I don't know, guys, I can't quite explain it.
When I turned on everything this morning, things felt off. Webpages were loading slower and just outright stalling, my wave volume would just drop all of a sudden or the entire Windows Audio would just disable, and there's a "svchost.exe" that is eating away a lot of memory usage (went up to 200,000 K+ once) and seems to be the reason for the webpage stalling, but when I kill it in Task Manager things seem to go back to normal for a bit.
I ran both updated versions of Malwarebytes and Spybot S&D, all while being offline. I ran Malwarebytes twice and Spybot S&D once, and I did get various virus results. I've got the 2 logs from Malwarebytes; here they both are:
hxxp://pastebin.com/2awahdsL
hxxp://pastebin.com/mCQjj1mU
Also, Spybot S&D came up with a registry change under "Babylon.Toolbar".
Anyway, here is the DDS.txt log:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.6.2
Run by Ben at 22:12:10 on 2012-11-12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.632 [GMT -8:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\sndvol32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
uSearch Bar = hxxp://www.plusnetwork.com/?sp=ctbar&q={searchTerms}&dp=MessengerPlus
uSearch Page = hxxp://www.bing.com/?pc=AVBR
uSearchAssistant = hxxp://www.plusnetwork.com/?sp=ctbar&q={searchTerms}&dp=MessengerPlus
mSearchAssistant = about:blank
BHO: Octh Class: {000123B4-9B42-4900-B3F7-F4B073EFC214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Open FVD Suite Toolbar: {2B171655-A69C-5c18-B693-6CB5DC269D44} - c:\program files\fvd suite\addons\ie\FVDToolbar.dll
BHO: BitComet Helper: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: aTube Toolbar: {bfc39e47-d643-4dc2-aa1d-61377501c844} - c:\program files\atube\atubeX.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: FVD Suite Toolbar: {2B171655-A69C-5c18-B693-6CB5DC269D41} - c:\program files\fvd suite\addons\ie\FVDToolbar.dll
TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
TB: aTube Toolbar: {bfc39e47-d643-4dc2-aa1d-61377501c844} - c:\program files\atube\atubeX.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {3B54DEAB-C6D4-48a8-8C32-A70558643400} - c:\program files\finalvideodownloader\fvdRunner.html
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll/206
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1352766940312
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.5.1.0.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{07882D2D-546F-45CE-9137-ADB2A096475A} : DHCPNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 Spyware Info | Spyware Info | spyware software | spyware program | protection spyware
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ben\application data\mozilla\firefox\profiles\7bl1swlj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\ben\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\ben\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\ben\local settings\application data\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2012-3-10 22312]
S2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S4 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S4 MsgPlusService;Messenger Plus! Service;c:\program files\yuna software\messenger plus! for skype\MsgPlusForSkypeService.exe [2012-2-23 119808]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-6-7 160944]
S4 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
.
=============== File Associations ===============
.
ShellExec: BitComet.exe: open="c:\program files\bitcomet\BitComet.exe"
.
=============== Created Last 30 ================
.
2012-11-12 15:08:14 -------- d-----w- c:\documents and settings\ben\application data\Malwarebytes
2012-11-12 15:08:05 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-11-12 15:08:03 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-12 15:08:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-11-12 03:59:35 -------- d-----w- c:\documents and settings\all users\application data\Messenger Plus!
2012-11-12 03:58:51 -------- d-----w- c:\program files\Microsoft
2012-10-19 01:22:32 -------- d-----w- c:\program files\lx_cats
2012-10-19 01:21:05 40960 ----a-w- c:\windows\system32\lxcyvs.dll
2012-10-19 01:21:04 344064 ----a-w- c:\windows\system32\lxcycoin.dll
2012-10-19 01:21:04 117760 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\lxcypp5c.dll
2012-10-19 01:19:21 -------- d-----w- C:\drivers
.
==================== Find3M ====================
.
2012-11-07 15:12:58 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-07 15:12:58 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-17 04:25:05 9883648 ----a-w- c:\documents and settings\ben\ntuser.tmp
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ------w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:29:19 2192896 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:06 2069632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-20 21:27:43 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-20 21:27:40 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-20 21:27:40 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-20 21:27:40 143872 ----a-w- c:\windows\system32\javacpl.cpl
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: WDC_WD200BB-75AUA1 rev.18.20D18 -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-1b
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8621D4B1]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8622493c]; MOV EAX, [0x86224ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk1\DR1[0x86333AB8]
3 CLASSPNP[0xF764FFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005d[0x863369E8]
5 ACPI[0xF75A6620] -> nt!IofCallDriver[0x804E37D5] -> [0x8638C940]
\Driver\atapi[0x862B5AD8] -> IRP_MJ_CREATE -> 0x8621D4B1
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8621D2E2
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 22:13:42.71 ================
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks for the help in looking into this guys.