
Malwarebytes

Is my computer clean?


101 replies to this topic

#21
cgrammie2

    Advanced Member

  • Honorary Members
  • 107 posts
  • Gender:Female

Maniac, on Jun 3 2010, 11:40 AM, said:

Thanks for update! ;)

Don't worry!


Hello again - I am back now and trying to download combofix as instructed above but McAfee has prevented the download twice. This is the message I receive:

McAfee has automatically blocked and removed a Trojan.

About this Trojan
Detected: Artemis!356606F6A226 (Trojan), Artemis!356606F6A226 (Trojan)
Location: C:\Documents and Settings\Linda Cross\Local Settings\Temporary Internet Files\Content.IE5\RKI0RCF4\ComboFix[1].exe

Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer.


Please let me know how to proceed from here. Thank you!

#22
Maniac

    Forum Deity

  • Experts
  • 17,047 posts
  • Gender:Male
  • Location:Bulgaria, EU
Please disable your McAfee and try again with ComboFix.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#23
cgrammie2

    Advanced Member

  • Honorary Members
  • 107 posts
  • Gender:Female

Maniac, on Jun 10 2010, 06:37 AM, said:

Please disable your McAfee and try again with ComboFix.

I have disabled McAfee and renamed ComboFix to Combo-Fix (which has been saved to my desktop). I am now proceeding with disabling my other anti-virus and anti-malware programs. I am trying to disable Spybot TeaTimer - I have unchecked the "Resident TeaTimer (Protection of overall system settings) active." box. I clicked on the "System Startup" icon to uncheck the "TeaTimer" box - there is no TeaTimer box listed here and no prompts to "OK". Should I be doing something else at this point?

My instructions then instruct me to:

"Please download ResetTeaTimer.zip and save to your Desktop. Extract (unzip) the file and double-click ResetTeaTimer.bat to run the script. This will remove all entries set by TeaTimer and keep it from restoring them upon reactivation." Where do I download ResetTeaTimer.zip from to save to my desktop? Do I do this step before or after running Combo-Fix? I have exited out of Spybot but have not restarted my computer yet. Would it be simpler to just uninstall Spybot and reinstall later?

I have the free version of Malwarebytes - how do I disable it? Uninstall and reinstall later?
I am uncertain about these things because I don't have much experience. Thank you for your help!

#24
Maniac

    Forum Deity

  • Experts
  • 17,047 posts
  • Gender:Male
  • Location:Bulgaria, EU
1. It will be much easier if you uninstall SpyBot for now.
2. Free version of MBAM is without Real-Time protection, so you don't need to disable it.

#25
cgrammie2

    Advanced Member

  • Honorary Members
  • 107 posts
  • Gender:Female

Maniac, on Jun 10 2010, 08:10 AM, said:

1. It will be much easier if you uninstall SpyBot for now.
2. Free version of MBAM is without Real-Time protection, so you don't need to disable it.

Hello - finally able to run combofix - sorry for the delay - I had a serious family emergency. Here is the combofix log. Please let me know my next step. Thank you for your help!
----------------------------------------------------------------------------------------------------------

ComboFix 10-06-14.02 - Linda Cross 06/14/2010 22:28:58.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.594 [GMT -7:00]
Running from: c:\documents and settings\Linda Cross\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Linda Cross\GoToAssistDownloadHelper.exe
c:\windows\system\IMPLODE.DLL
c:\windows\system32\fsc.txt
c:\windows\system32\ide.txt
c:\windows\system32\klgd.bmp
c:\windows\system32\qks.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PRAGMAbwqvrnmbpx
-------\Service_PRAGMAbwqvrnmbpx


((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))
.

2010-06-15 03:09 . 2009-10-22 20:54 37392 ----a-w- c:\windows\system32\drivers\99274762.sys
2010-06-15 03:09 . 2009-10-10 06:31 315408 ----a-w- c:\windows\system32\drivers\9927476.sys
2010-06-15 03:09 . 2009-09-26 00:59 128016 ----a-w- c:\windows\system32\drivers\99274761.sys
2010-06-08 22:39 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-02 23:04 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 23:04 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 07:14 . 2010-06-02 05:23 7168 ----a-w- c:\windows\system32\drivers\utqxodiy.sys
2010-05-28 07:35 . 2010-05-28 07:35 -------- d-----w- C:\ea
2010-05-24 22:27 . 2010-05-24 22:27 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.SYS
2010-05-24 19:59 . 2010-05-24 22:30 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-22 12:50 . 2010-06-15 05:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-20 01:55 . 2010-05-20 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-05-20 01:55 . 2010-05-20 01:55 7000064 ---ha-w- C:\SZKGFS.dat
2010-05-20 01:53 . 2010-05-20 01:53 -------- d-----w- c:\program files\Common Files\iS3
2010-05-20 01:53 . 2010-05-20 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 05:50 . 2009-10-06 03:46 -------- d-----w- c:\program files\McAfee
2010-06-15 05:20 . 2007-12-09 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-12 13:09 . 2007-10-02 20:17 -------- d-----w- c:\program files\My Kazaa Gold
2010-06-02 23:04 . 2010-04-29 03:23 -------- d-----w- c:\documents and settings\Linda Cross\Application Data\Malwarebytes
2010-06-02 23:04 . 2010-04-30 22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 23:04 . 2010-04-29 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-02 04:51 . 2009-10-06 05:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-05-20 17:09 . 2010-05-15 19:13 -------- d-----w- c:\program files\RegWork
2010-05-20 13:28 . 2010-05-20 12:47 7304 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-05-20 01:56 . 2010-05-20 01:57 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-05-19 18:36 . 2010-05-17 00:40 112 ----a-w- c:\documents and settings\All Users\Application Data\JOJr2m.dat
2010-05-13 12:57 . 2009-12-21 14:13 -------- d-----w- c:\program files\VoiceScribe
2010-05-12 18:21 . 2009-10-20 21:18 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 17:15 . 2009-10-06 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-12 16:28 . 2010-05-12 16:28 -------- d-----w- c:\program files\Common Files\McAfee
2010-05-12 16:28 . 2003-04-30 15:31 -------- d-----w- c:\program files\McAfee.com
2010-05-12 13:40 . 2010-05-12 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-12 05:27 . 2003-05-12 01:18 105656 -c--a-w- c:\documents and settings\Linda Cross\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-11 06:01 . 2008-05-10 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-05-06 10:41 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-08-29 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 22:18 . 2003-12-31 00:10 -------- d-----w- c:\program files\Watchtower
2010-04-29 13:00 . 2010-04-29 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Bomgar-SCC-4BD91594
2010-04-29 02:51 . 2010-04-29 02:51 10752 ----a-w- C:\exefix_xp.com
2010-04-28 00:10 . 2004-03-25 01:45 -------- d-----w- c:\program files\Lexmark X1100 Series
2010-04-27 23:47 . 2010-04-27 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-25 23:39 . 2010-04-16 23:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-21 17:15 . 2010-04-21 17:15 75264 ----a-w- c:\windows\system32\bfbe.sys
2010-04-20 05:30 . 2002-08-29 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-17 06:29 . 2010-04-17 06:29 49152 ----a-r- c:\documents and settings\Linda Cross\Application Data\Microsoft\Installer\{166E180E-9A3F-41AE-8B40-22D8FFF4AF87}\Icon49FA793C.exe
2010-04-16 23:43 . 2010-04-16 23:43 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-16 23:25 . 2009-10-20 21:09 -------- d-----w- c:\program files\Windows Defender
.
<pre>
c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Lexmark X1100 Series\lxbkbmgr .exe
c:\program files\McAfee.com\Agent\mcagent .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mimboot .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray .exe
c:\program files\Windows Defender\msascui .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\Linda Cross\Start Menu\Programs\Startup\
setup_9.0.0.722_12.06.2010_23-38[1].lnk - c:\documents and settings\Linda Cross\Desktop\Virus Removal Tool\setup_9.0.0.722_12.06.2010_23-38[1]\startup.exe [2010-6-14 72208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\360Share\\Gui\\360Share.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 99274762;99274762 Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\99274762.sys [6/14/2010 8:09 PM 37392]
R1 99274761;99274761;c:\windows\SYSTEM32\DRIVERS\99274761.sys [6/14/2010 8:09 PM 128016]
R1 bfbe;bfbe;c:\windows\SYSTEM32\bfbe.sys [4/21/2010 10:15 AM 75264]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/12/2010 9:33 AM 203280]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 MpKsla3c22b50;MpKsla3c22b50;\??\c:\windows\system32\MpEngineStore\MpKsla3c22b50.sys --> c:\windows\system32\MpEngineStore\MpKsla3c22b50.sys [?]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 utqxodiy;AVZ Kernel Driver;c:\windows\SYSTEM32\DRIVERS\utqxodiy.sys [6/1/2010 12:14 AM 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{33E00BF6-D344-4362-838B-2F9790234042}]
qfoneu71.dll [N/A]
.
Contents of the 'Scheduled Tasks' folder
c:\windows\Tasks\At101.job

2010-06-12 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-05-12 19:22]

2010-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-05-12 19:22]

2010-06-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2010-06-14 c:\windows\Tasks\User_Feed_Synchronization-{0BF8426D-E159-4E88-8E75-FD433358A530}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://phoenix.cox.net/cci/home
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: alpineaccess.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-14 22:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,13,62,e7,0a,32,1f,4d,90,78,a8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,13,62,e7,0a,32,1f,4d,90,78,a8,\

[HKEY_USERS\S-1-5-21-1241913026-665132261-2367862541-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4020)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2010-06-14 23:00:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-15 06:00
ComboFix2.txt 2010-04-29 05:12

Pre-Run: 41,579,347,968 bytes free
Post-Run: 41,625,673,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

- - End Of File - - FA0EA906B45D96D267D4806D5E264A5C

#26
Maniac

    Forum Deity

  • Experts
  • 17,047 posts
  • Gender:Male
  • Location:Bulgaria, EU
Please go to www.virustotal.com and upload the following files:
c:\windows\Tasks\At101.job
C:\windows\system32\qfoneu71.dll

Please post the results in your next reply.

#27
cgrammie2

    Advanced Member

  • Honorary Members
  • 107 posts
  • Gender:Female

Maniac, on Jun 15 2010, 12:22 PM, said:

Please go to www.virustotal.com and upload the following files:
c:\windows\Tasks\At101.job
C:\windows\system32\qfoneu71.dll

Please post the results in your next reply.

Hello - I am currently at what looks like the home page for www.virustotal.com - I am trying to type in the files you instructed me to upload in what appears to be a search box, but none of my typing appears in the box. What am I missing?

Thanks!

#28
cgrammie2

    Advanced Member

  • Honorary Members
  • 107 posts
  • Gender:Female

Maniac, on Jun 15 2010, 12:22 PM, said:

Please go to www.virustotal.com and upload the following files:
c:\windows\Tasks\At101.job
C:\windows\system32\qfoneu71.dll

Please post the results in your next reply.

Hello again - I replied to this earlier this evening but I can't find it posted here - so here we go again - at the virustotal.com home page I was unable to even type in the file names to be uploaded as you instructed earlier. I repeatedly tried to type these file names in what appeared to be a "search" box with no success. What am I missing here?

Thanks for your help!

#29
Maniac

    Forum Deity

  • Experts
  • 17,047 posts
  • Gender:Male
  • Location:Bulgaria, EU
You should use the Choose... button to locate and upload the files one by one.

#30
cgrammie2

    Advanced Member

  • Honorary Members
  • 107 posts
  • Gender:Female

Maniac, on Jun 16 2010, 07:14 AM, said:

You should use the Choose... button to locate and upload the files one by one.

This is a copy of the wording on the screen at www.virustotal.com - there is no Choose button - and I can't type in anything. Sorry, this is not working for me.

-------------------------------------------
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
Analysis | Hash Search | Statistics | Email/Uploader | About VT

Service load [Updating...]
Shows the current service load level. The higher the load the longer you will have to wait for your result. Upload a file
Warning!
VirusTotal is supporting a high workload at this moment.
The scanning process of your sample can take over 15 minutes. We suggest you to use the email interface in these situations. Follow the instructions on the "Email" page to do so.
If you wish you still can submit your sample via this interface.

Options
Send it over SSL
You can use an encrypted channel if you are behind a proxy with antivirus support.

If you wish, you can also send files using your email client.

#31
Maniac

    Forum Deity

  • Experts
  • 17,047 posts
  • Gender:Male
  • Location:Bulgaria, EU
Open Notepad and copy and paste the text in the code box below into it:

KillAll::

File::
c:\windows\Tasks\At101.job

RenV::
c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Lexmark X1100 Series\lxbkbmgr .exe
c:\program files\McAfee.com\Agent\mcagent .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mimboot .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray .exe
c:\program files\Windows Defender\msascui .exe

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_USERS\S-1-5-21-1241913026-665132261-2367862541-1006\Software\Microsoft\SystemCertificates\AddressBook*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
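As an added example that is not part of this thread or of ComboFix, a Python triage helper for ComboFix-style log excerpts: it parses the "Files Created" lines and the <pre> block of a log like the one posted above (the sample lines are copied from that log) and flags the space-before-extension file names that the RenV:: section targets, hidden files dropped in the drive root, and drivers with all-digit names. The flag rules are this example's own heuristics; the same log shows a virus removal tool installed on similar dates, so each hit still needs manual confirmation.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code).

Parses the "Files Created" lines and the <pre> block ComboFix emits for files
whose names carry a space before the extension, and flags entries a helper
would want to look at.  The flag rules are this example's own heuristics.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2010-06-15 03:09 . 2009-10-22 20:54 37392 ----a-w- c:\windows\system32\drivers\99274762.sys
2010-06-01 07:14 . 2010-06-02 05:23 7168 ----a-w- c:\windows\system32\drivers\utqxodiy.sys
2010-05-20 01:55 . 2010-05-20 01:55 7000064 ---ha-w- C:\SZKGFS.dat
2010-05-22 12:50 . 2010-06-15 05:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
<pre>
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\Windows Defender\msascui .exe
</pre>
"""

# "<created> . <modified> <size|--------> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$"
)
# A blank before the extension is the rename pattern RenV:: puts back.
SPACE_BEFORE_EXT_RE = re.compile(r" \.(exe|dll|sys|com|scr)$", re.IGNORECASE)


@dataclass
class Entry:
    created: str
    modified: str
    size: int          # -1 for directories (ComboFix prints --------)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_log(text: str) -> Tuple[List[Entry], List[str]]:
    """Return (file entries, paths listed inside ComboFix's <pre> block)."""
    entries: List[Entry] = []
    pre_paths: List[str] = []
    in_pre = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "<pre>":
            in_pre = True
            continue
        if line == "</pre>":
            in_pre = False
            continue
        if in_pre:
            if line:
                pre_paths.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append(Entry(created, modified,
                                 -1 if size.startswith("-") else int(size),
                                 attrs, path))
    return entries, pre_paths


def triage(text: str) -> List[Tuple[str, str]]:
    """Apply this example's heuristics; returns (reason, path) pairs."""
    entries, pre_paths = parse_log(text)
    findings: List[Tuple[str, str]] = []
    # 1. Names with a space before the extension: the entries RenV:: renames.
    for p in pre_paths:
        if SPACE_BEFORE_EXT_RE.search(p):
            findings.append(("space-before-extension", p))
    for e in entries:
        if e.is_dir:
            continue
        # 2. Hidden files placed directly in the drive root are unusual.
        if e.hidden and e.path.count("\\") == 1:
            findings.append(("hidden-root-file", e.path))
        # 3. Kernel drivers named only with digits; removal tools use such
        #    names too, so this is a review queue, not a verdict.
        low = e.path.lower()
        if "\\drivers\\" in low and low.endswith(".sys") and e.name[:-4].isdigit():
            findings.append(("numeric-driver-name", e.path))
    return findings
```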

#32
cgrammie2

    Advanced Member

  • Honorary Members
  • 107 posts
  • Gender:Female

Maniac, on Jun 16 2010, 10:28 AM, said:

(quoted the CFScript instructions from post #31 above)

Here is the new combofix log - thanks for your help!
------------------------------------------------------------------

ComboFix 10-06-16.03 - Linda Cross 06/17/2010 6:22.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.618 [GMT -7:00]
Running from: c:\documents and settings\Linda Cross\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Linda Cross\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Tasks\At101.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win.com
c:\windows\Tasks\At101.job

.
((((((((((((((((((((((((( Files Created from 2010-05-17 to 2010-06-17 )))))))))))))))))))))))))))))))
.

2010-06-15 03:09 . 2009-10-22 20:54 37392 ----a-w- c:\windows\system32\drivers\99274762.sys
2010-06-15 03:09 . 2009-10-10 06:31 315408 ----a-w- c:\windows\system32\drivers\9927476.sys
2010-06-15 03:09 . 2009-09-26 00:59 128016 ----a-w- c:\windows\system32\drivers\99274761.sys
2010-06-08 22:39 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-02 23:04 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 23:04 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 07:14 . 2010-06-02 05:23 7168 ----a-w- c:\windows\system32\drivers\utqxodiy.sys
2010-05-28 07:35 . 2010-05-28 07:35 -------- d-----w- C:\ea
2010-05-24 22:27 . 2010-05-24 22:27 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.SYS
2010-05-24 19:59 . 2010-05-24 22:30 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-22 12:50 . 2010-06-15 05:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-20 01:55 . 2010-05-20 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-05-20 01:55 . 2010-05-20 01:55 7000064 ---ha-w- C:\SZKGFS.dat
2010-05-20 01:53 . 2010-05-20 01:53 -------- d-----w- c:\program files\Common Files\iS3
2010-05-20 01:53 . 2010-05-20 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 13:22 . 2009-10-20 21:09 -------- d-----w- c:\program files\Windows Defender
2010-06-17 13:22 . 2004-03-25 01:45 -------- d-----w- c:\program files\Lexmark X1100 Series
2010-06-17 12:18 . 2009-10-06 03:46 -------- d-----w- c:\program files\McAfee
2010-06-17 00:50 . 2009-10-06 05:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-06-15 05:20 . 2007-12-09 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-12 13:09 . 2007-10-02 20:17 -------- d-----w- c:\program files\My Kazaa Gold
2010-06-02 23:04 . 2010-04-29 03:23 -------- d-----w- c:\documents and settings\Linda Cross\Application Data\Malwarebytes
2010-06-02 23:04 . 2010-04-30 22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 23:04 . 2010-04-29 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-20 17:09 . 2010-05-15 19:13 -------- d-----w- c:\program files\RegWork
2010-05-20 13:28 . 2010-05-20 12:47 7304 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-05-19 18:36 . 2010-05-17 00:40 112 ----a-w- c:\documents and settings\All Users\Application Data\JOJr2m.dat
2010-05-13 12:57 . 2009-12-21 14:13 -------- d-----w- c:\program files\VoiceScribe
2010-05-12 18:21 . 2009-10-20 21:18 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 17:15 . 2009-10-06 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-12 16:28 . 2010-05-12 16:28 -------- d-----w- c:\program files\Common Files\McAfee
2010-05-12 16:28 . 2003-04-30 15:31 -------- d-----w- c:\program files\McAfee.com
2010-05-12 13:40 . 2010-05-12 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-12 05:27 . 2003-05-12 01:18 105656 -c--a-w- c:\documents and settings\Linda Cross\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-11 06:01 . 2008-05-10 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-05-06 10:41 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-08-29 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 22:18 . 2003-12-31 00:10 -------- d-----w- c:\program files\Watchtower
2010-04-29 13:00 . 2010-04-29 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Bomgar-SCC-4BD91594
2010-04-29 02:51 . 2010-04-29 02:51 10752 ----a-w- C:\exefix_xp.com
2010-04-27 23:47 . 2010-04-27 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-25 23:39 . 2010-04-16 23:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-21 17:15 . 2010-04-21 17:15 75264 ----a-w- c:\windows\system32\bfbe.sys
2010-04-20 05:30 . 2002-08-29 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 23:43 . 2010-04-16 23:43 552 ----a-w- c:\windows\system32\d3d8caps.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\Linda Cross\Start Menu\Programs\Startup\
setup_9.0.0.722_12.06.2010_23-38[1].lnk - c:\documents and settings\Linda Cross\Desktop\Virus Removal Tool\setup_9.0.0.722_12.06.2010_23-38[1]\startup.exe [2010-6-14 72208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\360Share\\Gui\\360Share.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 99274762;99274762 Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\99274762.sys [6/14/2010 8:09 PM 37392]
R1 99274761;99274761;c:\windows\SYSTEM32\DRIVERS\99274761.sys [6/14/2010 8:09 PM 128016]
R1 bfbe;bfbe;c:\windows\SYSTEM32\bfbe.sys [4/21/2010 10:15 AM 75264]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/12/2010 9:33 AM 203280]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 MpKsla3c22b50;MpKsla3c22b50;\??\c:\windows\system32\MpEngineStore\MpKsla3c22b50.sys --> c:\windows\system32\MpEngineStore\MpKsla3c22b50.sys [?]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 utqxodiy;AVZ Kernel Driver;c:\windows\SYSTEM32\DRIVERS\utqxodiy.sys [6/1/2010 12:14 AM 7168]
.
Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-05-12 19:22]

2010-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-05-12 19:22]

2010-06-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2010-06-17 c:\windows\Tasks\User_Feed_Synchronization-{0BF8426D-E159-4E88-8E75-FD433358A530}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://phoenix.cox.net/cci/home
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: alpineaccess.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-{33E00BF6-D344-4362-838B-2F9790234042} - qfoneu71.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-17 06:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000000D12799D3B6FDF5B1A

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1241913026-665132261-2367862541-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3016)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2010-06-17 06:57:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-17 13:57
ComboFix2.txt 2010-06-15 06:00
ComboFix3.txt 2010-04-29 05:12

Pre-Run: 41,340,379,136 bytes free
Post-Run: 41,395,646,464 bytes free

- - End Of File - - 382E4B91A7D91FC420F2A6BE66315549

#33
Maniac

    Forum Deity

  • Experts
  • 17,047 posts
  • Gender:Male
  • Location:Bulgaria, EU
How are things running now?

#34
cgrammie2

    Advanced Member

  • Honorary Members
  • 107 posts
  • Gender:Female

Maniac, on Jun 17 2010, 10:22 AM, said:

How are things running now?

Things are mostly running fine - just seem to still be getting redirects when doing Google searches. Does this still indicate a virus problem?

#35
Maniac

    Forum Deity

  • Experts
  • 17,047 posts
  • Gender:Male
  • Location:Bulgaria, EU
Please read the following through carefully so that you understand what to do.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.


#36
cgrammie2

    Advanced Member

  • Honorary Members
  • 107 posts
  • Gender:Female

Maniac, on Jun 17 2010, 12:48 PM, said:

Please read the following through carefully so that you understand what to do.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.

HELLO!

Just ran TDSSKiller - What's next? Here is the log:
------------------------------------------------------------------------------
19:14:00:890 2232 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
19:14:00:890 2232 ================================================================================
19:14:00:890 2232 SystemInfo:

19:14:00:890 2232 OS Version: 5.1.2600 ServicePack: 3.0
19:14:00:890 2232 Product type: Workstation
19:14:00:890 2232 ComputerName: GRAMMIE
19:14:00:890 2232 UserName: Linda Cross
19:14:00:890 2232 Windows directory: C:\WINDOWS
19:14:00:890 2232 Processor architecture: Intel x86
19:14:00:890 2232 Number of processors: 1
19:14:00:890 2232 Page size: 0x1000
19:14:00:906 2232 Boot type: Normal boot
19:14:00:906 2232 ================================================================================
19:14:01:515 2232 Initialize success
19:14:01:515 2232
19:14:01:515 2232 Scanning Services ...
19:14:01:968 2232 Raw services enum returned 362 services
19:14:01:984 2232
19:14:01:984 2232 Scanning Drivers ...
19:14:03:812 2232 99274761 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\99274761.sys
19:14:04:156 2232 99274762 (a305fad3719c5db0c13d1c2bfd08a04d) C:\WINDOWS\system32\DRIVERS\99274762.sys
19:14:04:562 2232 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
19:14:04:828 2232 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:14:05:093 2232 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
19:14:05:343 2232 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
19:14:05:578 2232 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
19:14:05:890 2232 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:14:06:046 2232 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
19:14:06:171 2232 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\System32\DRIVERS\agp440.sys
19:14:06:578 2232 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
19:14:06:937 2232 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
19:14:07:281 2232 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
19:14:07:484 2232 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
19:14:07:781 2232 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
19:14:07:968 2232 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
19:14:08:109 2232 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
19:14:08:250 2232 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
19:14:08:578 2232 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
19:14:08:890 2232 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
19:14:09:062 2232 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
19:14:09:281 2232 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:14:09:421 2232 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:14:09:578 2232 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:14:09:687 2232 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:14:09:781 2232 bcm4sbxp (f5c0d3c93235a455cdd13c954adf1a80) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
19:14:10:000 2232 BCMModem (41347688046d49cde0f6d138a534f73d) C:\WINDOWS\system32\DRIVERS\BCMSM.sys
19:14:10:250 2232 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:14:10:343 2232 bfbe (84e3616024c57c8c49d5810c5e8df09d) C:\WINDOWS\system32\bfbe.sys
19:14:10:343 2232 Suspicious file (NoAccess): C:\WINDOWS\system32\bfbe.sys. md5: 84e3616024c57c8c49d5810c5e8df09d
19:14:10:500 2232 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
19:14:10:625 2232 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:14:10:781 2232 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
19:14:10:953 2232 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:14:11:093 2232 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:14:11:203 2232 Cdr4_xp (bf79e659c506674c0497cc9c61f1a165) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
19:14:11:343 2232 Cdralw2k (2c41cd49d82d5fd85c72d57b6ca25471) C:\WINDOWS\system32\drivers\Cdralw2k.sys
19:14:11:468 2232 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:14:11:593 2232 cdudf_xp (cfd81f2140193fc7f1812e6d6eaf6795) C:\WINDOWS\system32\drivers\cdudf_xp.sys
19:14:11:796 2232 Changer (2a5815ca6fff24b688c01f828b96819c) C:\WINDOWS\system32\drivers\Changer.sys
19:14:11:968 2232 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
19:14:12:093 2232 CO_Mon (6be1d6403727bdd8a2b2568dbe6bfb8b) C:\WINDOWS\system32\Drivers\CO_Mon.sys
19:14:12:296 2232 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
19:14:12:437 2232 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
19:14:12:562 2232 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
19:14:12:750 2232 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:14:12:921 2232 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:14:13:093 2232 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:14:13:203 2232 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:14:13:312 2232 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:14:13:437 2232 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
19:14:13:562 2232 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:14:13:734 2232 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
19:14:13:937 2232 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
19:14:14:078 2232 dvd_2K (677829f7010768eeeed8d0083e510dab) C:\WINDOWS\system32\drivers\dvd_2K.sys
19:14:14:312 2232 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
19:14:14:468 2232 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:14:14:593 2232 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
19:14:14:718 2232 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:14:14:859 2232 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
19:14:14:984 2232 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:14:15:109 2232 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:14:15:234 2232 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:14:15:406 2232 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:14:15:546 2232 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:14:15:656 2232 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
19:14:15:843 2232 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:14:16:125 2232 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
19:14:16:281 2232 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
19:14:16:546 2232 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:14:16:812 2232 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
19:14:16:953 2232 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
19:14:17:093 2232 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
19:14:17:234 2232 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
19:14:17:453 2232 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
19:14:17:593 2232 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
19:14:17:718 2232 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
19:14:17:843 2232 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
19:14:17:984 2232 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
19:14:18:109 2232 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
19:14:18:265 2232 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
19:14:18:531 2232 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:14:18:671 2232 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
19:14:18:859 2232 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
19:14:18:984 2232 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:14:19:109 2232 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:14:19:234 2232 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:14:19:500 2232 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:14:19:640 2232 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:14:19:781 2232 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:14:19:890 2232 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:14:20:046 2232 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:14:20:187 2232 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:14:20:546 2232 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
19:14:20:796 2232 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:14:20:937 2232 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:14:21:093 2232 lbrtfdc (406598827a1b5f77954de11dde115ced) C:\WINDOWS\system32\drivers\lbrtfdc.sys
19:14:21:218 2232 MCSTRM (5bb01b9f582259d1fb7653c5c1da3653) C:\WINDOWS\system32\drivers\MCSTRM.sys
19:14:21:421 2232 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys
19:14:21:640 2232 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys
19:14:21:843 2232 mfehidk (317997eb32fe039e7881704e596a2ed1) C:\WINDOWS\system32\drivers\mfehidk.sys
19:14:22:078 2232 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
19:14:22:343 2232 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
19:14:22:562 2232 mmc_2K (9b90303a9c9405a6ce1466ff4aa20fdd) C:\WINDOWS\system32\drivers\mmc_2K.sys
19:14:22:765 2232 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:14:22:875 2232 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:14:23:000 2232 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
19:14:23:203 2232 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:14:23:343 2232 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:14:23:500 2232 MPFP (136157e79849b9e5316ba4008d6075a8) C:\WINDOWS\system32\Drivers\Mpfp.sys
19:14:23:812 2232 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
19:14:23:953 2232 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:14:24:125 2232 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:14:24:437 2232 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:14:24:562 2232 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:14:24:687 2232 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:14:24:843 2232 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:14:24:968 2232 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:14:25:093 2232 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
19:14:25:234 2232 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:14:25:406 2232 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:14:25:531 2232 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:14:25:671 2232 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:14:25:812 2232 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
19:14:25:953 2232 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:14:26:078 2232 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:14:26:203 2232 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:14:26:359 2232 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:14:26:515 2232 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:14:26:671 2232 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:14:26:921 2232 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:14:27:046 2232 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:14:27:171 2232 omci (1d98907d80461371437a7c898c58c8ae) C:\WINDOWS\system32\DRIVERS\omci.sys
19:14:27:359 2232 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
19:14:27:484 2232 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
19:14:27:640 2232 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:14:27:781 2232 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:14:27:906 2232 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:14:28:062 2232 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:14:28:203 2232 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:14:28:390 2232 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
19:14:28:578 2232 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
19:14:28:718 2232 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:14:28:843 2232 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
19:14:28:953 2232 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:14:29:078 2232 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:14:29:156 2232 pwd_2k (d8b90616a8bd53de281dbdb664c0984a) C:\WINDOWS\system32\drivers\pwd_2k.sys
19:14:29:390 2232 PxHelp20 (db3b30c3a4cdcf07e164c14584d9d0f2) C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:14:29:593 2232 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
19:14:29:718 2232 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
19:14:29:843 2232 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
19:14:29:968 2232 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
19:14:30:109 2232 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
19:14:30:250 2232 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:14:30:390 2232 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:14:30:515 2232 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:14:30:640 2232 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:14:30:750 2232 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:14:30:906 2232 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.SYS
19:14:31:031 2232 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:14:31:156 2232 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
19:14:31:343 2232 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:14:31:484 2232 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:14:31:609 2232 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
19:14:31:750 2232 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
19:14:31:875 2232 setup_9.0.0.722_12.06.2010_23-38[1]drv (66ef49622baa18e4d4f1fe4bae1d51b8) C:\WINDOWS\system32\DRIVERS\9927476.sys
19:14:32:187 2232 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:14:32:359 2232 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys
19:14:32:484 2232 smwdm (70b8dd8707dbf6142530c106365df67d) C:\WINDOWS\system32\drivers\smwdm.sys
19:14:32:796 2232 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
19:14:33:000 2232 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:14:33:140 2232 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:14:33:312 2232 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
19:14:33:531 2232 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:14:33:656 2232 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:14:33:796 2232 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
19:14:33:984 2232 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
19:14:34:171 2232 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys
19:14:34:406 2232 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
19:14:34:546 2232 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
19:14:34:734 2232 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:14:34:875 2232 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:14:35:031 2232 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:14:35:171 2232 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:14:35:312 2232 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:14:35:453 2232 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
19:14:35:593 2232 UdfReadr_xp (4e75005b74be901c30f2636df40b0c15) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
19:14:35:828 2232 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:14:35:953 2232 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
19:14:36:156 2232 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:14:36:343 2232 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:14:36:500 2232 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:14:36:625 2232 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:14:36:765 2232 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:14:36:890 2232 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:14:37:015 2232 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:14:37:140 2232 utqxodiy (524d8d450622db4a7875b111c299a76b) C:\WINDOWS\system32\Drivers\utqxodiy.sys
19:14:37:390 2232 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:14:37:531 2232 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys
19:14:37:671 2232 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
19:14:37:796 2232 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:14:37:921 2232 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:14:38:062 2232 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:14:38:203 2232 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
19:14:38:406 2232 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
19:14:38:531 2232 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:14:38:671 2232 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:14:38:812 2232 {6080A529-897E-4629-A488-ABA0C29B635E} (afeffe0f8805fcd47b05cf1fbde08092) C:\WINDOWS\system32\drivers\ialmsbw.sys
19:14:38:984 2232 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (85a36991a5ceaf9e65c4b743210e759b) C:\WINDOWS\system32\drivers\ialmkchw.sys
19:14:39:046 2232
19:14:39:046 2232 Completed
19:14:39:046 2232
19:14:39:046 2232 Results:
19:14:39:062 2232 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:14:39:062 2232 File objects infected / cured / cured on reboot: 0 / 0 / 0
19:14:39:062 2232
19:14:39:062 2232 KLMD(ARK) unloaded successfully
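
Reading a TDSSKiller log by hand is tedious, so here is an added example (my code, not part of this thread, of TDSSKiller or of Malwarebytes) that pulls out what a responder looks at first: the tool's own "Suspicious file" verdict lines, the final infected/cured tallies, and a triage list of drivers. The `SAMPLE_LOG` lines are copied from the log posted above so the script runs offline; in practice you would feed it `C:\TDSSKiller.txt` as produced by the command in the instructions. Two things are assumptions of mine rather than anything TDSSKiller states: the regular expressions that describe the 2.3.x log layout, and the heuristic that a kernel driver loading from outside `\Windows\system32\drivers` deserves a second look. That heuristic is a prompt for review, not a verdict: it flags `bfbe.sys` (which the tool itself marks Suspicious, and which also appears as an R1 driver dated 2010-04-21 in the ComboFix log earlier in the thread), but it equally flags a vendor driver such as `DSproct.sys` under Program Files.

```python
"""Triage a TDSSKiller 2.3.x text log (added example, not TDSSKiller's own code)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: these lines are copied from the TDSSKiller log posted
# above so the example runs offline; the full log is ~200 lines long.
SAMPLE_LOG = r"""19:14:00:890 2232 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
19:14:01:984 2232 Scanning Drivers ...
19:14:03:812 2232 99274761 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\99274761.sys
19:14:04:828 2232 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:14:10:343 2232 bfbe (84e3616024c57c8c49d5810c5e8df09d) C:\WINDOWS\system32\bfbe.sys
19:14:10:343 2232 Suspicious file (NoAccess): C:\WINDOWS\system32\bfbe.sys. md5: 84e3616024c57c8c49d5810c5e8df09d
19:14:13:734 2232 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
19:14:37:140 2232 utqxodiy (524d8d450622db4a7875b111c299a76b) C:\WINDOWS\system32\Drivers\utqxodiy.sys
19:14:39:046 2232 Completed
19:14:39:046 2232 Results:
19:14:39:062 2232 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:14:39:062 2232 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

# One enumerated driver: "<time> <pid> <service name> (<md5>) <path>"  (layout assumed from the log)
DRIVER_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*?)\s*$"
)
# TDSSKiller's own verdict line for a file it could not read or trust.
SUSPICIOUS_RE = re.compile(
    r"Suspicious file \((?P<reason>[^)]+)\):\s+(?P<path>.+?)\.\s+md5:\s+(?P<md5>[0-9a-f]{32})"
)
# Final tallies: "<Registry|File> objects infected / cured / cured on reboot: a / b / c"
RESULTS_RE = re.compile(
    r"(?P<kind>Registry|File) objects infected / cured / cured on reboot:"
    r"\s+(?P<infected>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)"
)
# Heuristic (mine, not TDSSKiller's): boot-time drivers normally live under
# \Windows\system32\drivers; a kernel driver elsewhere is worth a second look,
# though legitimate vendor drivers (DSproct above) also trigger it.
STANDARD_DRIVER_DIR = re.compile(r"\\windows\\system32\\drivers\\", re.IGNORECASE)


@dataclass
class Driver:
    name: str
    md5: str
    path: str


@dataclass
class Triage:
    drivers: list = field(default_factory=list)   # every Driver enumerated
    flagged: list = field(default_factory=list)   # (path, reason) pairs worth reviewing
    results: dict = field(default_factory=dict)   # "registry"/"file" -> (infected, cured, cured_on_reboot)


def parse_tdsskiller_log(text: str) -> Triage:
    """Walk the log line by line and collect drivers, verdicts and tallies."""
    triage = Triage()
    for line in text.splitlines():
        m = SUSPICIOUS_RE.search(line)
        if m:
            triage.flagged.append(
                (m["path"], f"TDSSKiller verdict: Suspicious file ({m['reason']}), md5 {m['md5']}")
            )
            continue
        m = RESULTS_RE.search(line)
        if m:
            triage.results[m["kind"].lower()] = (
                int(m["infected"]), int(m["cured"]), int(m["reboot"])
            )
            continue
        m = DRIVER_RE.match(line)
        if m:
            drv = Driver(m["name"], m["md5"], m["path"])
            triage.drivers.append(drv)
            if not STANDARD_DRIVER_DIR.search(drv.path):
                triage.flagged.append(
                    (drv.path, f"driver '{drv.name}' loads from outside system32\\drivers")
                )
    return triage


def review_lines(triage: Triage) -> list:
    """Human-readable summary: the items and hashes to paste back to the helper."""
    lines = [f"{len(triage.drivers)} drivers enumerated, {len(triage.flagged)} item(s) to review"]
    for path, reason in triage.flagged:
        lines.append(f"  {path}: {reason}")
    for kind, (inf, cured, reboot) in sorted(triage.results.items()):
        lines.append(f"  {kind} objects: infected={inf} cured={cured} cured_on_reboot={reboot}")
    return lines


if __name__ == "__main__":
    print("\n".join(review_lines(parse_tdsskiller_log(SAMPLE_LOG))))
```

On the excerpt above the script reports five drivers and three review items: `bfbe.sys` twice (once from the directory heuristic, once from TDSSKiller's own Suspicious verdict with its md5) and `DSproct.sys` once, with both tallies at 0 / 0 / 0, which matches the log's own "Results" block: the tool found nothing it was willing to cure, so the md5 of the flagged file is the next thing a helper would want to look up.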

#37
Maniac

    Forum Deity

  • Experts
  • 17,047 posts
  • Gender:Male
  • Location:Bulgaria, EU
Please download to your Desktop: Dr.Web CureIt
  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details Leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.
    Posted Image


#38
cgrammie2 (Advanced Member, Honorary Members, 107 posts, Female)

View PostManiac, on Jun 18 2010, 07:15 AM, said:

[quotes the Dr.Web CureIt instructions from #37 above]

I think there is a problem - I never got past the 2nd bullet item in your instructions. I downloaded Dr.Web CureIt as instructed (it took 15-20 minutes to download). When the download finished I disabled anti-virus and disconnected from the internet. Received a prompt to run Dr.Web - clicked on Run - waited about 1/2 hour and received no other prompts - received no indication that any scan was happening or anything. Tried to uninstall or delete it from my desktop - received this message: "Error deleting file or folder - Cannot delete Dr.Web-Cureit: Access denied. Make sure the disk is not full or write protected and that the file is not currently in use." I checked Task Manager, which doesn't show ANY programs running. Please let me know what to do next.

I'm going to try to delete Dr. Web from my desktop and then download again while waiting for your comments.

Thank you!

#39
Maniac (Forum Deity, Experts, 17,047 posts, Male, Bulgaria, EU)
Please try again in Safe Mode with Networking:
http://www.microsoft.com/resources/documen...t_failsafe.mspx

#40
cgrammie2 (Advanced Member, Honorary Members, 107 posts, Female)

View PostManiac, on Jun 18 2010, 02:01 PM, said:

Please try again in Safe Mode with Networking:
http://www.microsoft.com/resources/documen...t_failsafe.mspx

Please take me through the steps on how to run in safe mode with networking.

Thanks!




