010-03-18 21:13 -------- d-----w- c:\program files\DeductionPro 2009
2010-04-12 00:33 . 2009-02-22 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\TaxCut
2010-04-10 19:26 . 2009-03-02 07:44 -------- d-----w- c:\program files\Safari
2010-04-10 19:24 . 2008-10-21 05:50 -------- d-----w- c:\program files\Common Files\Apple
2010-04-09 06:47 . 2008-10-09 20:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 18:18 . 2009-12-02 01:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Any Audio Converter
2010-04-01 20:31 . 2009-05-31 17:30 116300 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-30 21:22 . 2009-02-22 22:15 -------- d-----w- c:\program files\PDF995
2010-03-19 17:24 . 2009-06-08 16:16 -------- d-----w- c:\program files\iWin.com
2010-03-18 21:15 . 2010-03-18 21:14 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-18 21:13 . 2008-10-08 03:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-18 21:12 . 2010-03-18 21:11 -------- d-----w- c:\program files\HRBlock2009
2010-03-18 21:06 . 2009-02-22 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-03-13 02:14 . 2010-03-13 02:14 20 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\bases\apu\ForDiff\apu0001.dat.exe
2010-03-12 18:50 . 2010-03-12 18:50 114330 ----a-w- c:\documents and settings\All Users\SPLD.tmp
2010-03-12 18:37 . 2010-03-12 18:37 115562 ----a-w- c:\documents and settings\All Users\SPL3ED3.tmp
2010-03-10 06:15 . 2003-07-16 20:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 19:26 . 2009-09-27 01:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Any DVD Converter Professional
2010-03-04 11:00 . 2010-03-04 11:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-02-28 00:26 . 2010-02-28 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2010-02-28 00:15 . 2008-10-08 04:35 147584 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-28 00:15 . 2010-02-28 00:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Sibelius Software
2010-02-28 00:15 . 2010-02-28 00:14 -------- d-----w- c:\program files\Musicnotes
2010-02-28 00:07 . 2008-10-09 20:00 -------- d-----w- c:\program files\Games
2010-02-27 23:49 . 2008-10-09 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2010-02-25 06:24 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 18:13 . 2008-10-13 19:24 -------- d-----w- c:\program files\WS_FTP
2010-02-24 13:11 . 2003-07-16 20:34 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-21 03:10 . 2010-02-21 03:10 13664 ----a-w- c:\documents and settings\All Users\SPL6B4.tmp
2010-02-17 16:10 . 2003-07-16 20:39 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2003-07-16 20:23 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2003-07-16 20:47 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-12-02 01:57 . 2009-12-02 01:57 15203738 ----a-w- c:\program files\any-audio-converter.exe
2009-12-02 01:49 . 2009-12-02 01:49 15386889 ----a-w- c:\program files\avc-free.exe
2009-06-05 17:40 . 2009-06-05 17:40 38709280 ----a-w- c:\program files\kav8.0.0.506en.exe
2009-05-22 20:15 . 2009-05-22 20:15 434832 ----a-w- c:\program files\switchsetup.exe
2009-05-14 18:15 . 2009-05-14 18:15 140800 ----a-w- c:\program files\ODMediaConsoleSetup.exe
2009-03-02 07:43 . 2009-03-02 07:43 26699048 ----a-w- c:\program files\SafariSetup.exe
2009-02-03 11:59 . 2009-02-03 11:59 1226 ----a-w- c:\program files\setup.reg
2008-11-14 09:52 . 2008-11-14 09:52 41937 ----a-w- c:\program files\release_notes_kav8.0cf2_en.html
2008-11-13 17:23 . 2008-11-13 17:23 40375808 ----a-w- c:\program files\kav.en.msi
2008-11-04 18:53 . 2008-11-04 18:53 5166072 ----a-w- c:\program files\msgrplus.exe
2008-10-28 17:25 . 2008-10-28 17:25 283843 ----a-w- c:\program files\youmurdererbb_tt.zip
2008-10-21 05:49 . 2008-10-21 05:49 67167528 ----a-w- c:\program files\iTunes801Setup.exe
2008-10-17 20:37 . 2008-10-15 20:40 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-10-09 20:01 . 2008-10-09 20:01 0 ----a-w- c:\program files\temp01
2008-10-09 00:27 . 2008-10-09 00:27 50689960 ----a-w- c:\program files\avg_free_stf_en_8_173a1373.exe
2008-10-09 00:22 . 2008-10-09 00:22 19153264 ----a-w- c:\program files\aaw2008.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\drivers\isapnp.sys ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 37248
Created time: 2010-04-14 21:41
Modified time: 2010-04-14 21:41
MD5: A1CB15AB32964320AD96FAB749D30BD4
SHA1: D8E29A451EA55547EB05B92941270F8507EEAEAD


((((((((((((((((((((((((((((( SnapShot@2010-04-16_20.53.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-17 16:13 . 2010-04-17 16:13 16384 c:\windows\Temp\Perflib_Perfdata_24c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-10-02 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-02 118784]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"IPInSightLAN 01"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 380928]
"IPInSightMonitor 01"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"Lexmark 7600 Series Fax Server"="c:\program files\Lexmark 7600 Series\fm3032.exe" [2008-09-10 311976]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-14 113664]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\pmremind.exe [2009-2-17 331776]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [1/21/2010 12:12 PM 78104]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [8/7/2009 1:01 PM 98984]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S3 klmd21;klmd21;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KGTYQPOB
*Deregistered* - IPVNMon
*Deregistered* - kgtyqpob
.
Contents of the 'Scheduled Tasks' folder

2010-04-17 c:\windows\Tasks\User_Feed_Synchronization-{54802705-6404-494B-8E69-3EC5B0EF9994}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-17 20:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-115176313-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(660)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-17 20:09:44
ComboFix-quarantined-files.txt 2010-04-18 03:09
ComboFix2.txt 2010-04-16 21:10

Pre-Run: 279,855,607,808 bytes free
Post-Run: 279,810,387,968 bytes free

- - End Of File - - C3DF4C43869B78239D06D54DF55EBA36

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here
Submit a file for analysis.

  1. Please visit this website: Jotti's Malware Scanner
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\system32\drivers\isapnp.sys
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here
I'm sorry I wasn't sure what to copy, but here goes:

2010-04-18 Found nothing 2010-04-16 Found nothing
2010-04-18 Found nothing 2010-04-18 Win32:Alureon-FZ
2010-04-18 Win32:Alureon-FZ 2010-04-18 Found nothing
2010-04-18 Found nothing 2010-04-18 Found nothing
2010-04-16 Found nothing 2010-04-18 Found nothing
2010-04-18 Found nothing 2010-04-18 Found nothing
2010-04-18 Found nothing 2010-04-16 Found nothing
2010-04-18 Found nothing 2010-04-18 Found nothing
2010-04-18 Found nothing 2010-04-16 Found nothing
2010-04-17 Found nothing 2010-04-18 Found nothing

Filename: isapnp.sys
Status: Scan finished. 2 out of 20 scanners reported malware.

Additional Info:
File size: 37248 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: a1cb15ab32964320ad96fab749d30bd4
SHA1: d8e29a451ea55547eb05b92941270f8507eeaead
Packer (Kaspersky): PE_Patch

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:
    :filefind
    isapnp.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:02 on 18/04/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "isapnp.sys"
C:\WINDOWS\ServicePackFiles\i386\isapnp.sys ------ 37248 bytes [04:21 08/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\dllcache\isapnp.sys --a--c 37248 bytes [03:12 08/10/2008] [21:48 14/04/2010] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\drivers\isapnp.sys --a--- 37248 bytes [21:41 14/04/2010] [21:41 14/04/2010] A1CB15AB32964320AD96FAB749D30BD4
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\isapnp.sys --a--- 35840 bytes [03:12 08/10/2008] [20:30 16/07/2003] E504F706CCB699C2596E9A3DA1596E87

-=End Of File=-
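
The SystemLook listing above is the key evidence in this thread: the copy Windows actually loads (system32\drivers) carries an MD5 that matches none of the other copies on disk, while ServicePackFiles and dllcache agree with each other. The script below is an added example, not part of the thread and not code from SystemLook, ComboFix or GMER: it parses SystemLook "filefind" lines, groups the copies by MD5, flags a live driver whose hash is shared by no reference copy, and lists the copies that agree with the majority hash as candidate restore sources. The embedded sample is the four filefind lines from the log posted above, so it runs offline; the path marker and the majority-hash rule are this example's own assumptions, and which copy to restore from remains the helper's decision.

```python
"""Flag a driver copy whose hash differs from the other copies on the system.

Added example (not from the thread or any tool used in it). Parses SystemLook
"filefind" output, groups copies of one driver by MD5, and reports whether the
in-use copy matches the reference copies.
"""
import re
from collections import defaultdict

# Sample input: the four filefind lines from the SystemLook log posted above,
# embedded here so the example runs without the tool.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "isapnp.sys"
C:\WINDOWS\ServicePackFiles\i386\isapnp.sys ------ 37248 bytes [04:21 08/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\dllcache\isapnp.sys --a--c 37248 bytes [03:12 08/10/2008] [21:48 14/04/2010] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\drivers\isapnp.sys --a--- 37248 bytes [21:41 14/04/2010] [21:41 14/04/2010] A1CB15AB32964320AD96FAB749D30BD4
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\isapnp.sys --a--- 35840 bytes [03:12 08/10/2008] [20:30 16/07/2003] E504F706CCB699C2596E9A3DA1596E87

-=End Of File=-
"""

# One filefind line: path, 6-char attribute field, size, created, modified, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(log_text):
    """Return one dict per file line found in a SystemLook filefind log."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def assess_driver(entries, live_marker="\\system32\\drivers\\"):
    """Compare the copy Windows loads (path containing live_marker, an
    assumption of this example) against every other copy found.

    The reference hash is the MD5 shared by the most non-live copies. Returns
    the live hash, the reference hash, a verdict, and the paths of copies that
    carry the reference hash (candidate restore sources)."""
    live, refs = [], []
    for e in entries:
        (live if live_marker.lower() in e["path"].lower() else refs).append(e)
    if not live or not refs:
        return {"verdict": "insufficient data", "live_md5": None,
                "reference_md5": None, "restore_sources": []}

    by_md5 = defaultdict(list)
    for e in refs:
        by_md5[e["md5"]].append(e["path"])
    reference_md5 = max(by_md5, key=lambda h: len(by_md5[h]))
    live_md5 = live[0]["md5"]

    if live_md5 == reference_md5:
        verdict = "live copy matches reference copies"
    elif live_md5 in by_md5:
        verdict = "live copy matches a minority of reference copies; review"
    else:
        verdict = "live copy matches NO other copy on the system; likely patched"
    return {"verdict": verdict, "live_md5": live_md5,
            "reference_md5": reference_md5,
            "restore_sources": by_md5[reference_md5]}


if __name__ == "__main__":
    report = assess_driver(parse_filefind(SAMPLE_LOG))
    print("Verdict:       ", report["verdict"])
    print("Live MD5:      ", report["live_md5"])
    print("Reference MD5: ", report["reference_md5"])
    for p in report["restore_sources"]:
        print("Reference copy:", p)
```

On the log above this reports the drivers copy as matching no other copy, with the ServicePackFiles and dllcache copies as the two reference copies. A hash that differs from every backup copy is not proof of infection by itself (a legitimate hotfix could do the same), which is why the thread follows up with a multi-engine scan of the file before replacing it.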

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here
Hello.


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    FCopy::
    C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\isapnp.sys | C:\WINDOWS\system32\drivers\isapnp.sys

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    (image: Cfscriptb4i, dragging CFScript.txt onto ComboFix.exe)

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here
ComboFix 10-04-15.05 - Owner 04/18/2010 11:21:30.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.684 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\isapnp.sys --> c:\windows\system32\drivers\isapnp.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-15 00:13 . 2010-04-15 00:13 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-15 00:07 . 2010-04-15 00:07 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-04-15 00:05 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-15 00:05 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-15 00:05 . 2010-04-15 00:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-14 21:41 . 2010-04-14 21:48 37248 -c--a-w- c:\windows\system32\dllcache\isapnp.sys
2010-04-14 21:41 . 2010-04-14 21:48 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-14 19:36 . 2010-04-14 19:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-14 18:44 . 2010-04-14 18:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-14 18:44 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 18:44 . 2010-04-14 20:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 18:44 . 2010-04-14 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-14 18:44 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 18:39 . 2010-04-13 18:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-04-12 23:57 . 2010-04-12 23:57 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-04-12 20:38 . 2010-04-12 20:38 -------- d-----w- c:\program files\FileZilla FTP Client
2010-04-12 18:48 . 2010-04-12 18:48 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-12 05:43 . 2010-04-12 05:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-12 01:27 . 2010-04-12 01:27 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-12 01:16 . 2010-04-13 16:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-12 01:16 . 2010-04-12 01:16 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-12 01:16 . 2010-04-12 01:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-30 21:27 . 2010-03-30 21:27 -------- d-----w- c:\documents and settings\Owner\Application Data\pdf995
2010-03-30 21:22 . 2010-04-12 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-03-30 21:22 . 2007-08-24 18:13 142 ----a-w- c:\windows\wpd99.drv
2010-03-30 21:22 . 2010-03-30 21:22 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-03-30 21:22 . 2010-03-30 21:22 249856 ----a-w- c:\windows\system32\pdfmona.dll
2010-03-26 17:49 . 2010-03-26 17:49 -------- d-----w- C:\shop3
2010-03-22 19:27 . 2010-03-22 19:27 3743944 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockCA.exe
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\program files\3ivx
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\program files\Flip Video
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 12:13 . 2009-05-05 23:20 7271968 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-18 12:13 . 2009-05-05 23:20 57892 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-17 16:35 . 2009-04-20 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-17 16:29 . 2009-05-05 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-17 16:12 . 2009-07-12 02:50 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-04-16 23:53 . 2009-05-05 23:20 5420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-16 23:53 . 2009-05-05 23:20 1269792 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-16 20:49 . 2009-06-13 23:49 -------- d-----w- c:\program files\iWin Games
2010-04-16 04:56 . 2009-08-28 23:53 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-04-16 04:55 . 2009-08-28 23:55 110592 ----a-w- c:\documents and settings\Owner\Application Data\U3\temp\cleanup.exe
2010-04-16 04:55 . 2009-08-28 23:53 3096576 ---ha-w- c:\documents and settings\Owner\Application Data\U3\temp\Launchpad Removal.exe
2010-04-15 23:57 . 2008-10-10 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-15 00:15 . 2008-10-10 19:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-14 23:01 . 2010-01-04 23:23 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
2010-04-14 21:46 . 2010-04-14 21:46 37248 ----a-w- c:\windows\system32\drivers\OLD76.tmp
2010-04-14 21:45 . 2010-04-14 21:44 37248 ----a-w- c:\windows\system32\drivers\OLD73.tmp
2010-04-14 21:44 . 2010-04-14 21:44 37248 ----a-w- c:\windows\system32\drivers\OLD70.tmp
2010-04-14 21:42 . 2010-04-14 21:42 37248 ----a-w- c:\windows\system32\drivers\OLD6C.tmp
2010-04-14 21:40 . 2010-04-14 21:40 37248 ----a-w- c:\windows\system32\drivers\OLD65.tmp
2010-04-14 21:39 . 2010-04-14 21:39 37248 ----a-w- c:\windows\system32\drivers\OLD61.tmp
2010-04-14 21:36 . 2010-04-14 21:36 37248 ----a-w- c:\windows\system32\drivers\OLD5A.tmp
2010-04-14 21:34 . 2010-04-14 21:34 37248 ----a-w- c:\windows\system32\drivers\OLD56.tmp
2010-04-14 21:33 . 2010-04-14 21:33 37248 ----a-w- c:\windows\system32\drivers\OLD52.tmp
2010-04-14 21:30 . 2010-04-14 21:30 37248 ----a-w- c:\windows\system32\drivers\OLD4B.tmp
2010-04-14 21:27 . 2010-04-14 21:27 37248 ----a-w- c:\windows\system32\drivers\OLD47.tmp
2010-04-14 21:23 . 2010-04-14 21:23 37248 ----a-w- c:\windows\system32\drivers\OLD40.tmp
2010-04-14 21:22 . 2010-04-14 21:22 37248 ----a-w- c:\windows\system32\drivers\OLD3B.tmp
2010-04-14 21:20 . 2010-04-14 21:20 37248 ----a-w- c:\windows\system32\drivers\OLD33.tmp
2010-04-14 21:18 . 2010-04-14 21:18 37248 ----a-w- c:\windows\system32\drivers\OLD2E.tmp
2010-04-14 21:16 . 2010-04-14 21:16 37248 ----a-w- c:\windows\system32\drivers\OLD22.tmp
2010-04-14 21:14 . 2010-04-14 21:14 37248 ----a-w- c:\windows\system32\drivers\OLD1B.tmp
2010-04-14 18:44 . 2010-04-14 21:41 37248 ----a-w- c:\windows\system32\drivers\OLD69.tmp
2010-04-14 18:44 . 2010-04-14 21:17 37248 ----a-w- c:\windows\system32\drivers\OLD27.tmp
2010-04-12 23:59 . 2009-05-05 18:57 -------- d-----w- c:\program files\Java
2010-04-12 23:56 . 2009-12-01 11:31 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-12 18:48 . 2010-04-12 18:48 96512 ----a-w- c:\windows\system32\drivers\tskC.tmp
2010-04-12 00:52 . 2010-03-18 21:13 -------- d-----w- c:\program files\DeductionPro 2009
2010-04-12 00:33 . 2009-02-22 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\TaxCut
2010-04-10 19:26 . 2009-03-02 07:44 -------- d-----w- c:\program files\Safari
2010-04-10 19:24 . 2008-10-21 05:50 -------- d-----w- c:\program files\Common Files\Apple
2010-04-09 06:47 . 2008-10-09 20:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 18:18 . 2009-12-02 01:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Any Audio Converter
2010-04-01 20:31 . 2009-05-31 17:30 116300 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-30 21:22 . 2009-02-22 22:15 -------- d-----w- c:\program files\PDF995
2010-03-19 17:24 . 2009-06-08 16:16 -------- d-----w- c:\program files\iWin.com
2010-03-18 21:15 . 2010-03-18 21:14 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-18 21:13 . 2008-10-08 03:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-18 21:12 . 2010-03-18 21:11 -------- d-----w- c:\program files\HRBlock2009
2010-03-18 21:06 . 2009-02-22 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-03-13 02:14 . 2010-03-13 02:14 20 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\bases\apu\ForDiff\apu0001.dat.exe
2010-03-12 18:50 . 2010-03-12 18:50 114330 ----a-w- c:\documents and settings\All Users\SPLD.tmp
2010-03-12 18:37 . 2010-03-12 18:37 115562 ----a-w- c:\documents and settings\All Users\SPL3ED3.tmp
2010-03-10 06:15 . 2003-07-16 20:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 19:26 . 2009-09-27 01:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Any DVD Converter Professional
2010-03-04 11:00 . 2010-03-04 11:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-02-28 00:26 . 2010-02-28 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2010-02-28 00:15 . 2008-10-08 04:35 147584 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-28 00:15 . 2010-02-28 00:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Sibelius Software
2010-02-28 00:15 . 2010-02-28 00:14 -------- d-----w- c:\program files\Musicnotes
2010-02-28 00:07 . 2008-10-09 20:00 -------- d-----w- c:\program files\Games
2010-02-27 23:49 . 2008-10-09 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2010-02-25 06:24 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 18:13 . 2008-10-13 19:24 -------- d-----w- c:\program files\WS_FTP
2010-02-24 13:11 . 2003-07-16 20:34 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-21 03:10 . 2010-02-21 03:10 13664 ----a-w- c:\documents and settings\All Users\SPL6B4.tmp
2010-02-17 16:10 . 2003-07-16 20:39 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2003-07-16 20:23 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2003-07-16 20:47 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-12-02 01:57 . 2009-12-02 01:57 15203738 ----a-w- c:\program files\any-audio-converter.exe
2009-12-02 01:49 . 2009-12-02 01:49 15386889 ----a-w- c:\program files\avc-free.exe
2009-06-05 17:40 . 2009-06-05 17:40 38709280 ----a-w- c:\program files\kav8.0.0.506en.exe
2009-05-22 20:15 . 2009-05-22 20:15 434832 ----a-w- c:\program files\switchsetup.exe
2009-05-14 18:15 . 2009-05-14 18:15 140800 ----a-w- c:\program files\ODMediaConsoleSetup.exe
2009-03-02 07:43 . 2009-03-02 07:43 26699048 ----a-w- c:\program files\SafariSetup.exe
2009-02-03 11:59 . 2009-02-03 11:59 1226 ----a-w- c:\program files\setup.reg
2008-11-14 09:52 . 2008-11-14 09:52 41937 ----a-w- c:\program files\release_notes_kav8.0cf2_en.html
2008-11-13 17:23 . 2008-11-13 17:23 40375808 ----a-w- c:\program files\kav.en.msi
2008-11-04 18:53 . 2008-11-04 18:53 5166072 ----a-w- c:\program files\msgrplus.exe
2008-10-28 17:25 . 2008-10-28 17:25 283843 ----a-w- c:\program files\youmurdererbb_tt.zip
2008-10-21 05:49 . 2008-10-21 05:49 67167528 ----a-w- c:\program files\iTunes801Setup.exe
2008-10-17 20:37 . 2008-10-15 20:40 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-10-09 20:01 . 2008-10-09 20:01 0 ----a-w- c:\program files\temp01
2008-10-09 00:27 . 2008-10-09 00:27 50689960 ----a-w- c:\program files\avg_free_stf_en_8_173a1373.exe
2008-10-09 00:22 . 2008-10-09 00:22 19153264 ----a-w- c:\program files\aaw2008.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-04-16_20.53.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-17 16:13 . 2010-04-17 16:13 16384 c:\windows\Temp\Perflib_Perfdata_24c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-10-02 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-02 118784]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"IPInSightLAN 01"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 380928]
"IPInSightMonitor 01"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"Lexmark 7600 Series Fax Server"="c:\program files\Lexmark 7600 Series\fm3032.exe" [2008-09-10 311976]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-14 113664]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\pmremind.exe [2009-2-17 331776]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [1/21/2010 12:12 PM 78104]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [8/7/2009 1:01 PM 98984]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S3 klmd21;klmd21;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KGTYQPOB
*Deregistered* - IPVNMon
*Deregistered* - kgtyqpob
.
Contents of the 'Scheduled Tasks' folder

2010-04-18 c:\windows\Tasks\User_Feed_Synchronization-{54802705-6404-494B-8E69-3EC5B0EF9994}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 11:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-115176313-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4044)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-18 11:32:56
ComboFix-quarantined-files.txt 2010-04-18 18:32
ComboFix2.txt 2010-04-18 03:09
ComboFix3.txt 2010-04-16 21:10

Pre-Run: 279,940,853,760 bytes free
Post-Run: 279,893,725,184 bytes free

- - End Of File - - 963BEAC3229492BA0EC1046FA47F6AC2

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

It said no threats found. My Kaspersky keeps showing threats found; do I need to fix that or something?

SETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b3640aec1b87bc42bac85b45477025df
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-18 08:47:21
# local_time=2010-04-18 01:47:21 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1026 16777214 0 2 29964774 29964774 0 0
# compatibility_mode=1280 16777191 100 0 29964355 29964355 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=239447
# found=0
# cleaned=0
# scan_time=7288

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Does Kaspersky say where?

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

It showed Active Threat as the one I came here with, then I clicked on it and it said Not found! Yay! I'm clean now?