ComboFix 11-04-07.06 - Jeff 04/07/2011 22:50:45.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1583 [GMT -4:00]
Running from: c:\documents and settings\Jeff\Desktop\CbFx.exe
AV: ZoneAlarm Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
 * Resident AV is active
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 )))))))))))))))))))))))))))))))
.
.
2011-04-08 02:38 . 2011-04-08 02:38 23152 ----a-w- c:\windows\system32\drivers\tsk1C.tmp
2011-04-08 01:52 . 2011-04-08 01:52 -------- d-s---w- c:\windows\Cookies
2011-04-07 10:42 . 2011-04-07 10:42 23152 ----a-w- c:\windows\system32\drivers\tskF2.tmp
2011-04-06 05:49 . 2011-04-06 06:02 -------- d-----w- c:\documents and settings\Jeff\Application Data\jah
2011-04-06 05:48 . 2011-04-06 05:48 -------- d-----w- c:\program files\OpenLibraries
2011-04-06 05:48 . 2011-04-06 05:48 -------- d-----w- c:\program files\jahPlayer
2011-04-06 03:05 . 2009-09-02 16:44 65602 ----a-w- c:\windows\system32\cook3260.dll
2011-04-06 03:05 . 2009-09-02 16:44 102439 ----a-w- c:\windows\system32\sipr3260.dll
2011-04-06 03:05 . 2009-09-02 16:44 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2011-04-06 03:05 . 2009-09-02 16:44 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2011-03-30 00:48 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-30 00:48 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-30 00:48 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-30 00:48 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-30 00:48 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-30 00:48 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-30 00:48 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-30 00:48 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-19 16:10 . 2011-03-19 16:11 -------- d-----w- c:\program files\CubePortable
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 03:11 . 2010-08-16 01:52 47360 ----a-w- c:\documents and settings\Jeff\Application Data\pcouffin.sys
2011-03-18 17:53 . 2011-03-30 00:48 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-08_01.38.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-08 02:47 . 2011-04-08 02:47 16384 c:\windows\Temp\Perflib_Perfdata_2dc.dat
+ 2011-04-08 02:10 . 2011-04-08 02:10 79276 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0015.dat
- 2011-04-07 08:34 . 2011-04-07 08:34 79884 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0014.dat
+ 2011-04-08 02:10 . 2011-04-08 02:10 79884 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0014.dat
+ 2011-04-08 02:10 . 2011-04-08 02:10 88443 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0013.dat
- 2011-04-07 08:34 . 2011-04-07 08:34 89936 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0012.dat
+ 2011-04-08 02:10 . 2011-04-08 02:10 89936 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0012.dat
+ 2011-04-08 02:09 . 2011-04-08 02:09 22026 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0019.dat
+ 2011-04-08 02:09 . 2011-04-08 02:09 90112 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0018.dat
+ 2011-04-08 02:09 . 2011-04-08 02:09 90078 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0014.dat
+ 2011-04-06 00:32 . 2011-04-08 02:09 10837 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0016.dat
+ 2011-03-18 16:35 . 2011-04-08 02:09 79249 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0015.dat
+ 2011-02-17 16:43 . 2011-04-08 02:09 79876 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0014.dat
- 2010-12-01 21:30 . 2011-04-06 00:32 88443 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0013.dat
+ 2010-12-01 21:30 . 2011-04-08 02:09 88443 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0013.dat
+ 2010-08-16 16:19 . 2011-04-08 02:09 89937 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0012.dat
+ 2011-03-30 02:52 . 2011-04-08 02:09 22188 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0019.dat
- 2011-02-16 20:43 . 2011-04-04 17:53 90112 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0018.dat
+ 2011-02-16 20:43 . 2011-04-08 02:09 90112 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0018.dat
+ 2010-09-18 17:00 . 2011-04-08 02:09 90078 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0014.dat
- 2010-09-18 17:00 . 2011-04-04 17:53 90078 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0014.dat
+ 2011-04-06 00:32 . 2011-04-08 02:10 10837 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0016.dat
+ 2011-03-18 16:35 . 2011-04-08 02:10 79249 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0015.dat
+ 2011-02-17 16:45 . 2011-04-08 02:10 79876 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0014.dat
+ 2010-12-01 21:30 . 2011-04-08 02:10 88443 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0013.dat
- 2010-12-01 21:30 . 2011-04-06 00:32 88443 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0013.dat
+ 2010-08-16 16:19 . 2011-04-08 02:10 89937 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0012.dat
+ 2011-03-30 02:52 . 2011-04-08 02:09 22188 c:\windows\system32\ZoneLabs\avsys\bases\apu0019.dat
- 2011-02-16 20:43 . 2011-04-04 17:53 90112 c:\windows\system32\ZoneLabs\avsys\bases\apu0018.dat
+ 2011-02-16 20:43 . 2011-04-08 02:09 90112 c:\windows\system32\ZoneLabs\avsys\bases\apu0018.dat
- 2010-09-18 17:00 . 2011-04-04 17:53 90078 c:\windows\system32\ZoneLabs\avsys\bases\apu0014.dat
+ 2010-09-18 17:00 . 2011-04-08 02:09 90078 c:\windows\system32\ZoneLabs\avsys\bases\apu0014.dat
- 2010-08-11 06:49 . 2011-04-08 01:06 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-11 06:49 . 2011-04-08 02:46 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-11 06:49 . 2011-04-08 02:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-08-11 06:49 . 2011-04-08 01:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-04-08 02:46 . 2011-04-08 02:46 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-04-08 01:52 . 2011-04-08 01:22 16384 c:\windows\Cookies\index.dat
+ 2011-04-08 02:10 . 2011-04-08 02:10 6568 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\wmuf\wmuf0016.dat
- 2010-08-16 16:04 . 2011-04-06 11:36 4212 c:\windows\system32\zllictbl.dat
+ 2010-08-16 16:04 . 2011-04-08 02:18 4212 c:\windows\system32\zllictbl.dat
+ 2011-04-08 02:03 . 2011-04-08 02:03 393216 c:\windows\Temp\sfdb.dat
+ 2011-04-08 02:03 . 2011-04-08 02:03 262144 c:\windows\Temp\iswift.dat
- 2010-08-16 16:32 . 2011-04-06 02:27 185344 c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2010-08-16 16:32 . 2011-04-08 02:50 185344 c:\windows\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-20 128000]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-08-09 389352]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-23 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-22 16126464]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-20 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-20 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-20 138008]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-07-21 1038848]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-06-15 730600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]
.
c:\documents and settings\Jeff\Start Menu\Programs\Startup\
ButtonBoogie.lnk - c:\program files\PC Magazine Utilities\ButtonBoogie\ButtonBoogie.exe [2010-8-11 303104]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ButtonBoogie.lnk - c:\program files\PC Magazine Utilities\ButtonBoogie\ButtonBoogie.exe [2010-8-11 303104]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2010-8-11 114688]
WallMaster.lnk - c:\program files\WallMaster\wallmast.exe [2010-8-11 288256]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
.
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2/25/2009 6:24 PM 29808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [6/15/2010 7:09 AM 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [6/15/2010 7:09 AM 493032]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [8/16/2010 11:54 PM 1201640]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [8/11/2010 5:54 AM 38656]
.
Contents of the 'Scheduled Tasks' folder
.
2010-11-11 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8281518752.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]
.
2010-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1450960922-839522115-1003Core.job
- c:\documents and settings\Jeff\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-11 09:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\94urjx0q.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym&rl=1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-07 23:01
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JS-00NCB1 rev.10.02E02 -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-6
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A419EC5]<< c:\docume~1\Jeff\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x83b5f872; SUB DWORD [EBP-0x4], 0x83b5f12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk1\DR1[0x8A4DEAB8]
3 CLASSPNP[0xBA12905B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\00000077[0x8A4E6C68]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A411D98]
[0x8A409030] -> IRP_MJ_CREATE -> 0x8A419EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-19 -> \??\IDE#DiskWDC_WD1600JS-00NCB1_____________________10.02E02#5&18fda9ce&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A419AEA
IoDeviceObjectType -> ParseProcedure -> 0x969b5160
\Device\Harddisk0\DR0 -> ParseProcedure -> 0x969b5160
user != kernel MBR !!!
sectors 312581806 (+190): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(840)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2011-04-07 23:07:11
ComboFix-quarantined-files.txt 2011-04-08 03:07
ComboFix2.txt 2011-04-08 01:43
.
Pre-Run: 26,305,232,896 bytes free
Post-Run: 26,186,256,384 bytes free
.
- - End Of File - - 2D6184242000CB78E82361A51A4529F7
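The decisive lines in the log above are in the Gmer MBR detector section: "user != kernel MBR !!!" together with the hook on \Driver\atapi DriverStartIo. The detector reads sector 0 twice, once through the normal I/O path (which a bootkit can filter so that a clean MBR is returned) and once beneath the hook, and compares the two copies. The example below is an added illustration of that comparison, not code from ComboFix, Gmer's mbr.exe, or this log. Both MBR images are constructed: the "clean" one carries the opcode bytes of the standard Windows XP boot-code prologue that mbr.exe disassembled in the kernel-read line above (XOR AX,AX; MOV SS,AX; MOV SP,0x7c00; ... JNZ 0x3a), padded with zeros; the "tampered" one has the first instruction overwritten with a short jump. The single-partition layout and the use of 312581806 (the figure on the log's "sectors" line) as the disk's sector count are assumptions; none of it is real TDL4 code.

```python
"""Diff two reads of the same MBR sector and classify where they differ.

Added example (not part of the ComboFix/mbr.exe output). Both images are
constructed; only the prologue opcodes reflect real Windows XP MBR code.
"""
import struct

SECTOR = 512
PART_TABLE_OFF = 0x1BE
# status, CHS start (skipped), type, CHS end (skipped), LBA start, LBA count
PART_ENTRY_FMT = "<B3xB3xII"
BOOT_SIG = b"\x55\xAA"

# Opcodes for the prologue mbr.exe disassembled: XOR AX,AX; MOV SS,AX; MOV SP,0x7c00;
# STI; PUSH AX; POP ES; PUSH AX; POP DS; CLD; MOV SI,0x7c1b; MOV DI,0x61b; PUSH AX;
# PUSH DI; MOV CX,0x1e5; REP MOVSB; RETF; MOV BP,0x7be; MOV CL,4; CMP [BP+0],CH;
# JL +9 (to 0x2e); JNZ +0x13 (to 0x3a)
XP_MBR_PROLOGUE = bytes.fromhex(
    "33c0 8ed0 bc007c fb 50 07 50 1f fc be1b7c bf1b06 50 57 b9e501 f3a4 cb "
    "bdbe07 b104 386e00 7c09 7513"
)


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba_start, lba_count) tuples."""
    img = bytearray(SECTOR)
    img[:len(boot_code)] = boot_code
    for i, (bootable, ptype, start, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, img, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, start, count)
    img[510:] = BOOT_SIG
    return bytes(img)


def parse_partitions(mbr):
    """Return the non-empty entries of the four-slot partition table."""
    if len(mbr) != SECTOR or mbr[510:] != BOOT_SIG:
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": start, "lba_count": count})
    return parts


def region(offset):
    """Name the MBR region an offset falls in."""
    if offset < PART_TABLE_OFF:
        return "boot code"
    if offset < 510:
        return "partition table"
    return "signature"


def compare_mbr_views(user_view, kernel_view, total_sectors):
    """The 'user != kernel MBR' check: diff the sector as returned through the
    normal I/O stack against the copy read beneath a suspected hook, and report
    how many sectors lie past the last partition (space outside any file
    system where a bootkit can keep its own data)."""
    diffs = [i for i in range(SECTOR) if user_view[i] != kernel_view[i]]
    parts = parse_partitions(kernel_view)          # trust the copy read below the hook
    last_used = max((p["lba_start"] + p["lba_count"] for p in parts), default=0)
    return {
        "mismatch": bool(diffs),
        "diff_offsets": diffs,
        "diff_regions": sorted({region(i) for i in diffs}),
        "partitions": parts,
        "tail_sectors": total_sectors - last_used,
    }


# Constructed sample -------------------------------------------------------
TOTAL_SECTORS = 312581806                       # assumption: figure from the log's 'sectors' line
LAYOUT = [(True, 0x07, 63, 312576642)]          # assumption: one NTFS partition starting at LBA 63
CLEAN_MBR = build_mbr(XP_MBR_PROLOGUE, LAYOUT)
# Constructed tampering: JMP SHORT patched over XOR AX,AX. Not real bootkit code.
TAMPERED_MBR = build_mbr(b"\xEB\x4E" + XP_MBR_PROLOGUE[2:], LAYOUT)

if __name__ == "__main__":
    r = compare_mbr_views(CLEAN_MBR, TAMPERED_MBR, TOTAL_SECTORS)
    print("user != kernel MBR !!!" if r["mismatch"] else "MBR views agree")
    print("changed offsets:", r["diff_offsets"], "in", r["diff_regions"])
    print("sectors past the last partition:", r["tail_sectors"])
```

Two points of the design are worth noting. The partition table is taken from the below-hook copy, because that is the one the firmware actually boots; a filter that only hides boot-code changes leaves the table untouched, so `diff_regions` tells you whether the bootstrap, the table, or both were altered. The `tail_sectors` value is reported because an MBR mismatch on its own does not say where the rest of the bootkit lives; the unpartitioned tail of the disk is the first place to image and examine.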
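The "Files Created", "Find3M" and "SnapShot" sections of the log share one line format: creation timestamp, " . ", modification timestamp, size (or dashes for a directory), an optional attribute field, and the path, with snapshot lines prefixed by "+" or "-". The example below is an added parser and triage pass over such lines; it is not ComboFix's code and its three rules are this example's own. The sample input is a handful of lines copied from the log above plus two noise lines. The rules flag the two tsk*.tmp files in the driver directory and pcouffin.sys under the user profile; those are prompts to check hashes, signatures and provenance, not verdicts, since removal tools also drop temporary drivers into that directory during a clean-up.

```python
"""Parse ComboFix file entries and apply narrow triage rules.

Added example, not part of the log or of ComboFix. SAMPLE_LOG is copied from
the log above plus noise lines; the rules are assumptions of this example.
"""
import re
from datetime import datetime

ENTRY_RE = re.compile(
    r"^(?:(?P<change>[+-]) )?"                              # snapshot diff marker
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) "                                  # dashes for directories
    r"(?:(?P<attrs>[dashrw-]{8}) )?"                        # e.g. ----a-w-, absent in snapshots
    r"(?P<path>[A-Za-z]:\\.*)$"
)

DRIVER_DIR = "\\system32\\drivers\\"
USER_PROFILE = "c:\\documents and settings\\"
CODE_EXT = {"sys", "exe", "dll"}


def parse_entry(line):
    """Return a dict for one file entry, or None for headers, '.' separators and other text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["is_dir"] = d["size"].startswith("-") or (d["attrs"] or "").startswith("d")
    d["size"] = None if d["is_dir"] else int(d["size"])
    d["created"] = datetime.strptime(d["created"], "%Y-%m-%d %H:%M")
    d["modified"] = datetime.strptime(d["modified"], "%Y-%m-%d %H:%M")
    d["change"] = d["change"] or "="     # '+' added / '-' removed in a snapshot, '=' plain listing
    return d


def extension(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(entry):
    """Reasons an entry deserves a look; an empty list means none of the rules fired."""
    if entry["is_dir"] or entry["change"] == "-":
        return []
    p = entry["path"].lower()
    ext = extension(p)
    reasons = []
    if DRIVER_DIR in p and ext != "sys":
        reasons.append("non-.sys file in the kernel driver directory")
    if ext == "sys" and p.startswith(USER_PROFILE):
        reasons.append("kernel driver stored under a user profile")
    if ext in CODE_EXT and "\\temp\\" in p:
        reasons.append("executable code in a Temp directory")
    return reasons


def triage_log(text):
    """Return (path, created, reasons) for every entry that fires at least one rule."""
    hits = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = triage(e)
        if reasons:
            hits.append((e["path"], e["created"], reasons))
    return hits


# Constructed sample: lines copied from the log above plus a separator and a header.
SAMPLE_LOG = r"""
.
2011-04-08 02:38 . 2011-04-08 02:38 23152 ----a-w- c:\windows\system32\drivers\tsk1C.tmp
2011-04-08 01:52 . 2011-04-08 01:52 -------- d-s---w- c:\windows\Cookies
2011-04-07 10:42 . 2011-04-07 10:42 23152 ----a-w- c:\windows\system32\drivers\tskF2.tmp
2011-04-06 03:05 . 2009-09-02 16:44 65602 ----a-w- c:\windows\system32\cook3260.dll
2011-04-06 03:11 . 2010-08-16 01:52 47360 ----a-w- c:\documents and settings\Jeff\Application Data\pcouffin.sys
+ 2011-04-08 02:47 . 2011-04-08 02:47 16384 c:\windows\Temp\Perflib_Perfdata_2dc.dat
- 2010-08-16 16:04 . 2011-04-06 11:36 4212 c:\windows\system32\zllictbl.dat
((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 )))))))))))))))))))))))))))))))
"""

if __name__ == "__main__":
    for path, created, reasons in triage_log(SAMPLE_LOG):
        print(f"{created:%Y-%m-%d %H:%M}  {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

Snapshot "-" lines are skipped on purpose: they describe files that were present at the earlier snapshot and are gone now, so there is nothing left on disk to examine, though the path itself may still be worth recording.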