Page 2 of 3, showing results 11 to 20 of 21

Thread: Windows XP webpage hijack

  1. #11 Beginner, registered since 29.08.2010, 17 posts

    Re: Windows XP webpage hijack

    Computer Name: STARSEED
    Event Code: 11
    Message: Failed extract of third-party root list from auto update cab at:
    http://<http://www.download.(+++++)....throotstl.cab>
    with error: A required certificate is not within its validity period when verifying against the
    current system clock or the timestamp in the signed file. (+++++) = windows update(one word)

    (OK. The reason I can't post some of the RSIT INFO file is that the website won't accept "windowsupdate" as one word, no space, where I have (+++++). Strange. I'll try Record Number: 55 and the rest that way. I used Preview Post to see what would be accepted.)

  2. #12 Beginner, registered since 29.08.2010, 17 posts

    Re: Windows XP webpage hijack

    Record Number: 55
    Source Name: crypt32
    Time Written: 20100711161500.000000-300
    Event Type: error
    User:

    Computer Name: STARSEED
    Event Code: 11
    Message: Failed extract of third-party root list from auto update cab at:
    <http://www.download.(+++++).com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying against the
    current system clock or the timestamp in the signed file.

    (+++++) = windows update (one word, no space after windows)


    Record Number: 54
    Source Name: crypt32
    Time Written: 20100711161459.000000-300
    Event Type: error
    User:

    Computer Name: STARSEED
    Event Code: 4113
    Message: AntiVir has detected 'HTML/Crypted.Gen'
    in the file
    C:\Documents and Settings\Peter\Local Settings\Application Data\Mozilla\Firefox\Profiles\ayd69ifp.default\Cache\9C597973d01

    Record Number: 50
    Source Name: Avira AntiVir
    Time Written: 20100711000510.000000-300
    Event Type: warning
    User: NT AUTHORITY\SYSTEM

    ======Environment variables======

    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
    "windir"=%SystemRoot%
    "FP_NO_HOST_CHECK"=NO
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=6
    "PROCESSOR_IDENTIFIER"=x86 Family 6 Model 28 Stepping 2, GenuineIntel
    "PROCESSOR_REVISION"=1c02
    "NUMBER_OF_PROCESSORS"=2
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    "LenovoTestLogFile"=d:\test\wintest\preload.log
    "LenovoTestPath"=d:\test\wintest\
    "CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
    "QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

    -----------------EOF-----------------

    Whew! It worked!

  3. #13 Beginner, registered since 29.08.2010, 17 posts

    Re: Windows XP webpage hijack

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-29 10:51:39
    Windows 5.1.2600 Service Pack 3
    Running: vxrm1xz8.exe; Driver: C:\DOCUME~1\Peter\LOCALS~1\Temp\kwlyypob.sys


    ---- System - GMER 1.0.15 ----

    SSDT BA75A72C ZwCreateThread
    SSDT BA75A718 ZwOpenProcess
    SSDT BA75A71D ZwOpenThread

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
    .text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
    .text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
    .text C:\WINDOWS\System32\svchost.exe[1132] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01E8000A
    .text C:\WINDOWS\System32\svchost.exe[1132] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F6000A
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2116] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1044721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\WINDOWS\explorer.exe[2720] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\explorer.exe[2720] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
    .text C:\WINDOWS\explorer.exe[2720] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3724] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0139000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3724] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013A000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3724] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0138000C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3724] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat tvtumon.sys (Windows Update Monitor Driver/Lenovo)

    ---- EOF - GMER 1.0.15 ----

  4. #14 Beginner, registered since 29.08.2010, 17 posts

    Re: Windows XP webpage hijack

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x895BBEC5]<<
    kernel: MBR read successfully
    user & kernel MBR OK
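    The two logs in #13 and #14 are the ones a helper reads most closely: the GMER "User code sections" block, where each line records an inline hook in a process and, when GMER could map the jump target to a file on disk, names that file, and the mbr.exe -t "called modules" line, where a ">>UNKNOWN [address]<<" entry means a module in the disk I/O path that mbr.exe could not name. The Python below is an added triage aid written for this page; it is not part of the thread and not a GMER or Kaspersky tool. It parses both formats, separates hooks GMER attributed to a module (xul.dll, firefox.exe) from JMPs into memory it did not map, groups the unmapped hooks by hooked export so a hook set repeated across every process stands out, and pulls out the UNKNOWN marker. The sample lines are constructed as a subset of the posts above, and the line formats are assumed to be as GMER 1.0.15 and mbr.exe print them. Unmapped user-mode hooks are only an indicator: anti-malware and HIPS products also place such hooks, which is why the moderator asks for further scans rather than deciding on this alone.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER 1.0.15 "User code sections"
# lines from post #13, copied in shape (not the complete log).
GMER_SAMPLE = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2116] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1044721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\explorer.exe[2720] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\explorer.exe[2720] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\explorer.exe[2720] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3724] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0139000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3724] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3724] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0138000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3724] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- EOF - GMER 1.0.15 ----
"""

# Constructed sample: the mbr.exe -t output from post #14.
MBR_SAMPLE = """\
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x895BBEC5]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# One GMER user-mode hook line (assumed format, as GMER 1.0.15 prints it):
# .text <process>[<pid>] <module>!<export> <addr> <n> Bytes <JMP|CALL|PUSH> <target> [<file> (<vendor>)]
HOOK_RE = re.compile(
    r"^\.text\s+"
    r"(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<export>\S+?!\S+)\s+"
    r"(?P<address>[0-9A-F]{8})\s+"
    r"(?P<length>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL|PUSH)\s+"
    r"(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<rest>.+))?$"
)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def _split_module(rest):
    """'<path> (<vendor>)' -> (path, vendor); bare path -> (path, None); None -> (None, None)."""
    if rest is None:
        return None, None
    m = re.match(r"^(?P<module>.+?)\s+\((?P<vendor>[^()]*)\)$", rest)
    if m:
        return m["module"], m["vendor"]
    return rest, None


def parse_gmer_hooks(text):
    """Return one dict per user-mode hook line; other lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        module, vendor = _split_module(m["rest"])
        hooks.append({
            "process": m["process"], "pid": int(m["pid"]), "export": m["export"],
            "address": int(m["address"], 16), "target": int(m["target"], 16),
            "kind": m["kind"], "module": module, "vendor": vendor,
        })
    return hooks


def triage_hooks(hooks):
    """Split hooks into (unattributed, attributed): did GMER name a file for the target?"""
    unattributed = [h for h in hooks if not h["module"]]
    attributed = [h for h in hooks if h["module"]]
    return unattributed, attributed


def hooks_by_export(hooks):
    """Hooked export -> sorted process basenames; the same set in every process is the pattern to look for."""
    grouped = defaultdict(set)
    for h in hooks:
        grouped[h["export"]].add(h["process"].rsplit("\\", 1)[-1])
    return {export: sorted(procs) for export, procs in grouped.items()}


def parse_mbr_log(text):
    """Pull the final MBR verdict, the named modules and any >>UNKNOWN<< addresses from mbr.exe -t output."""
    result = {"mbr_ok": False, "modules": [], "unknown": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("called modules:"):
            body = line[len("called modules:"):]
            result["unknown"] = UNKNOWN_RE.findall(body)
            result["modules"] = UNKNOWN_RE.sub("", body).split()
        elif line == "user & kernel MBR OK":
            result["mbr_ok"] = True
    return result


if __name__ == "__main__":
    unattributed, attributed = triage_hooks(parse_gmer_hooks(GMER_SAMPLE))
    for export, procs in sorted(hooks_by_export(unattributed).items()):
        print(f"unattributed hook on {export}: {', '.join(procs)}")
    for h in attributed:
        print(f"attributed hook on {h['export']} -> {h['module']} ({h['vendor']})")
    mbr = parse_mbr_log(MBR_SAMPLE)
    print("MBR verdict OK:", mbr["mbr_ok"], "| unnamed module in disk path:", mbr["unknown"])
```

    Run stand-alone it lists the three ntdll hooks as present in svchost.exe, explorer.exe and firefox.exe alike, the two Mozilla-attributed hooks separately, and reports that the MBR itself verified fine while one unnamed kernel module sat in the disk I/O path, which is exactly the combination the moderator reacts to in #16.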

  5. #15 Beginner, registered since 29.08.2010, 17 posts

    Re: Windows XP webpage hijack

    SpyBot has detected Virtumonde Virus twice now. It said it was showing up as "ahoyulezelagar" in one of the HijackThis entries. Spybot removed it.

  6. #16 Moderator, team member, registered since 25.11.2006, 5,602 posts

    Re: Windows XP webpage hijack

    I got your message that the term "windowsupdate" causes problems when you use it. As long as you keep me informed when you have altered that part of a log, it's okay to make the changes needed.

    That mbr.exe -t log suggests a hidden rootkit is there, so let's scan for (and remove) that.


    Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

    Click here and download Kaspersky's TDSSKiller to your desktop, then unzip that and place a copy of the TDSSKiller.exe file on your desktop. Then click that to open the scanner.

    In the display that opens click Start scan. Once that completes, follow any prompts to act on anything it located, including a reboot if requested.

    When the scan completes it will create a log file on your C drive.

    Similar in name to this:

    C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt

    Your copy will be different - some of those numbers will reflect the date/time it was just run by you there.

    Copy/paste those contents back here please.

    -----------

    Download ComboFix.exe from here to your desktop, then click that to run that scan.

    Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

    A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
    Live the day!

    Jintan - the brand where everything is right!

  7. #17 Beginner, registered since 29.08.2010, 17 posts

    Re: Windows XP webpage hijack

    Thank you. I ran everything again (AntiVir, Ad-Aware, Spybot and even VundoFix, and Malwarebytes), and VundoFix and Spybot were clean with no Virtumonde. AntiVir and Malwarebytes found nothing. However, this time Ad-Aware found a Trojan.Win32.Generic!BT and wiped it. It was in the Temporary folder (XP activation).

    While I am running Kaspersky and Combofix with AntiVir disabled, here is the Ad-Aware log:

    Logfile created: 8/30/2010 07:13:24
    Ad-Aware version: 8.3.1
    Extended engine: 3
    Extended engine version: 3.1.2770
    User performing scan: Peter

    *********************** Definitions database information ***********************
    Lavasoft definition file: 150.67
    Genotype definition file version: 2010/08/19 13:54:54
    Extended engine definition file: 6811.0

    ******************************** Scan results: *********************************
    Scan profile name: Full Scan (ID: full)
    Objects scanned: 98502
    Objects detected: 36


    Type Detected
    ==========================
    Processes.......: 0
    Registry entries: 0
    Hostfile entries: 0
    Files...........: 4
    Folders.........: 0
    LSPs............: 0
    Cookies.........: 32
    Browser hijacks.: 0
    MRU objects.....: 0



    Removed items:
    Description: *tacoda* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409123 Family ID: 0
    Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0
    Description: *real* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408817 Family ID: 0
    Description: *realmedia* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409139 Family ID: 0
    Description: *advertis* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408918 Family ID: 0
    Description: *advertising* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409017 Family ID: 0
    Description: *unicast* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409281 Family ID: 0
    Description: *atdmt* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408910 Family ID: 0
    Description: *advertis* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408918 Family ID: 0
    Description: *advertising* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 409017 Family ID: 0
    Description: *atdmt* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408910 Family ID: 0
    Description: *insightexpressai* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 409259 Family ID: 0
    Description: *apmebf* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 409163 Family ID: 0
    Description: *mediaplex* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408991 Family ID: 0
    Description: *adbrite* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 409218 Family ID: 0
    Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 409172 Family ID: 0
    Description: *trafficmp* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408787 Family ID: 0
    Description: *pointroll* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408826 Family ID: 0
    Description: *ads.pointroll* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408927 Family ID: 0
    Description: *real* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408817 Family ID: 0
    Description: *247realmedia* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408945 Family ID: 0
    Description: *realmedia* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 409139 Family ID: 0
    Description: zedo* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408736 Family ID: 0
    Description: *serving-sys* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 409130 Family ID: 0
    Description: *bs.serving-sys* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408902 Family ID: 0
    Description: *fastclick* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408869 Family ID: 0
    Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408875 Family ID: 0
    Description: *adserver* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408737 Family ID: 0
    Description: *adserv* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408921 Family ID: 0
    Description: *adtech* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 409018 Family ID: 0
    Description: *adserve* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 409020 Family ID: 0
    Description: *questionmarket* Family Name: Cookies Engine: 1 Clean status: Failed Item ID: 408819 Family ID: 0

    Quarantined items:
    Description: c:\documents and settings\peter\desktop\temporary\xp activation\activation_crack.zip::activation_crack/windows 2003 & xp & lh anti product activation crack 2.0.1.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5:
    Description: c:\documents and settings\peter\desktop\temporary\xp activation\activation_crack.zip::activation_crack/windows 2003 & xp & lh anti product activation crack 2.0.1.zip::windows 2003 & xp & lh anti product activation crack 2.0.1.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5:
    Description: c:\documents and settings\peter\desktop\temporary\xp activation\activation_crack\activation_crack\windows 2003 & xp & lh anti product activation crack 2.0.1.zip::windows 2003 & xp & lh anti product activation crack 2.0.1.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5:
    Description: c:\system volume information\_restore{f8136b96-1d4c-4145-839f-7b8f940a9052}\rp414\a0052922.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 63cbaa563b6690ad3af4d3ac22d7fe12

    Scan and cleaning complete: Finished correctly after 5315 seconds

    *********************************** Settings ***********************************

    Scan profile:
    ID: full, enabled:1, value: Full Scan
    ID: folderstoscan, enabled:1, value: C:\,D:\
    ID: useantivirus, enabled:1, value: true
    ID: sections, enabled:1
    ID: scancriticalareas, enabled:1, value: true
    ID: scanrunningapps, enabled:1, value: true
    ID: scanregistry, enabled:1, value: true
    ID: scanlsp, enabled:1, value: true
    ID: scanads, enabled:1, value: true
    ID: scanhostsfile, enabled:1, value: true
    ID: scanmru, enabled:1, value: true
    ID: scanbrowserhijacks, enabled:1, value: true
    ID: scantrackingcookies, enabled:1, value: true
    ID: closebrowsers, enabled:1, value: false
    ID: filescanningoptions, enabled:1
    ID: archives, enabled:1, value: true
    ID: onlyexecutables, enabled:1, value: false
    ID: skiplargerthan, enabled:1, value: 20480
    ID: scanrootkits, enabled:1, value: true
    ID: rootkitlevel, enabled:1, value: mild, domain: medium,mild,strict
    ID: usespywareheuristics, enabled:1, value: true

    Scan global:
    ID: global, enabled:1
    ID: addtocontextmenu, enabled:1, value: true
    ID: playsoundoninfection, enabled:1, value: false
    ID: soundfile, enabled:0, value: N/A

    Scheduled scan settings:
    <Empty>

    Update settings:
    ID: updates, enabled:1
    ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
    ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
    ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
    ID: schedules, enabled:1, value: true
    ID: updatedaily1, enabled:1, value: Daily 1
    ID: time, enabled:1, value: Mon Aug 30 02:51:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily2, enabled:1, value: Daily 2
    ID: time, enabled:1, value: Mon Aug 30 08:51:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily3, enabled:1, value: Daily 3
    ID: time, enabled:1, value: Mon Aug 30 14:51:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily4, enabled:1, value: Daily 4
    ID: time, enabled:1, value: Mon Aug 30 20:51:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updateweekly1, enabled:1, value: Weekly
    ID: time, enabled:1, value: Mon Aug 30 02:51:00 2010
    ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: true
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: true
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false

    Appearance settings:
    ID: appearance, enabled:1
    ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
    ID: showtrayicon, enabled:1, value: true
    ID: autoentertainmentmode, enabled:1, value: true
    ID: guimode, enabled:1, value: mode_simple, domain: mode_advanced,mode_simple
    ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

    Realtime protection settings:
    ID: realtime, enabled:1
    ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant
    ID: layers, enabled:1
    ID: useantivirus, enabled:1, value: true
    ID: usespywareheuristics, enabled:1, value: true
    ID: modules, enabled:1
    ID: processprotection, enabled:1, value: true
    ID: onaccessprotection, enabled:1, value: false
    ID: registryprotection, enabled:1, value: true
    ID: networkprotection, enabled:1, value: true


    ****************************** System information ******************************
    Computer name: STARSEED
    Processor name: Intel(R) Atom(TM) CPU N270 @ 1.60GHz
    Processor identifier: x86 Family 6 Model 28 Stepping 2
    Processor speed: ~1596MHZ
    Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 7170, number of processors 2, processor features: [MMX,SSE,SSE2]
    Physical memory available: 1419436032 bytes
    Physical memory total: 2137370624 bytes
    Virtual memory available: 1885691904 bytes
    Virtual memory total: 2147352576 bytes
    Memory load: 33%
    Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Windows startup mode:

    Running processes:
    PID: 616 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 704 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 728 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 772 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 784 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 968 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1052 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
    PID: 1164 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1264 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
    PID: 1344 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 1592 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1708 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1836 name: C:\Program Files\Avira\AntiVir Desktop\sched.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1916 name: C:\WINDOWS\Explorer.EXE owner: Peter domain: STARSEED
    PID: 2028 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 380 name: C:\Program Files\Avira\AntiVir Desktop\avguard.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 512 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 516 name: C:\Program Files\Avira\AntiVir Desktop\avshadow.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 636 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 992 name: C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1492 name: C:\WINDOWS\system32\hkcmd.exe owner: Peter domain: STARSEED
    PID: 1512 name: C:\WINDOWS\system32\igfxpers.exe owner: Peter domain: STARSEED
    PID: 1540 name: C:\WINDOWS\system32\igfxsrvc.exe owner: Peter domain: STARSEED
    PID: 1568 name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe owner: Peter domain: STARSEED
    PID: 1696 name: C:\Program Files\Lenovo\Energy Management\utility.exe owner: Peter domain: STARSEED
    PID: 1872 name: C:\Program Files\Lenovo\Energy Management\Energy Management.exe owner: Peter domain: STARSEED
    PID: 1888 name: C:\WINDOWS\RTHDCPL.EXE owner: Peter domain: STARSEED
    PID: 228 name: C:\Program Files\Avira\AntiVir Desktop\avgnt.exe owner: Peter domain: STARSEED
    PID: 1088 name: C:\WINDOWS\system32\ctfmon.exe owner: Peter domain: STARSEED
    PID: 700 name: C:\Program Files\ColorPage-SF600\DigiScan.exe owner: Peter domain: STARSEED
    PID: 2460 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 2488 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 2732 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 3792 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Peter domain: STARSEED
    PID: 2584 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Peter domain: STARSEED
    PID: 1136 name: C:\WINDOWS\system32\wscntfy.exe owner: Peter domain: STARSEED

    Startup items:
    Name: PostBootReminder
    imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
    Name: CDBurn
    imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
    Name: WebCheck
    imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
    Name: SysTray
    imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
    Name: WPDShServiceObj
    imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
    Name: IgfxTray
    imagepath: C:\WINDOWS\system32\igfxtray.exe
    Name: HotKeysCmds
    imagepath: C:\WINDOWS\system32\hkcmd.exe
    Name: Persistence
    imagepath: C:\WINDOWS\system32\igfxpers.exe
    Name: AzMixerSel
    imagepath: C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
    Name: SynTPEnh
    imagepath: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    Name: EnergyUtility
    imagepath: C:\Program Files\Lenovo\Energy Management\utility.exe
    Name: Energy Management
    imagepath: C:\Program Files\Lenovo\Energy Management\Energy Management.exe
    Name: RTHDCPL
    imagepath: RTHDCPL.EXE
    Name: Adobe Reader Speed Launcher
    imagepath: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    Name: Adobe ARM
    imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    Name: MSConfig
    imagepath: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    Name: avgnt
    imagepath: "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
    imagepath: Browseui preloader
    Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
    imagepath: Component Categories cache daemon
    Name:
    imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    Name:
    location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DigiScan.lnk
    imagepath: C:\Program Files\ColorPage-SF600\DigiScan.exe

    Bootexecute items:
    Name:
    imagepath: autocheck autochk *

    Running services:
    Name: ALG
    displayname: Application Layer Gateway Service
    Name: AntiVirSchedulerService
    displayname: Avira AntiVir Scheduler
    Name: AntiVirService
    displayname: Avira AntiVir Guard
    Name: AudioSrv
    displayname: Windows Audio
    Name: BITS
    displayname: Background Intelligent Transfer Service
    Name: CryptSvc
    displayname: Cryptographic Services
    Name: DcomLaunch
    displayname: DCOM Server Process Launcher
    Name: Dhcp
    displayname: DHCP Client
    Name: Dnscache
    displayname: DNS Client
    Name: ERSvc
    displayname: Error Reporting Service
    Name: Eventlog
    displayname: Event Log
    Name: EventSystem
    displayname: COM+ Event System
    Name: FastUserSwitchingCompatibility
    displayname: Fast User Switching Compatibility
    Name: helpsvc
    displayname: Help and Support
    Name: JavaQuickStarterService
    displayname: Java Quick Starter
    Name: lanmanserver
    displayname: Server
    Name: lanmanworkstation
    displayname: Workstation
    Name: Lavasoft Ad-Aware Service
    displayname: Lavasoft Ad-Aware Service
    Name: LmHosts
    displayname: TCP/IP NetBIOS Helper
    Name: Netman
    displayname: Network Connections
    Name: Nla
    displayname: Network Location Awareness (NLA)
    Name: PlugPlay
    displayname: Plug and Play
    Name: PolicyAgent
    displayname: IPSEC Services
    Name: ProtectedStorage
    displayname: Protected Storage
    Name: RasMan
    displayname: Remote Access Connection Manager
    Name: RpcSs
    displayname: Remote Procedure Call (RPC)
    Name: SamSs
    displayname: Security Accounts Manager
    Name: Schedule
    displayname: Task Scheduler
    Name: seclogon
    displayname: Secondary Logon
    Name: SENS
    displayname: System Event Notification
    Name: SharedAccess
    displayname: Windows Firewall/Internet Connection Sharing (ICS)
    Name: ShellHWDetection
    displayname: Shell Hardware Detection
    Name: Spooler
    displayname: Print Spooler
    Name: srservice
    displayname: System Restore Service
    Name: SSDPSRV
    displayname: SSDP Discovery Service
    Name: stisvc
    displayname: Windows Image Acquisition (WIA)
    Name: System_Repair_UpdateMonitor
    displayname: System Repair Windows Update Monitor
    Name: TapiSrv
    displayname: Telephony
    Name: TermService
    displayname: Terminal Services
    Name: Themes
    displayname: Themes
    Name: TrkWks
    displayname: Distributed Link Tracking Client
    Name: W32Time
    displayname: Windows Time
    Name: WebClient
    displayname: WebClient
    Name: winmgmt
    displayname: Windows Management Instrumentation
    Name: wscsvc
    displayname: Security Center
    Name: wuauserv
    displayname: Automatic Updates
    Name: WZCSVC
    displayname: Wireless Zero Configuration

  8. #18 Beginner, registered since 29.08.2010, 17 posts

    Re: Windows XP webpage hijack

    Nice. You were right. Here is the TDSSKiller log:

    2010/08/30 09:30:02.0515 TDSS rootkit removing tool 2.4.1.3 Aug 27 2010 08:53:42
    2010/08/30 09:30:02.0515 ================================================================================
    2010/08/30 09:30:02.0515 SystemInfo:
    2010/08/30 09:30:02.0515
    2010/08/30 09:30:02.0515 OS Version: 5.1.2600 ServicePack: 3.0
    2010/08/30 09:30:02.0515 Product type: Workstation
    2010/08/30 09:30:02.0515 ComputerName: STARSEED
    2010/08/30 09:30:02.0515 UserName: Peter
    2010/08/30 09:30:02.0515 Windows directory: C:\WINDOWS
    2010/08/30 09:30:02.0515 System windows directory: C:\WINDOWS
    2010/08/30 09:30:02.0515 Processor architecture: Intel x86
    2010/08/30 09:30:02.0515 Number of processors: 2
    2010/08/30 09:30:02.0515 Page size: 0x1000
    2010/08/30 09:30:02.0515 Boot type: Normal boot
    2010/08/30 09:30:02.0515 ================================================================================
    2010/08/30 09:30:03.0000 Initialize success
    2010/08/30 09:30:08.0484 ================================================================================
    2010/08/30 09:30:08.0484 Scan started
    2010/08/30 09:30:08.0484 Mode: Manual;
    2010/08/30 09:30:08.0484 ================================================================================
    2010/08/30 09:30:09.0843 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/08/30 09:30:09.0953 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2010/08/30 09:30:10.0093 ACPIVPC (5508e9f55799c6551d54dfbc4a068b68) C:\WINDOWS\system32\DRIVERS\AcpiVpc.sys
    2010/08/30 09:30:10.0484 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/08/30 09:30:10.0656 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/08/30 09:30:11.0984 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
    2010/08/30 09:30:12.0687 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2010/08/30 09:30:13.0703 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/08/30 09:30:13.0843 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/08/30 09:30:14.0296 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/08/30 09:30:14.0437 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/08/30 09:30:14.0593 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    2010/08/30 09:30:14.0718 avgntflt (a88d29d928ad2b830e87b53e3f9bc182) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
    2010/08/30 09:30:14.0875 avipbb (1289e9a5d9118a25a13c0009519088e3) C:\WINDOWS\system32\DRIVERS\avipbb.sys
    2010/08/30 09:30:15.0000 b57w2k (5175e788bcd1cb7345ab21f3e14369d2) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    2010/08/30 09:30:15.0171 BCM43XX (164a0ac9ef86ef4b9c5bc6081f9acbeb) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
    2010/08/30 09:30:15.0312 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/08/30 09:30:15.0421 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/08/30 09:30:15.0671 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2010/08/30 09:30:15.0984 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/08/30 09:30:16.0218 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/08/30 09:30:16.0437 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/08/30 09:30:16.0921 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2010/08/30 09:30:17.0375 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2010/08/30 09:30:18.0500 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/08/30 09:30:18.0796 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/08/30 09:30:19.0140 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/08/30 09:30:19.0234 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/08/30 09:30:19.0343 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/08/30 09:30:19.0734 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/08/30 09:30:20.0093 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/08/30 09:30:20.0343 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2010/08/30 09:30:20.0578 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/08/30 09:30:20.0781 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2010/08/30 09:30:21.0046 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/08/30 09:30:21.0125 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/08/30 09:30:21.0171 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/08/30 09:30:21.0265 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
    2010/08/30 09:30:21.0453 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/08/30 09:30:21.0718 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2010/08/30 09:30:21.0968 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/08/30 09:30:22.0437 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/08/30 09:30:23.0250 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/08/30 09:30:23.0609 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
    2010/08/30 09:30:24.0031 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/08/30 09:30:24.0671 IntcAzAudAddService (691dda8c43bd8e33a2567b694643c3f5) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2010/08/30 09:30:25.0531 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/08/30 09:30:25.0812 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/08/30 09:30:25.0875 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/08/30 09:30:26.0062 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/08/30 09:30:26.0265 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/08/30 09:30:26.0500 IPSec (1d7955cdfcfb15408db389c0163fda43) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/08/30 09:30:26.0515 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 1d7955cdfcfb15408db389c0163fda43, Fake md5: 23c74d75e36e7158768dd63d92789a91
    2010/08/30 09:30:26.0531 IPSec - detected Rootkit.Win32.TDSS.tdl3 (0)
    2010/08/30 09:30:26.0687 IP_FAX_NT (e2bae3682549664cee2a1cfb52f66e2e) C:\Program Files\VoIP Plug-In for Microsoft-Fax\IP_FAX_NT.SYS
    2010/08/30 09:30:26.0953 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/08/30 09:30:27.0062 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/08/30 09:30:27.0265 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/08/30 09:30:27.0390 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/08/30 09:30:27.0562 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/08/30 09:30:27.0765 Lavasoft Kernexplorer (32da3fde01f1bb080c2e69521dd8881e) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
    2010/08/30 09:30:27.0921 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
    2010/08/30 09:30:28.0296 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/08/30 09:30:28.0500 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/08/30 09:30:28.0718 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
    2010/08/30 09:30:29.0078 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/08/30 09:30:29.0234 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/08/30 09:30:29.0437 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/08/30 09:30:29.0890 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/08/30 09:30:30.0062 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/08/30 09:30:30.0328 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/08/30 09:30:30.0562 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/08/30 09:30:30.0765 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/08/30 09:30:30.0937 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/08/30 09:30:31.0203 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/08/30 09:30:31.0390 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2010/08/30 09:30:31.0562 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/08/30 09:30:31.0796 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2010/08/30 09:30:32.0031 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/08/30 09:30:32.0250 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2010/08/30 09:30:32.0453 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/08/30 09:30:32.0640 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/08/30 09:30:32.0828 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/08/30 09:30:33.0015 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/08/30 09:30:33.0203 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/08/30 09:30:33.0375 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/08/30 09:30:33.0640 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2010/08/30 09:30:33.0828 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/08/30 09:30:34.0031 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/08/30 09:30:34.0109 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/08/30 09:30:34.0203 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/08/30 09:30:34.0281 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/08/30 09:30:34.0484 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2010/08/30 09:30:34.0687 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2010/08/30 09:30:34.0875 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/08/30 09:30:34.0953 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/08/30 09:30:35.0062 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/08/30 09:30:35.0421 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/08/30 09:30:35.0578 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2010/08/30 09:30:37.0343 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/08/30 09:30:37.0515 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/08/30 09:30:37.0578 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/08/30 09:30:38.0921 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/08/30 09:30:39.0156 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/08/30 09:30:39.0328 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/08/30 09:30:39.0375 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/08/30 09:30:39.0546 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/08/30 09:30:39.0625 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/08/30 09:30:39.0828 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/08/30 09:30:40.0015 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/08/30 09:30:40.0156 RSUSBSTOR (4290417463801d31b7c6d1adb0f8bb4c) C:\WINDOWS\system32\Drivers\RTS5121.sys
    2010/08/30 09:30:40.0328 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
    2010/08/30 09:30:40.0890 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
    2010/08/30 09:30:41.0062 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/08/30 09:30:41.0250 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2010/08/30 09:30:41.0453 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
    2010/08/30 09:30:41.0906 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2010/08/30 09:30:42.0406 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
    2010/08/30 09:30:42.0531 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/08/30 09:30:42.0671 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/08/30 09:30:42.0859 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/08/30 09:30:43.0031 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2010/08/30 09:30:43.0187 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2010/08/30 09:30:43.0375 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/08/30 09:30:43.0484 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/08/30 09:30:45.0281 SynTP (6bd4fd6c3ee76c247ecaf484cb590b72) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2010/08/30 09:30:45.0406 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/08/30 09:30:45.0593 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/08/30 09:30:45.0812 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/08/30 09:30:45.0984 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/08/30 09:30:46.0156 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/08/30 09:30:46.0578 tvtumon (14b8d6bde06d621e2e469e42c7f34a4d) C:\WINDOWS\system32\DRIVERS\tvtumon.sys
    2010/08/30 09:30:46.0765 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/08/30 09:30:47.0296 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/08/30 09:30:47.0500 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/08/30 09:30:47.0890 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/08/30 09:30:47.0984 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/08/30 09:30:48.0125 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/08/30 09:30:48.0734 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/08/30 09:30:48.0890 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/08/30 09:30:48.0984 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/08/30 09:30:49.0203 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2010/08/30 09:30:49.0343 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/08/30 09:30:49.0750 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/08/30 09:30:49.0843 vsbus (f087045e02677d1ff6dd337a681002d3) C:\WINDOWS\system32\DRIVERS\vsb.sys
    2010/08/30 09:30:49.0984 vserial (ab3d2264bab940d58bd5aae138446b13) C:\WINDOWS\system32\DRIVERS\vserial.sys
    2010/08/30 09:30:50.0156 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/08/30 09:30:50.0515 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/08/30 09:30:50.0656 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
    2010/08/30 09:30:51.0000 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2010/08/30 09:30:51.0171 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2010/08/30 09:30:51.0296 WSVD (5d0a08ebf9660e07865907fb1ab022b5) C:\WINDOWS\system32\drivers\WSVD.sys
    2010/08/30 09:30:51.0437 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2010/08/30 09:30:51.0562 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2010/08/30 09:30:51.0656 ================================================================================
    2010/08/30 09:30:51.0656 Scan finished
    2010/08/30 09:30:51.0656 ================================================================================
    2010/08/30 09:30:51.0687 Detected object count: 1
    2010/08/30 09:31:48.0906 IPSec (1d7955cdfcfb15408db389c0163fda43) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/08/30 09:31:48.0921 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 1d7955cdfcfb15408db389c0163fda43, Fake md5: 23c74d75e36e7158768dd63d92789a91
    2010/08/30 09:31:50.0140 Backup copy found, using it..
    2010/08/30 09:31:50.0156 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured after reboot
    2010/08/30 09:31:50.0156 Rootkit.Win32.TDSS.tdl3(IPSec) - User select action: Cure
    2010/08/30 09:32:19.0875 Deinitialize success

  9. #19
    Beginner
    Member since
    29.08.2010
    Posts
    17

    Re: Windows XP webpage hijack

    ComboFix 10-08-29.04 - Peter 08/30/2010 9:47.1.2 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1520 [GMT -5:00]
    Running from: c:\documents and settings\Peter\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Start Menu\Programs\ColorPage-SF600
    c:\documents and settings\All Users\Start Menu\Programs\ColorPage-SF600\DigiScan.lnk
    c:\documents and settings\All Users\Start Menu\Programs\ColorPage-SF600\UnInstall ColorPage-SF600.lnk
    c:\documents and settings\Peter\Local Settings\Application Data\{3423F008-DA80-4004-949F-D0F9D03943C2}
    c:\documents and settings\Peter\Local Settings\Application Data\{3423F008-DA80-4004-949F-D0F9D03943C2}\chrome.manifest
    c:\documents and settings\Peter\Local Settings\Application Data\{3423F008-DA80-4004-949F-D0F9D03943C2}\chrome\content\_cfg.js
    c:\documents and settings\Peter\Local Settings\Application Data\{3423F008-DA80-4004-949F-D0F9D03943C2}\chrome\content\overlay.xul
    c:\documents and settings\Peter\Local Settings\Application Data\{3423F008-DA80-4004-949F-D0F9D03943C2}\install.rdf
    c:\windows\s.bat

    Infected copy of c:\windows\system32\midimap.dll was found and disinfected
    Restored copy from - c:\windows\NiwradSoft Shell Pack\Backup\midimap.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-30 )))))))))))))))))))))))))))))))
    .

    2010-08-30 07:51 . 2010-08-30 07:51 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-08-30 06:22 . 2010-08-30 06:22 -------- d-----w- c:\documents and settings\Peter\Local Settings\Application Data\Sunbelt Software
    2010-08-30 06:21 . 2010-08-30 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-08-29 15:44 . 2010-08-29 15:44 77312 ----a-w- C:\mbr.exe
    2010-08-28 23:27 . 2010-08-28 23:27 -------- d-----w- c:\program files\trend micro
    2010-08-28 23:27 . 2010-08-28 23:27 -------- d-----w- C:\rsit
    2010-08-26 08:31 . 2010-08-26 08:31 -------- d-----w- c:\documents and settings\Peter\Application Data\Avira
    2010-08-26 08:29 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-08-26 08:29 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-08-26 08:29 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-08-26 08:29 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-08-26 08:29 . 2010-08-26 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-08-26 07:04 . 2010-08-26 07:04 -------- d-----w- C:\VundoFix Backups
    2010-08-24 06:47 . 2010-08-24 07:18 54488 ----a-w- c:\windows\UninstCool.exe
    2010-08-24 06:36 . 2010-08-24 06:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
    2010-08-22 16:42 . 2010-08-22 16:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-22 16:42 . 2010-08-22 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-21 13:59 . 2010-08-21 13:59 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-08-21 10:50 . 2010-08-21 10:49 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
    2010-08-21 10:47 . 2010-08-21 10:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-08-19 18:08 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-19 18:08 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-19 14:53 . 2010-08-19 14:53 -------- d-----w- c:\program files\Enigma Software Group
    2010-08-19 14:52 . 2010-08-19 14:53 -------- d-----w- c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP
    2010-08-19 14:52 . 2010-08-19 14:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-08-19 13:18 . 2010-08-19 13:18 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-08-19 13:15 . 2010-08-23 10:18 120 ----a-w- c:\windows\Rpiqirewap.dat
    2010-08-19 13:15 . 2010-08-23 10:18 0 ----a-w- c:\windows\Ctacobelis.bin
    2010-08-17 13:14 . 2010-08-17 13:14 -------- d-----w- c:\program files\QuickTime
    2010-08-04 19:31 . 2010-08-04 19:31 -------- d-----w- C:\FOUND.005

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-30 14:33 . 2004-08-04 17:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
    2010-08-21 13:44 . 2010-08-21 10:53 3544 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-07-14 12:21 . 2010-07-14 12:21 -------- d-----w- c:\program files\Micro Flight
    2010-07-14 11:45 . 2010-07-14 11:45 -------- d-----w- c:\program files\Vehicle Simulator
    2010-07-14 10:55 . 2010-07-14 10:55 -------- d-----w- c:\program files\Wilco Publishing
    2010-06-30 12:31 . 2004-08-04 17:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2004-08-04 17:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2004-08-05 01:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-04 17:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-04 17:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2006-07-28 15:03 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
    2010-06-14 07:41 . 2004-08-04 17:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . A55B8899D2EA2E800061BCFD456E34DC . 547328 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
    [-] 2008-04-14 . A55B8899D2EA2E800061BCFD456E34DC . 547328 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
    [7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\NiwradSoft Shell Pack\Backup\winlogon.exe
    [7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe

    [-] 2008-04-14 . 247DFD6CBC939742D3EC7B53C120946F . 643072 . . [5.82] . . c:\windows\system32\comctl32.dll
    [-] 2008-04-14 . 247DFD6CBC939742D3EC7B53C120946F . 643072 . . [5.82] . . c:\windows\ServicePackFiles\i386\comctl32.dll
    [7] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\NiwradSoft Shell Pack\Backup\comctl32.dll
    [7] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\$NtServicePackUninstall$\comctl32.dll

    [-] 2008-04-14 . 894B313C52589628BB996E175B581E3A . 578048 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
    [-] 2008-04-14 . 894B313C52589628BB996E175B581E3A . 578048 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
    [7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\NiwradSoft Shell Pack\Backup\user32.dll
    [-] 2005-03-03 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
    [-] 2005-03-03 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtServicePackUninstall$\user32.dll
    [7] 2004-08-05 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll

    [-] 2008-04-14 . DEDB237CA07F66F40C9BA321EF10E4A9 . 1540608 . . [6.00.2900.5512] . . c:\windows\explorer.exe
    [-] 2008-04-14 . DEDB237CA07F66F40C9BA321EF10E4A9 . 1540608 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
    [7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\NiwradSoft Shell Pack\Backup\explorer.exe
    [7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe

    [-] 2008-04-14 . BD604DB0B7FF60CCC578DF54C5563E80 . 1312256 . . [5.1.2600.5512] . . c:\windows\system32\ole32.dll
    [-] 2008-04-14 . BD604DB0B7FF60CCC578DF54C5563E80 . 1312256 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ole32.dll
    [7] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\NiwradSoft Shell Pack\Backup\ole32.dll
    [-] 2005-07-26 . AB8231D13692AC5088EB9C226B0C0576 . 1285120 . . [5.1.2600.2726] . . c:\windows\$NtServicePackUninstall$\ole32.dll
    [-] 2005-07-26 . A2F755E237FA2CDD748A80BFBE6657F3 . 1285632 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\ole32.dll
    [-] 2005-04-29 . 5950E4F28FDA9D147576BF6798937397 . 1285120 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\ole32.dll
    [-] 2005-04-28 . 7440D29F257B7E44329343F944F2142C . 1286144 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\ole32.dll
    [7] 2004-08-05 . 4FE9D9FA62D020E35E0AC6D1AEEB96F0 . 1281536 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB894391$\ole32.dll

    [-] 2008-04-14 . C1D50243355A290CB3AA684FD8B38170 . 40448 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
    [-] 2008-04-14 . C1D50243355A290CB3AA684FD8B38170 . 40448 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
    [7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\NiwradSoft Shell Pack\Backup\ctfmon.exe
    [7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

    [-] 2009-03-08 . F68C1BAC147227B86FFB36828FF8BEDF . 510816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
    [-] 2009-03-08 . F68C1BAC147227B86FFB36828FF8BEDF . 510816 . . [8.00.6001.18702] . . c:\windows\ServicePackFiles\i386\iexplore.exe
    [7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\NiwradSoft Shell Pack\Backup\iexplore.exe
    [7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3qfe\iexplore.exe
    [7] 2009-02-28 . A251068640DDB69FD7805B57D89D7FF7 . 636072 . . [7.00.6000.16827] . . c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3gdr\iexplore.exe
    [7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ie7\iexplore.exe
    [7] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie8\iexplore.exe
    [7] 2004-08-05 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\iexplore.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-18 53248]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-05-23 1146880]
    "EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2008-07-24 4462464]
    "Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2008-07-24 1283984]
    "RTHDCPL"="RTHDCPL.EXE" [2009-10-06 18750976]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DigiScan.lnk - c:\program files\ColorPage-SF600\DigiScan.exe [2009-9-17 262144]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HW group\\HW VSP\\HW_VSP.exe"=
    "c:\\Program Files\\VoIP Plug-In for Microsoft-Fax\\FaxServiceConfig.exe"=
    "c:\\WINDOWS\\System32\\fxsclnt.exe"=
    "c:\\WINDOWS\\System32\\dpvsetup.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/26/2010 3:29 AM 135336]
    R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [11/4/2008 9:58 PM 430080]
    R2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [11/4/2008 9:58 PM 47680]
    R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [11/4/2008 10:26 PM 9472]
    R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [11/4/2008 9:32 PM 157696]
    S2 gupdate1c9e19657fdf558;Google Update Service (gupdate1c9e19657fdf558);c:\program files\Google\Update\GoogleUpdate.exe [5/31/2009 10:20 AM 133104]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/20/2009 9:04 AM 1684736]
    S3 cpudrv;cpudrv;\??\c:\program files\SystemRequirementsLab\cpudrv.sys --> c:\program files\SystemRequirementsLab\cpudrv.sys [?]
    S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
    S3 IP_FAX_NT;IP_FAX_NT;c:\program files\VoIP Plug-In for Microsoft-Fax\ip_fax_nt.sys [9/11/2009 2:11 PM 44544]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
    S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
    S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [11/4/2008 9:58 PM 81192]
    S4 FaxOverIPPlugin;FaxOverIPPlugin;c:\program files\VoIP Plug-In for Microsoft-Fax\FaxOverIPPlugin.exe [9/11/2009 2:11 PM 29936]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 15:20]

    2010-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 15:20]

    2010-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    Trusted Zone: ketsujin.com\fighterace
    Trusted Zone: ketsujin.com\primary
    Trusted Zone: ketsujin.com\update
    Trusted Zone: ketsujin.com\www
    Trusted Zone: stormofaces.com\www
    FF - ProfilePath - c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\ayd69ifp.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\Peter\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-klmdb.sys
    MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
    MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe
    AddRemove-HijackThis - d:\installs\HJT\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-30 09:54
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(716)
    c:\windows\system32\SETUPAPI.dll
    c:\windows\system32\sfc_os.dll
    c:\windows\system32\cscui.dll

    - - - - - - - > 'lsass.exe'(772)
    c:\windows\system32\setupapi.dll
    c:\windows\system32\psbase.dll

    - - - - - - - > 'explorer.exe'(2676)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msctfime.ime
    c:\windows\system32\COMRes.dll
    c:\windows\System32\cscui.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\SETUPAPI.dll
    c:\windows\system32\NETSHELL.dll
    c:\windows\system32\credui.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-08-30 09:58:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-30 14:58

    Pre-Run: 49,315,905,536 bytes free
    Post-Run: 49,582,735,360 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - EEE9FB1E58E4EDF09D7E572C1506AA80

  10. #20
    Moderator team member
    Registered since
    25.11.2006
    Posts
    5.602

    Re: Windows XP webpage hijack

    Shoot - one of those logs shows an illegal file used for altering Windows activation, among other things. And the zip file's name web searches right to a long list of torrent download sites.

    Security forums like this one do not assist in issues where illegal software is present or in use, and any existing requests are brought to an end and closed. The best I might offer at this time is to reformat the drive, and reinstall Windows. I will need to close this request thread at this time.
    Live the day!

    Jintan - the brand where everything is right!
