Please Help


18 replies to this topic

#1 willd

willd

    New Member

  • Members
  • 19 posts

Posted 25 December 2010 - 11:19 PM

Hello, Merry Christmas and thank you in advance.

This is my stepson's computer and I am completely baffled. I have been working on this all weekend (since yesterday anyhow) and just seem to be getting nowhere.


I believe this is all of the info you need to start, according to here:
http://forums.malwar...?showtopic=9573

I work 2 jobs so I might not be able to do things right away so please let me know if that is going to be a problem.

I have to upload this from my computer because the infected one blocks your site when I try to upload from there.

Thank You,

Willd


MBAM LOG:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5394

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/25/2010 2:51:57 PM
mbam-log-2010-12-25 (14-51-57).txt

Scan type: Quick scan
Objects scanned: 169944
Time elapsed: 19 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JP595IR86O (Trojan.FraudPack) -> Value: JP595IR86O -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\Oz1.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\Oz0.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\Oz2.exe (Trojan.FraudPack) -> Delete on reboot.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


DDS:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 19:10:55.34 on Sat 12/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.177 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uSearchAssistant =
mSearchAssistant =
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DW6]
uRun: [dejfphmx] c:\docume~1\owner\locals~1\temp\uubicvqdq\jqwvkdiaffm.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CHotkey] zHotkey.exe
mRun: [BearShare] "c:\program files\bearshare\BearShare.exe" /pause
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: live.com\onecare
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://albertsons.coupons.smartsource.com/download/cscmv5X.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1293234691093
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S0 adwikxd;adwikxd;c:\windows\system32\drivers\bekr.sys --> c:\windows\system32\drivers\bekr.sys [?]
S2 NNServ;NNServ;"c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" servicestart --> c:\program files\newdotnet\nnrun.exe [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2010-11-16 267568]

=============== Created Last 30 ================

2010-12-25 23:56:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-25 23:56:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-25 18:14:13 -------- d-----w- C:\ee6b30a673b1b541293562ab4ca0d8
2010-12-25 16:30:55 -------- d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-12-25 16:30:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-25 16:30:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-25 04:20:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-25 04:20:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-25 03:19:08 -------- d-----w- c:\program files\Loaris
2010-12-25 00:16:48 -------- d--h--w- c:\program files\WindowsUpdate
2010-12-25 00:12:38 -------- d-----w- c:\docume~1\owner\applic~1\ElevatedDiagnostics
2010-12-24 23:26:57 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\FixItCenter
2010-12-24 23:25:07 -------- d-----w- c:\windows\MATS
2010-12-24 23:25:04 -------- d-----w- c:\program files\Microsoft Fix it Center
2010-12-24 22:32:59 76800 ------w- c:\windows\system32\msshavmsg.dll
2010-12-24 22:26:08 4255 ------w- c:\windows\system32\drivers\adv01nt5.dll
2010-12-24 22:24:32 19569 ----a-w- c:\windows\002788_.tmp
2010-12-24 22:18:32 -------- d-----w- c:\windows\EHome
2010-12-24 14:26:19 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
2010-12-24 05:53:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-24 05:24:22 -------- d-----w- c:\windows\pss
2010-12-24 05:23:54 -------- d-----w- C:\0dd941d7f2610f30b7d323a55326
2010-12-24 05:23:53 -------- d-----w- C:\2aaeaeff91a25884dc00e8
2010-12-24 05:23:52 -------- d-----w- C:\487a6b61adb0c567cb
2010-12-24 05:23:50 -------- d-----w- C:\c6783c46a2fe735c7d298838b81471
2010-12-24 05:23:46 -------- d-----w- C:\70c4babbaf749f43a4
2010-12-24 04:18:40 -------- d-----w- C:\0219c6c091bc11352e6d91
2010-12-24 04:17:05 -------- d-----w- C:\5088597288c1ba94e3
2010-12-24 04:16:56 -------- d-----w- C:\893ffd6facbecd1bdae1
2010-12-24 04:16:45 -------- d-----w- C:\08156ec3aa9500a47e
2010-12-24 04:16:21 -------- d-----w- C:\571aaf439bdc918cee53a21c5ec8c032
2010-12-24 04:15:58 -------- d-----w- C:\3750f0569d0635b1411e1f2cb15517ac
2010-12-24 04:15:47 -------- d-----w- C:\57f3331fb5c8dbb83238abb4b325c9be
2010-12-24 04:14:32 -------- d-----w- C:\1fe66f0e39f02e4b019637a4df013928
2010-12-24 04:14:11 -------- d-----w- C:\31925ef44076c8c61d69
2010-12-24 04:13:58 -------- d-----w- C:\da0db74252d895d3143228
2010-12-24 04:13:55 -------- d-----w- C:\f43a6c60d2d752d174b3b450d2
2010-12-24 02:15:05 -------- d-----w- C:\718f3e9d89c2bd59606e
2010-12-24 02:14:53 -------- d-----w- C:\ce472f0a452fcd55f1a101c5f3af8b
2010-12-24 02:14:32 -------- d-----w- C:\13f53ddf082dc6787a140ba7

==================== Find3M ====================

2010-11-16 07:10:14 65328 ----a-w- c:\windows\apppatch\matsshim.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600BB-22GUA0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort4 P4T0L0-1f

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8336E446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x83374504]; MOV EAX, [0x83374580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x83341030]
3 CLASSPNP[0xF76FCFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000007f[0x833D45B8]
5 ACPI[0xF7513620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x833D4770]
\Driver\atapi[0x832F39A8] -> IRP_MJ_CREATE -> 0x8336E446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP4T0L0-1f -> \??\IDE#DiskWDC_WD1600BB-22GUA0_____________________08.02D08#5&df90ce5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8336E292
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 19:12:28.75 ===============


#2 LDTate

LDTate

    Forum Deity

  • Moderators
  • 21,126 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 27 December 2010 - 11:41 AM

Please don't attach the scans / logs, use "copy/paste".


DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.


Vista and Windows 7 users:
1. These tools MUST be run from the executable (.exe) every time you run them.
2. With Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Open Notepad, click on Format and uncheck Word Wrap.


Internet Explorer (Windows)
1. Click "Tools", then click "Internet Options". This will bring up the Internet Options window.

2. Click the "Connections" tab, then click the "LAN Settings" button.

3. Uncheck the box labeled "Use a proxy server for your LAN". Click "OK", and click "OK" in the previous window. This will remove the proxy server settings in Internet Explorer.



Firefox (Windows)
1. Click "Tools", then click "Options" to bring up the Options window.

2. Click the "Advanced" button, then click the "Network" tab.

3. Click the "Settings" button, located next to "Configure how Firefox connects to the Internet".

4. Click the radio button labeled "No proxy". Click "OK" twice. This will remove the proxy server settings in Firefox.



Next:


Disable Internet Explorer Proxy Settings and Reset TCP/IP and Winsock

Disable Internet Explorer Proxy Settings and Reset TCP/IP

It is very important that these steps be carried out exactly as shown, otherwise the fix will not work.
If you have any questions please ask before moving on.
  • Please start Notepad and, using your mouse, make sure you select and copy all the information below in the Code box into your new document.
  • Then save the file as "fixme.bat" to your Desktop
  • In the drop down box for Save as type: make sure you select All Files (*.*) and keep the quotes on the name as well. Then close the new file.
    @ECHO OFF
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable  /t REG_DWORD /d 0 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0 /f
    netsh int ip reset resetlog.txt
    netsh winsock reset catalog
  • On Windows XP you can double-click the file to run it.
  • On Vista/Win7 you need to right-click the file and choose Run as administrator to run it. With User Account Control on it should ask permission to run it. Click Yes.
  • This will flash a black DOS box very quickly and go away; this is normal.
  • Restart your computer now.
  • Launch Internet Explorer and see if you can connect to the Internet.
  • Launch MBAM and check for Updates

Larry Tate
Product Support

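To show what the proxy fix in this reply targets, and what to look for in the DDS log from the first post, here is an added triage script (my own example, not a tool from this thread or from Malwarebytes). It scans a DDS pseudo-HJT report for a ProxyServer entry pointed at the local machine, Run values launched from a temp folder, services whose image file is missing (the "[?]" marker), and the GMER "user != kernel MBR" mismatch; the sample report is constructed from lines of the log posted above.

```python
"""Triage a DDS pseudo-HJT report for the indicators seen in this thread.

Added example, not a tool from the thread or from Malwarebytes. It flags:
  - an IE ProxyServer pointed at the local machine (what fixme.bat removes)
  - Run entries that launch from a temp directory
  - services/drivers whose image file is missing ("[?]" in DDS output)
  - the GMER "user != kernel MBR" mismatch
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS and GMER output posted above.
# A real run would read the saved dds.txt instead.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DW6]
uRun: [dejfphmx] c:\docume~1\owner\locals~1\temp\uubicvqdq\jqwvkdiaffm.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S0 adwikxd;adwikxd;c:\windows\system32\drivers\bekr.sys --> c:\windows\system32\drivers\bekr.sys [?]
S2 NNServ;NNServ;"c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" servicestart --> c:\program files\newdotnet\nnrun.exe [?]
user != kernel MBR !!!
"""


@dataclass
class Finding:
    kind: str    # short indicator class
    detail: str  # proxy target, Run value name, service name or raw line


PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
RUN_RE = re.compile(r"^[um]Run:\s*\[([^\]]*)\]\s*(.*)$")
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")
# %TEMP% under the profile (locals~1\temp) or the system temp (windows\temp)
TEMP_RE = re.compile(r"\\(locals~1\\)?temp\\|\\windows\\temp\\", re.I)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def loopback_proxy(value):
    """Return the first proxy target that points at this machine, else None.

    ProxyServer is either a single "host:port" or a "proto=host:port;..." list.
    """
    for entry in value.split(";"):
        target = entry.split("=", 1)[-1].strip()
        host = target.rsplit(":", 1)[0].strip("[]")
        if host.lower() in LOOPBACK:
            return target
    return None


def triage(report):
    """Scan the report line by line and return the Findings in report order."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            target = loopback_proxy(m.group(1))
            if target:
                findings.append(Finding("loopback-proxy", target))
            continue
        m = RUN_RE.match(line)
        if m:
            if TEMP_RE.search(m.group(2)):
                findings.append(Finding("autorun-in-temp", m.group(1)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m.group(2).rstrip().endswith("[?]"):
                findings.append(Finding("service-missing-image", m.group(1)))
            continue
        if "user != kernel MBR" in line:
            findings.append(Finding("mbr-mismatch", line))
    return findings


def summarize(findings):
    """Count findings per indicator class, e.g. {'loopback-proxy': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.kind:22} {f.detail}")
```

A loopback proxy in HKCU is the browser-side half of the hijack; removing it with the batch file above does not remove whatever process was listening on that port, which is why the Run and service findings still need their own scans.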

#3 willd

willd

    New Member

  • Members
  • 19 posts

Posted 27 December 2010 - 06:56 PM

Hello,

OK, the first part: "Use proxy server" was not checked, but neither was "Automatically detect settings", so I checked that.

Second part: Ran the script, restarted the computer, updated MBAM (went from database 5394 to 5405), and I am posting this from the infected computer now.

I stopped there because I was not sure if you wanted me to run another scan now or not.

Thank you,
Willd

#4 LDTate

LDTate

    Forum Deity

  • Moderators
  • 21,126 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 27 December 2010 - 07:08 PM

I stopped there because I was not sure if you wanted me to run another scan now or not.

Yes run and post the results.

Also let me know how it's running.
Larry Tate
Product Support


#5 willd

willd

    New Member

  • Members
  • 19 posts

Posted 27 December 2010 - 08:17 PM

OK, I went to grab a bite to eat after my last post and had left Internet Explorer open as well as MBAM, and when I got back both would not respond. Did Control-Alt-Delete, and that finally came up after approximately 60 seconds; I was able to end those processes, then ran a new scan that found this one item.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5405

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/27/2010 7:08:47 PM
mbam-log-2010-12-27 (19-08-47).txt

Scan type: Quick scan
Objects scanned: 175922
Time elapsed: 21 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dejfphmx (Trojan.FakeAlert.Gen) -> Value: dejfphmx -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 LDTate

LDTate

    Forum Deity

  • Moderators
  • 21,126 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 27 December 2010 - 08:20 PM

Next:
Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.


  • If an infected file is detected, the default action will be Cure, click on Continue.


  • If a suspicious file is detected, the default action will be Skip, click on Continue.


  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



Please post the contents of the TDSSKiller log.

Also please describe how your computer behaves at the moment.
Larry Tate
Product Support


#7 willd

willd

    New Member

  • Members
  • 19 posts

Posted 27 December 2010 - 08:33 PM

OK, here is the log. I don't think I mentioned this before, but my hard drive was not showing up in Disk Management before; it's there now, so there is progress for sure.

2010/12/27 19:26:08.0296 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/27 19:26:08.0296 ================================================================================
2010/12/27 19:26:08.0296 SystemInfo:
2010/12/27 19:26:08.0296
2010/12/27 19:26:08.0296 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/27 19:26:08.0296 Product type: Workstation
2010/12/27 19:26:08.0296 ComputerName: QUIGLEY
2010/12/27 19:26:08.0296 UserName: Owner
2010/12/27 19:26:08.0296 Windows directory: C:\WINDOWS
2010/12/27 19:26:08.0296 System windows directory: C:\WINDOWS
2010/12/27 19:26:08.0296 Processor architecture: Intel x86
2010/12/27 19:26:08.0296 Number of processors: 1
2010/12/27 19:26:08.0296 Page size: 0x1000
2010/12/27 19:26:08.0296 Boot type: Normal boot
2010/12/27 19:26:08.0296 ================================================================================
2010/12/27 19:26:08.0984 Initialize success
2010/12/27 19:27:00.0859 ================================================================================
2010/12/27 19:27:00.0859 Scan started
2010/12/27 19:27:00.0859 Mode: Manual;
2010/12/27 19:27:00.0859 ================================================================================
2010/12/27 19:27:18.0781 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/27 19:27:18.0968 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/27 19:27:19.0109 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/27 19:27:19.0234 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/27 19:27:19.0578 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/12/27 19:27:19.0703 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/12/27 19:27:19.0843 pfc (ed2e7f396b4098608c95bc3806bdf6fc) C:\WINDOWS\system32\drivers\pfc.sys
2010/12/27 19:27:19.0953 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/27 19:27:20.0078 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/12/27 19:27:20.0187 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/27 19:27:20.0296 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/27 19:27:20.0500 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/12/27 19:27:20.0609 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/12/27 19:27:20.0734 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/12/27 19:27:20.0859 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/12/27 19:27:20.0984 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/12/27 19:27:21.0109 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/27 19:27:21.0218 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/27 19:27:21.0343 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/27 19:27:21.0453 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/27 19:27:21.0578 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/27 19:27:21.0781 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/27 19:27:21.0921 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/27 19:27:22.0140 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/27 19:27:22.0343 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/27 19:27:22.0484 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/12/27 19:27:22.0625 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/27 19:27:22.0656 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/12/27 19:27:22.0859 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/27 19:27:23.0062 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/27 19:27:23.0171 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/27 19:27:23.0296 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/27 19:27:23.0468 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/12/27 19:27:23.0656 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/12/27 19:27:23.0781 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/27 19:27:23.0921 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/27 19:27:24.0156 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/27 19:27:24.0359 SunkFilt (86ca1a5c15a5a98d5533945fb1120b05) C:\WINDOWS\System32\Drivers\sunkfilt.sys
2010/12/27 19:27:24.0484 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/27 19:27:24.0593 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/27 19:27:24.0703 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/12/27 19:27:24.0828 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/12/27 19:27:25.0031 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/12/27 19:27:25.0140 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/12/27 19:27:25.0328 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/27 19:27:25.0468 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/27 19:27:25.0671 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/27 19:27:25.0796 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/27 19:27:25.0921 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/27 19:27:26.0171 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/12/27 19:27:26.0296 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/27 19:27:26.0500 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/12/27 19:27:26.0640 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/27 19:27:26.0859 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/12/27 19:27:26.0984 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/27 19:27:27.0109 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/27 19:27:27.0218 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/27 19:27:27.0328 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/12/27 19:27:27.0515 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/27 19:27:27.0734 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/27 19:27:27.0796 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/27 19:27:27.0859 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/27 19:27:27.0906 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/27 19:27:28.0000 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/12/27 19:27:28.0187 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/12/27 19:27:28.0328 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/27 19:27:28.0468 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/27 19:27:28.0656 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/27 19:27:28.0812 winachsf (2dc7c0b6175a0a8ed84a4f70199c93b5) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/12/27 19:27:28.0984 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/27 19:27:28.0984 ================================================================================
2010/12/27 19:27:28.0984 Scan finished
2010/12/27 19:27:28.0984 ================================================================================
2010/12/27 19:27:29.0000 Detected object count: 1
2010/12/27 19:28:04.0578 \HardDisk0 - will be cured after reboot
2010/12/27 19:28:04.0578 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/27 19:28:30.0734 Deinitialize success
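
The one hit in that run, `\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4`, is a master boot record detection rather than a driver file: TDL4 overwrites the MBR boot code so that it loads before Windows, and stores its own components in the unpartitioned sectors past the last partition. The Python below is an added example, not code from this thread or from TDSSKiller. It parses a 512-byte MBR image, lists the partition table, measures the unpartitioned tail of the disk, and compares the boot-code hash against a baseline. The MBR bytes, the 80 GiB disk size and the "known-good" baseline are all constructed for the example; on a real machine the baseline would be a hash you recorded from the same disk before infection.

```python
"""Inspect a 512-byte MBR image: boot signature, partition table,
boot-code hash versus a baseline, and the unpartitioned tail of the disk.

Added example; sample MBR bytes, disk size and baseline hash are constructed.
"""
import hashlib
import struct
from typing import Dict, List, NamedTuple

SECTOR_BYTES = 512
BOOTCODE_LEN = 440     # boot code precedes the 4-byte disk signature at offset 0x1B8
TABLE_OFFSET = 446     # four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"  # status, CHS start(3, skipped), type, CHS end(3, skipped), LBA start, sectors


class Partition(NamedTuple):
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Return the non-empty partition entries; reject a short or unsigned image."""
    if len(mbr) != SECTOR_BYTES:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts: List[Partition] = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0:          # empty slot
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def unpartitioned_tail(parts: List[Partition], disk_sectors: int) -> int:
    """Sectors between the end of the last partition and the end of the disk.
    A large tail is where a TDL4-style bootkit keeps its hidden file system."""
    end = max((p.lba_start + p.sectors for p in parts), default=0)
    return max(disk_sectors - end, 0)


def bootcode_sha256(mbr: bytes) -> str:
    """Hash only the boot code, so a legitimate partition-table edit does not trip the check."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, disk_sectors: int, baseline_sha256: str) -> Dict[str, object]:
    parts = parse_mbr(mbr)
    return {
        "partitions": parts,
        "bootcode_matches_baseline": bootcode_sha256(mbr) == baseline_sha256,
        "tail_sectors": unpartitioned_tail(parts, disk_sectors),
        "multiple_bootable": sum(p.bootable for p in parts) > 1,
    }


def build_mbr(bootcode: bytes, parts: List[Partition]) -> bytes:
    """Assemble a 512-byte MBR for the constructed sample (CHS fields left zero)."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code too long")
    img = bytearray(SECTOR_BYTES)
    img[:len(bootcode)] = bootcode
    for p in parts:
        struct.pack_into(ENTRY_FMT, img, TABLE_OFFSET + 16 * p.index,
                         0x80 if p.bootable else 0x00, p.type_id, p.lba_start, p.sectors)
    img[510:512] = b"\x55\xaa"
    return bytes(img)


# Constructed sample: one bootable NTFS (0x07) partition at LBA 63 on an 80 GiB disk.
DISK_SECTORS = 80 * 1024 * 1024 * 1024 // SECTOR_BYTES   # 167_772_160 sectors
SAMPLE_PARTS = [Partition(0, True, 0x07, 63, 167_766_000)]
# Placeholder boot-code bytes (not real boot code); the "infected" image differs only there.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + bytes(435), SAMPLE_PARTS)
INFECTED_MBR = build_mbr(b"\xeb\x58\x90" + bytes(437), SAMPLE_PARTS)
CLEAN_BASELINE = bootcode_sha256(CLEAN_MBR)   # hypothetical pre-infection baseline

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(label, check_mbr(img, DISK_SECTORS, CLEAN_BASELINE))
```

To run this against a live disk on Windows you would read the first sector with administrator rights, for example `open(r"\\.\PhysicalDrive0", "rb").read(512)`. One caveat matters for this thread: an active TDL4 hooks disk I/O and can hand a clean-looking MBR to reads made from inside the infected Windows, so a reliable check is made from boot media or by attaching the disk to another machine; that is also why the tool above reports "will be cured after reboot".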

#8 LDTate

    Forum Deity

  • Moderators
  • 21,126 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 27 December 2010 - 08:35 PM

We need to run it again to make sure it's gone before moving on.
Larry Tate
Product Support


#9 willd

    New Member

  • Members
  • 19 posts

Posted 27 December 2010 - 08:51 PM

Ok,
Here is the new log. Did not find anything.


2010/12/27 19:45:28.0390 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/27 19:45:28.0390 ================================================================================
2010/12/27 19:45:28.0390 SystemInfo:
2010/12/27 19:45:28.0390
2010/12/27 19:45:28.0390 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/27 19:45:28.0390 Product type: Workstation
2010/12/27 19:45:28.0390 ComputerName: QUIGLEY
2010/12/27 19:45:28.0390 UserName: Owner
2010/12/27 19:45:28.0390 Windows directory: C:\WINDOWS
2010/12/27 19:45:28.0390 System windows directory: C:\WINDOWS
2010/12/27 19:45:28.0390 Processor architecture: Intel x86
2010/12/27 19:45:28.0390 Number of processors: 1
2010/12/27 19:45:28.0390 Page size: 0x1000
2010/12/27 19:45:28.0390 Boot type: Normal boot
2010/12/27 19:45:28.0390 ================================================================================
2010/12/27 19:45:28.0609 Initialize success
2010/12/27 19:45:31.0515 ================================================================================
2010/12/27 19:45:31.0515 Scan started
2010/12/27 19:45:31.0515 Mode: Manual;
2010/12/27 19:45:31.0515 ================================================================================
2010/12/27 19:45:32.0640 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/12/27 19:45:32.0734 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/27 19:45:32.0937 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/27 19:45:33.0093 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/12/27 19:45:33.0281 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/27 19:45:33.0390 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/27 19:45:33.0593 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/12/27 19:45:34.0031 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/12/27 19:45:34.0375 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/12/27 19:45:34.0578 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/12/27 19:45:34.0750 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/12/27 19:45:34.0968 ALCXWDM (933933288df5ed26d1928215c97d05c7) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/12/27 19:45:35.0218 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/12/27 19:45:35.0328 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/12/27 19:45:35.0562 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/12/27 19:45:35.0750 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/12/27 19:45:35.0843 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/12/27 19:45:35.0937 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/12/27 19:45:35.0984 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/12/27 19:45:36.0015 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/12/27 19:45:36.0093 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/27 19:45:36.0234 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/27 19:45:36.0406 ati2mtag (dcd26b36ce305b718e2f1c56c19df668) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/12/27 19:45:36.0640 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/27 19:45:36.0812 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/27 19:45:36.0859 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/27 19:45:36.0968 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/12/27 19:45:37.0093 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/27 19:45:37.0171 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/12/27 19:45:37.0218 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/27 19:45:37.0281 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/27 19:45:37.0406 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/27 19:45:37.0593 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/12/27 19:45:37.0796 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/12/27 19:45:38.0000 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/12/27 19:45:38.0187 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/12/27 19:45:38.0328 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/27 19:45:38.0609 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/27 19:45:38.0937 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/27 19:45:39.0140 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/27 19:45:39.0265 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/27 19:45:39.0500 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/12/27 19:45:39.0703 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/27 19:45:39.0859 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/27 19:45:40.0062 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/27 19:45:40.0171 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/27 19:45:40.0281 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/27 19:45:40.0406 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/27 19:45:40.0531 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/27 19:45:40.0578 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/27 19:45:40.0687 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/12/27 19:45:40.0812 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/27 19:45:40.0921 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/27 19:45:41.0125 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/12/27 19:45:41.0265 HSFHWBS2 (33dfc0afa95f9a2c753ff2adb7d4a21f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2010/12/27 19:45:41.0515 HSF_DP (b2dfc168d6f7512faea085253c5a37ad) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/12/27 19:45:41.0765 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/27 19:45:41.0984 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/12/27 19:45:42.0078 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/12/27 19:45:42.0203 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/27 19:45:42.0328 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/27 19:45:42.0437 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/12/27 19:45:42.0625 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/27 19:45:42.0812 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/27 19:45:43.0000 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/27 19:45:43.0187 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/27 19:45:43.0343 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/27 19:45:43.0578 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/27 19:45:43.0781 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/27 19:45:43.0890 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/27 19:45:44.0015 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/27 19:45:44.0125 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/27 19:45:44.0328 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/27 19:45:44.0609 MCSTRM (5bb01b9f582259d1fb7653c5c1da3653) C:\WINDOWS\system32\drivers\MCSTRM.sys
2010/12/27 19:45:44.0718 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/12/27 19:45:44.0828 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/27 19:45:44.0937 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/27 19:45:45.0046 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/27 19:45:45.0171 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/27 19:45:45.0265 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/12/27 19:45:45.0390 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/27 19:45:45.0625 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/27 19:45:45.0843 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/27 19:45:45.0953 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/27 19:45:46.0062 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/27 19:45:46.0171 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/27 19:45:46.0296 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/27 19:45:46.0421 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/27 19:45:46.0515 mxnic (e1cdf20697d992cf83ff86dd04df1285) C:\WINDOWS\system32\DRIVERS\mxnic.sys
2010/12/27 19:45:46.0656 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/27 19:45:46.0859 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/27 19:45:46.0968 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/27 19:45:47.0078 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/27 19:45:47.0187 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/27 19:45:47.0296 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/27 19:45:47.0406 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/27 19:45:47.0640 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/12/27 19:45:47.0843 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/27 19:45:47.0984 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/27 19:45:48.0203 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/27 19:45:48.0343 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/12/27 19:45:48.0578 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/27 19:45:48.0687 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/27 19:45:48.0812 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/12/27 19:45:48.0921 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2010/12/27 19:45:49.0031 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/27 19:45:49.0140 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/27 19:45:49.0234 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/27 19:45:49.0359 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/27 19:45:49.0609 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/27 19:45:49.0828 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/27 19:45:50.0156 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/12/27 19:45:50.0265 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/12/27 19:45:50.0406 pfc (ed2e7f396b4098608c95bc3806bdf6fc) C:\WINDOWS\system32\drivers\pfc.sys
2010/12/27 19:45:50.0531 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/27 19:45:50.0656 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/12/27 19:45:50.0765 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/27 19:45:50.0875 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/27 19:45:51.0078 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/12/27 19:45:51.0187 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/12/27 19:45:51.0296 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/12/27 19:45:51.0421 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/12/27 19:45:51.0531 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/12/27 19:45:51.0671 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/27 19:45:51.0781 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/27 19:45:51.0906 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/27 19:45:52.0015 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/27 19:45:52.0125 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/27 19:45:52.0328 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/27 19:45:52.0453 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/27 19:45:52.0656 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/27 19:45:52.0859 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/27 19:45:53.0000 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/12/27 19:45:53.0125 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/27 19:45:53.0140 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/12/27 19:45:53.0343 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/27 19:45:53.0468 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/27 19:45:53.0671 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/27 19:45:53.0812 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/27 19:45:54.0031 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/12/27 19:45:54.0234 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/12/27 19:45:54.0359 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/27 19:45:54.0515 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/27 19:45:54.0718 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/27 19:45:54.0937 SunkFilt (86ca1a5c15a5a98d5533945fb1120b05) C:\WINDOWS\System32\Drivers\sunkfilt.sys
2010/12/27 19:45:55.0046 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/27 19:45:55.0156 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/27 19:45:55.0265 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/12/27 19:45:55.0375 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/12/27 19:45:55.0578 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/12/27 19:45:55.0687 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/12/27 19:45:55.0812 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/27 19:45:55.0953 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/27 19:45:56.0140 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/27 19:45:56.0250 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/27 19:45:56.0375 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/27 19:45:56.0609 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/12/27 19:45:56.0734 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/27 19:45:56.0937 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/12/27 19:45:57.0109 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/27 19:45:57.0312 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/12/27 19:45:57.0421 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/27 19:45:57.0546 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/27 19:45:57.0656 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/27 19:45:57.0781 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/12/27 19:45:57.0890 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/27 19:45:58.0000 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/27 19:45:58.0140 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/27 19:45:58.0250 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/27 19:45:58.0296 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/27 19:45:58.0421 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/12/27 19:45:58.0609 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/12/27 19:45:58.0750 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/27 19:45:58.0875 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/27 19:45:58.0984 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/27 19:45:59.0140 winachsf (2dc7c0b6175a0a8ed84a4f70199c93b5) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/12/27 19:45:59.0328 ================================================================================
2010/12/27 19:45:59.0328 Scan finished
2010/12/27 19:45:59.0328 ================================================================================
2010/12/27 19:46:17.0765 Deinitialize success
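
Reading the two TDSSKiller runs above side by side is the check the moderator asked for: each driver line carries the service name, an MD5 of the file and its path, so between runs the list should be unchanged and the `\HardDisk0` detection should be gone. The Python below is an added example, not code from this thread or from Kaspersky's tool, that parses that log format and diffs two runs. The sample text is constructed in the log's format from a few of the lines above; the atapi hash in the second run is altered on purpose to show what a changed driver looks like in the output.

```python
"""Parse TDSSKiller driver-enumeration logs and diff two runs.

Added example. Sample log text is constructed in the posted format; the
second run's atapi hash is deliberately altered to exercise the "changed" path.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Driver(NamedTuple):
    md5: str
    path: str


class Detection(NamedTuple):
    obj: str
    threat: str


# One enumerated driver: "<timestamp> <service> (<md5>) <path>"  (path may contain spaces)
DRIVER_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*?)\s*$"
)
# A detection: "<timestamp> \<object> - detected <threat> (<n>)"
DETECT_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+"
    r"(?P<obj>\\\S+) - detected (?P<threat>\S+)"
)


def parse_log(text: str) -> Tuple[Dict[str, Driver], List[Detection]]:
    """Return {service_name: Driver} plus the list of detections found in a log."""
    drivers: Dict[str, Driver] = {}
    detections: List[Detection] = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            drivers[m.group("name")] = Driver(m.group("md5"), m.group("path"))
            continue
        m = DETECT_RE.match(line)
        if m:
            detections.append(Detection(m.group("obj"), m.group("threat")))
    return drivers, detections


def diff_runs(before: Dict[str, Driver], after: Dict[str, Driver]) -> Dict[str, list]:
    """Services that appeared, disappeared, or changed hash/path between two runs."""
    result: Dict[str, list] = {"added": [], "removed": [], "changed": []}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            result["added"].append(name)
        elif name not in after:
            result["removed"].append(name)
        elif before[name] != after[name]:
            result["changed"].append((name, before[name].md5, after[name].md5))
    return result


def triage(before_text: str, after_text: str) -> Dict[str, object]:
    """Summarise a before/after pair the way a helper reads two posted logs."""
    b_drv, b_det = parse_log(before_text)
    a_drv, a_det = parse_log(after_text)
    return {
        "detections_before": [f"{d.obj} {d.threat}" for d in b_det],
        "detections_after": [f"{d.obj} {d.threat}" for d in a_det],
        "driver_diff": diff_runs(b_drv, a_drv),
        "detection_cleared": bool(b_det) and not a_det,
    }


# Constructed sample in the posted format (hashes for Tcpip, SASDIFSV and the first atapi
# line are the values shown in the thread; the second atapi hash is made up).
RUN_1 = "\n".join([
    r"2010/12/27 19:27:25.0468 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys",
    r"2010/12/27 19:27:22.0625 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS",
    r"2010/12/27 19:27:05.0000 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys",
    r"2010/12/27 19:27:28.0984 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)",
    r"2010/12/27 19:27:28.0984 Scan finished",
])
RUN_2 = "\n".join([
    r"2010/12/27 19:45:55.0953 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys",
    r"2010/12/27 19:45:53.0125 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS",
    r"2010/12/27 19:45:36.0234 atapi (deadbeefdeadbeefdeadbeefdeadbeef) C:\WINDOWS\system32\DRIVERS\atapi.sys",
    r"2010/12/27 19:45:59.0328 Scan finished",
])

if __name__ == "__main__":
    import json
    print(json.dumps(triage(RUN_1, RUN_2), indent=2))
```

Applied to the two full logs in this thread the diff is empty and the detection list goes from one entry to none, which is what "did not find anything" should look like. A non-empty `changed` list after a cure is worth a second look: a system driver whose hash changed between runs without a Windows update in between is exactly the kind of file-patching older TDSS variants did.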

#10 LDTate

    Forum Deity

  • Moderators
  • 21,126 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 27 December 2010 - 08:52 PM

Download ComboFix from one of these locations:

Link 1
Link 2 (if using this link, right-click and select Save As).


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.
Larry Tate
Product Support


#11 willd


  • Members
  • 19 posts

Posted 27 December 2010 - 09:38 PM

If I haven't said Hello and Thank You yet, Hello and Thank You.
Scan installed the Recovery Console and ran OK (as far as I know anyway).

ComboFix 10-12-26.01 - Owner 12/27/2010 20:10:06.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.135 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\completescan
c:\documents and settings\Owner\My Documents\iexplore.exe
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\system32\Oeminfo.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NNSERV
-------\Service_NNServ


((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-28 )))))))))))))))))))))))))))))))
.

2010-12-25 23:56 . 2010-12-25 23:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-25 23:56 . 2010-12-25 23:56 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-25 19:14 . 2010-12-25 19:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-12-25 18:14 . 2010-12-25 18:58 -------- d-----w- C:\ee6b30a673b1b541293562ab4ca0d8
2010-12-25 16:30 . 2010-12-25 16:30 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-12-25 16:30 . 2010-12-25 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-25 16:30 . 2010-12-25 16:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-25 09:03 . 2010-12-25 09:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-12-25 04:20 . 2010-12-25 21:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-25 04:20 . 2010-12-25 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-12-25 03:19 . 2010-12-25 03:19 -------- d-----w- c:\program files\Loaris
2010-12-25 00:12 . 2010-12-25 00:12 -------- d-----w- c:\documents and settings\Owner\Application Data\ElevatedDiagnostics
2010-12-24 23:26 . 2010-12-24 23:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FixItCenter
2010-12-24 23:25 . 2010-12-24 23:25 -------- d-----w- c:\windows\MATS
2010-12-24 23:25 . 2010-12-24 23:25 -------- d-----w- c:\program files\Microsoft Fix it Center
2010-12-24 22:32 . 2008-04-14 11:42 155136 ------w- c:\windows\system32\mssha.dll
2010-12-24 22:24 . 2006-12-29 06:31 19569 ----a-w- c:\windows\002788_.tmp
2010-12-24 22:18 . 2010-12-24 22:18 -------- d-----w- c:\windows\EHome
2010-12-24 14:40 . 2010-12-25 00:31 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-24 14:26 . 2010-12-24 14:26 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-12-24 14:09 . 2010-12-24 14:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-12-24 05:53 . 2010-10-19 16:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-24 05:23 . 2010-12-24 05:23 -------- d-----w- C:\0dd941d7f2610f30b7d323a55326
2010-12-24 05:23 . 2010-12-24 05:23 -------- d-----w- C:\2aaeaeff91a25884dc00e8
2010-12-24 05:23 . 2010-12-24 05:23 -------- d-----w- C:\487a6b61adb0c567cb
2010-12-24 05:23 . 2010-12-24 05:23 -------- d-----w- C:\c6783c46a2fe735c7d298838b81471
2010-12-24 05:23 . 2010-12-24 05:23 -------- d-----w- C:\70c4babbaf749f43a4
2010-12-24 04:18 . 2010-12-24 04:18 -------- d-----w- C:\0219c6c091bc11352e6d91
2010-12-24 04:17 . 2010-12-24 04:17 -------- d-----w- C:\5088597288c1ba94e3
2010-12-24 04:16 . 2010-12-24 04:16 -------- d-----w- C:\893ffd6facbecd1bdae1
2010-12-24 04:16 . 2010-12-24 04:16 -------- d-----w- C:\08156ec3aa9500a47e
2010-12-24 04:16 . 2010-12-24 04:16 -------- d-----w- C:\571aaf439bdc918cee53a21c5ec8c032
2010-12-24 04:15 . 2010-12-24 04:15 -------- d-----w- C:\3750f0569d0635b1411e1f2cb15517ac
2010-12-24 04:15 . 2010-12-24 04:15 -------- d-----w- C:\57f3331fb5c8dbb83238abb4b325c9be
2010-12-24 04:14 . 2010-12-24 04:14 -------- d-----w- C:\1fe66f0e39f02e4b019637a4df013928
2010-12-24 04:14 . 2010-12-24 04:14 -------- d-----w- C:\31925ef44076c8c61d69
2010-12-24 04:13 . 2010-12-24 04:13 -------- d-----w- C:\da0db74252d895d3143228
2010-12-24 04:13 . 2010-12-24 04:13 -------- d-----w- C:\f43a6c60d2d752d174b3b450d2
2010-12-24 02:15 . 2010-12-24 02:15 -------- d-----w- C:\718f3e9d89c2bd59606e
2010-12-24 02:14 . 2010-12-24 02:14 -------- d-----w- C:\ce472f0a452fcd55f1a101c5f3af8b
2010-12-24 02:14 . 2010-12-25 17:22 -------- d-----w- C:\13f53ddf082dc6787a140ba7
2010-12-11 21:23 . 2010-12-11 21:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-03 22:36 . 2010-12-03 22:36 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-12-03 22:35 . 2010-12-03 22:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 00:09 . 2010-11-17 22:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-11-17 22:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 07:10 . 2010-11-16 07:10 65328 ----a-w- c:\windows\apppatch\matsshim.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-16 180269]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"CHotkey"="zHotkey.exe" [2004-05-18 543232]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\pokher\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
S0 adwikxd;adwikxd;c:\windows\system32\drivers\bekr.sys --> c:\windows\system32\drivers\bekr.sys [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [11/16/2010 1:10 AM 267568]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2005-04-05 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 11:42]

2005-04-05 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 11:42]

2005-04-05 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 11:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchAssistant =
Trusted Zone: live.com\onecare
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-DW6 - (no file)
HKLM-Run-BearShare - c:\program files\BearShare\BearShare.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-27 20:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(408)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3648)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\zHotkey.exe
c:\program files\Lexmark X6100 Series\lxbfbmon.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-27 20:32:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-28 02:32

Pre-Run: 122,866,352,128 bytes free
Post-Run: 124,386,492,416 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - F8B27DA671B1F66A3862954F5447271A
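The ComboFix log above carries several entries a responder would want to pick out automatically rather than by eye: the run of c:\windows\Tasks\At1.job through At24.job under "Other Deletions", an iexplore.exe sitting in the user's My Documents folder, an Autorun.inf on D:, and the service entry "S0 adwikxd;adwikxd;c:\windows\system32\drivers\bekr.sys --> ... [?]" whose driver file ComboFix could not find. The Python below is an added example for this thread; it is not part of the post, of ComboFix, or of any Malwarebytes tool. It parses a constructed excerpt written in the same shape as the log and flags those four patterns. Two things are assumptions of this example rather than documented ComboFix behaviour: that a trailing "[?]" on an R/S service line marks an entry whose image file was not found, and the triage thresholds (three or more At-jobs counts as a series; a well-known system binary name under a user profile directory counts as masquerading).

```python
import re

# Constructed excerpt in the shape of a ComboFix log. The At-job, iexplore.exe,
# Autorun.inf and "S0 ... [?]" lines mirror entries in the post above; the rest
# is trimmed. It is sample input for this example, not the thread's full log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\My Documents\iexplore.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
S0 adwikxd;adwikxd;c:\windows\system32\drivers\bekr.sys --> c:\windows\system32\drivers\bekr.sys [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [11/16/2010 1:10 AM 267568]
"""

# "((((( Section name )))))" banner lines that ComboFix uses to separate sections.
SECTION_RE = re.compile(r"^\({5,}\s*(?P<name>.+?)\s*\){5,}\s*$")
# "R1 name;display name;image path [...]" service/driver entries.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
AT_JOB_RE = re.compile(r"\\tasks\\at\d+\.job$", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\(documents and settings|users)\\", re.IGNORECASE)
# Binary names that belong under the Windows or Program Files tree, never in a profile.
SYSTEM_BINARY_NAMES = {"iexplore.exe", "explorer.exe", "svchost.exe", "winlogon.exe"}


def split_sections(log_text):
    """Group non-empty log lines under the banner that precedes them."""
    sections = {}
    current = "preamble"
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        stripped = line.strip()
        if stripped and stripped != ".":          # "." is ComboFix's spacer line
            sections.setdefault(current, []).append(stripped)
    return sections


def find_at_job_series(deleted_paths, minimum=3):
    """A run of At<N>.job tasks is a classic sign of malware-created scheduled tasks."""
    jobs = [p for p in deleted_paths if AT_JOB_RE.search(p)]
    return jobs if len(jobs) >= minimum else []


def find_masquerading_binaries(deleted_paths):
    """Well-known system binary names found under a user profile directory."""
    hits = []
    for p in deleted_paths:
        name = p.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARY_NAMES and USER_PROFILE_RE.match(p):
            hits.append(p)
    return hits


def find_autorun_inf(deleted_paths):
    """Autorun.inf files are the usual carrier for drive-based autorun infections."""
    return [p for p in deleted_paths if p.lower().endswith("\\autorun.inf")]


def find_orphaned_services(log_text):
    """Service/driver entries whose image path ends in '[?]' (assumed: file not found)."""
    orphans = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and m.group("rest").rstrip().endswith("[?]"):
            orphans.append((m.group("start"), m.group("name")))
    return orphans


def triage(log_text):
    """Run every check and return the findings keyed by category."""
    sections = split_sections(log_text)
    deleted = sections.get("Other Deletions", [])
    return {
        "at_job_series": find_at_job_series(deleted),
        "masquerading_binaries": find_masquerading_binaries(deleted),
        "autorun_inf": find_autorun_inf(deleted),
        "orphaned_services": find_orphaned_services(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved C:\ComboFix.txt by reading the file into `triage()` instead of `SAMPLE_LOG`. The orphaned-service check is the one worth keeping an eye on after a cleanup: a start-type S0 driver entry pointing at a file that no longer exists is harmless by itself, but it shows a component was installed at boot-driver level, which is why helpers typically ask for a follow-up scan rather than declaring the machine clean.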

#12 LDTate


  • Moderators
  • 21,126 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 27 December 2010 - 09:45 PM

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\windows\002788_.tmp

Folder::
C:\0dd941d7f2610f30b7d323a55326
C:\2aaeaeff91a25884dc00e8
C:\487a6b61adb0c567cb
C:\c6783c46a2fe735c7d298838b81471
C:\70c4babbaf749f43a4
C:\0219c6c091bc11352e6d91
C:\5088597288c1ba94e3
C:\893ffd6facbecd1bdae1
C:\08156ec3aa9500a47e
C:\571aaf439bdc918cee53a21c5ec8c032
C:\3750f0569d0635b1411e1f2cb15517ac
C:\57f3331fb5c8dbb83238abb4b325c9be
C:\1fe66f0e39f02e4b019637a4df013928
C:\31925ef44076c8c61d69
C:\da0db74252d895d3143228
C:\f43a6c60d2d752d174b3b450d2
C:\718f3e9d89c2bd59606e
C:\ce472f0a452fcd55f1a101c5f3af8b
C:\13f53ddf082dc6787a140ba7

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


Posted Image

Drag CFScript.txt into ComboFix.exe


Then post the results log using Copy / Paste


Also please describe how your computer behaves at the moment.
Larry Tate
Product Support


#13 willd


  • Members
  • 19 posts

Posted 27 December 2010 - 10:29 PM

The computer seems to be running a lot faster. I can now get to the Microsoft Windows Update site (couldn't before). Seems like I am not getting redirected to other web sites when clicking search results in Google, but I now have 2 icons on my desktop for Internet Explorer: one is just called Internet, shows the shortcut symbol, and brings up a regular shortcut properties box when going to properties; the other says Internet Explorer with no shortcut symbol and brings up the Internet Explorer properties box like it should.

ComboFix 10-12-26.01 - Owner 12/27/2010 20:55:50.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.131 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"c:\windows\002788_.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\0219c6c091bc11352e6d91
c:\0219c6c091bc11352e6d91\compappscontent.dll
c:\0219c6c091bc11352e6d91\en-us\amhelp.chm
c:\0219c6c091bc11352e6d91\en-us\epploc.cab
c:\0219c6c091bc11352e6d91\en-us\epploc_x86.msi
c:\0219c6c091bc11352e6d91\en-us\eula.rtf
c:\0219c6c091bc11352e6d91\en-us\setupres.dll.mui
c:\0219c6c091bc11352e6d91\epplauncher.exe
c:\0219c6c091bc11352e6d91\eppmanifest.dll
c:\0219c6c091bc11352e6d91\setup.ini
c:\0219c6c091bc11352e6d91\setupres.dll
c:\0219c6c091bc11352e6d91\x86\dw20shared.msi
c:\0219c6c091bc11352e6d91\x86\epp.msi
c:\0219c6c091bc11352e6d91\x86\legitlib.dll
c:\0219c6c091bc11352e6d91\x86\mp_ambits.msi
c:\0219c6c091bc11352e6d91\x86\setup.exe
c:\0219c6c091bc11352e6d91\x86\sqmapi.dll
c:\0219c6c091bc11352e6d91\x86\windows6.0-kb981889-v2.msu
c:\0219c6c091bc11352e6d91\x86\windows6.1-kb981889.msu
C:\08156ec3aa9500a47e
c:\08156ec3aa9500a47e\compappscontent.dll
c:\08156ec3aa9500a47e\en-us\amhelp.chm
c:\08156ec3aa9500a47e\en-us\epploc.cab
c:\08156ec3aa9500a47e\en-us\epploc_x86.msi
c:\08156ec3aa9500a47e\en-us\eula.rtf
c:\08156ec3aa9500a47e\en-us\setupres.dll.mui
c:\08156ec3aa9500a47e\epplauncher.exe
c:\08156ec3aa9500a47e\eppmanifest.dll
c:\08156ec3aa9500a47e\setup.ini
c:\08156ec3aa9500a47e\setupres.dll
c:\08156ec3aa9500a47e\x86\dw20shared.msi
c:\08156ec3aa9500a47e\x86\epp.msi
c:\08156ec3aa9500a47e\x86\legitlib.dll
c:\08156ec3aa9500a47e\x86\mp_ambits.msi
c:\08156ec3aa9500a47e\x86\setup.exe
c:\08156ec3aa9500a47e\x86\sqmapi.dll
c:\08156ec3aa9500a47e\x86\windows6.0-kb981889-v2.msu
c:\08156ec3aa9500a47e\x86\windows6.1-kb981889.msu
C:\0dd941d7f2610f30b7d323a55326
c:\0dd941d7f2610f30b7d323a55326\compappscontent.dll
c:\0dd941d7f2610f30b7d323a55326\en-us\amhelp.chm
c:\0dd941d7f2610f30b7d323a55326\en-us\epploc.cab
c:\0dd941d7f2610f30b7d323a55326\en-us\epploc_x86.msi
c:\0dd941d7f2610f30b7d323a55326\en-us\eula.rtf
c:\0dd941d7f2610f30b7d323a55326\en-us\setupres.dll.mui
c:\0dd941d7f2610f30b7d323a55326\epplauncher.exe
c:\0dd941d7f2610f30b7d323a55326\eppmanifest.dll
c:\0dd941d7f2610f30b7d323a55326\setup.ini
c:\0dd941d7f2610f30b7d323a55326\setupres.dll
c:\0dd941d7f2610f30b7d323a55326\x86\legitlib.dll
C:\13f53ddf082dc6787a140ba7
c:\13f53ddf082dc6787a140ba7\mrtstub.exe
C:\1fe66f0e39f02e4b019637a4df013928
c:\1fe66f0e39f02e4b019637a4df013928\compappscontent.dll
c:\1fe66f0e39f02e4b019637a4df013928\en-us\amhelp.chm
c:\1fe66f0e39f02e4b019637a4df013928\en-us\epploc.cab
c:\1fe66f0e39f02e4b019637a4df013928\en-us\epploc_x86.msi
c:\1fe66f0e39f02e4b019637a4df013928\en-us\eula.rtf
c:\1fe66f0e39f02e4b019637a4df013928\en-us\setupres.dll.mui
c:\1fe66f0e39f02e4b019637a4df013928\epplauncher.exe
c:\1fe66f0e39f02e4b019637a4df013928\eppmanifest.dll
c:\1fe66f0e39f02e4b019637a4df013928\setup.ini
c:\1fe66f0e39f02e4b019637a4df013928\setupres.dll
c:\1fe66f0e39f02e4b019637a4df013928\x86\legitlib.dll
c:\1fe66f0e39f02e4b019637a4df013928\x86\setup.exe
c:\1fe66f0e39f02e4b019637a4df013928\x86\sqmapi.dll
C:\2aaeaeff91a25884dc00e8
c:\2aaeaeff91a25884dc00e8\compappscontent.dll
c:\2aaeaeff91a25884dc00e8\eppmanifest.dll
C:\31925ef44076c8c61d69
c:\31925ef44076c8c61d69\compappscontent.dll
c:\31925ef44076c8c61d69\eppmanifest.dll
C:\3750f0569d0635b1411e1f2cb15517ac
c:\3750f0569d0635b1411e1f2cb15517ac\compappscontent.dll
c:\3750f0569d0635b1411e1f2cb15517ac\en-us\amhelp.chm
c:\3750f0569d0635b1411e1f2cb15517ac\en-us\epploc.cab
c:\3750f0569d0635b1411e1f2cb15517ac\en-us\epploc_x86.msi
c:\3750f0569d0635b1411e1f2cb15517ac\en-us\eula.rtf
c:\3750f0569d0635b1411e1f2cb15517ac\en-us\setupres.dll.mui
c:\3750f0569d0635b1411e1f2cb15517ac\epplauncher.exe
c:\3750f0569d0635b1411e1f2cb15517ac\eppmanifest.dll
c:\3750f0569d0635b1411e1f2cb15517ac\setup.ini
c:\3750f0569d0635b1411e1f2cb15517ac\setupres.dll
c:\3750f0569d0635b1411e1f2cb15517ac\x86\dw20shared.msi
c:\3750f0569d0635b1411e1f2cb15517ac\x86\epp.msi
c:\3750f0569d0635b1411e1f2cb15517ac\x86\legitlib.dll
c:\3750f0569d0635b1411e1f2cb15517ac\x86\mp_ambits.msi
c:\3750f0569d0635b1411e1f2cb15517ac\x86\setup.exe
c:\3750f0569d0635b1411e1f2cb15517ac\x86\sqmapi.dll
c:\3750f0569d0635b1411e1f2cb15517ac\x86\windows6.0-kb981889-v2.msu
c:\3750f0569d0635b1411e1f2cb15517ac\x86\windows6.1-kb981889.msu
C:\487a6b61adb0c567cb
c:\487a6b61adb0c567cb\compappscontent.dll
c:\487a6b61adb0c567cb\epplauncher.exe
c:\487a6b61adb0c567cb\eppmanifest.dll
c:\487a6b61adb0c567cb\setupres.dll
C:\5088597288c1ba94e3
c:\5088597288c1ba94e3\compappscontent.dll
c:\5088597288c1ba94e3\en-us\amhelp.chm
c:\5088597288c1ba94e3\en-us\epploc.cab
c:\5088597288c1ba94e3\en-us\epploc_x86.msi
c:\5088597288c1ba94e3\en-us\eula.rtf
c:\5088597288c1ba94e3\en-us\setupres.dll.mui
c:\5088597288c1ba94e3\epplauncher.exe
c:\5088597288c1ba94e3\eppmanifest.dll
c:\5088597288c1ba94e3\setup.ini
c:\5088597288c1ba94e3\setupres.dll
c:\5088597288c1ba94e3\x86\dw20shared.msi
c:\5088597288c1ba94e3\x86\epp.msi
c:\5088597288c1ba94e3\x86\legitlib.dll
c:\5088597288c1ba94e3\x86\mp_ambits.msi
c:\5088597288c1ba94e3\x86\setup.exe
c:\5088597288c1ba94e3\x86\sqmapi.dll
c:\5088597288c1ba94e3\x86\windows6.0-kb981889-v2.msu
c:\5088597288c1ba94e3\x86\windows6.1-kb981889.msu
C:\571aaf439bdc918cee53a21c5ec8c032
c:\571aaf439bdc918cee53a21c5ec8c032\compappscontent.dll
c:\571aaf439bdc918cee53a21c5ec8c032\en-us\amhelp.chm
c:\571aaf439bdc918cee53a21c5ec8c032\en-us\epploc.cab
c:\571aaf439bdc918cee53a21c5ec8c032\en-us\epploc_x86.msi
c:\571aaf439bdc918cee53a21c5ec8c032\en-us\eula.rtf
c:\571aaf439bdc918cee53a21c5ec8c032\en-us\setupres.dll.mui
c:\571aaf439bdc918cee53a21c5ec8c032\epplauncher.exe
c:\571aaf439bdc918cee53a21c5ec8c032\eppmanifest.dll
c:\571aaf439bdc918cee53a21c5ec8c032\setup.ini
c:\571aaf439bdc918cee53a21c5ec8c032\setupres.dll
c:\571aaf439bdc918cee53a21c5ec8c032\x86\dw20shared.msi
c:\571aaf439bdc918cee53a21c5ec8c032\x86\epp.msi
c:\571aaf439bdc918cee53a21c5ec8c032\x86\legitlib.dll
c:\571aaf439bdc918cee53a21c5ec8c032\x86\mp_ambits.msi
c:\571aaf439bdc918cee53a21c5ec8c032\x86\setup.exe
c:\571aaf439bdc918cee53a21c5ec8c032\x86\sqmapi.dll
c:\571aaf439bdc918cee53a21c5ec8c032\x86\windows6.0-kb981889-v2.msu
c:\571aaf439bdc918cee53a21c5ec8c032\x86\windows6.1-kb981889.msu
C:\57f3331fb5c8dbb83238abb4b325c9be
c:\57f3331fb5c8dbb83238abb4b325c9be\compappscontent.dll
c:\57f3331fb5c8dbb83238abb4b325c9be\en-us\amhelp.chm
c:\57f3331fb5c8dbb83238abb4b325c9be\en-us\epploc.cab
c:\57f3331fb5c8dbb83238abb4b325c9be\en-us\epploc_x86.msi
c:\57f3331fb5c8dbb83238abb4b325c9be\en-us\eula.rtf
c:\57f3331fb5c8dbb83238abb4b325c9be\en-us\setupres.dll.mui
c:\57f3331fb5c8dbb83238abb4b325c9be\epplauncher.exe
c:\57f3331fb5c8dbb83238abb4b325c9be\eppmanifest.dll
c:\57f3331fb5c8dbb83238abb4b325c9be\setup.ini
c:\57f3331fb5c8dbb83238abb4b325c9be\setupres.dll
c:\57f3331fb5c8dbb83238abb4b325c9be\x86\dw20shared.msi
c:\57f3331fb5c8dbb83238abb4b325c9be\x86\epp.msi
c:\57f3331fb5c8dbb83238abb4b325c9be\x86\legitlib.dll
c:\57f3331fb5c8dbb83238abb4b325c9be\x86\mp_ambits.msi
c:\57f3331fb5c8dbb83238abb4b325c9be\x86\setup.exe
c:\57f3331fb5c8dbb83238abb4b325c9be\x86\sqmapi.dll
c:\57f3331fb5c8dbb83238abb4b325c9be\x86\windows6.0-kb981889-v2.msu
c:\57f3331fb5c8dbb83238abb4b325c9be\x86\windows6.1-kb981889.msu
C:\70c4babbaf749f43a4
c:\70c4babbaf749f43a4\compappscontent.dll
c:\70c4babbaf749f43a4\en-us\amhelp.chm
c:\70c4babbaf749f43a4\en-us\epploc.cab
c:\70c4babbaf749f43a4\en-us\epploc_x86.msi
c:\70c4babbaf749f43a4\en-us\eula.rtf
c:\70c4babbaf749f43a4\en-us\setupres.dll.mui
c:\70c4babbaf749f43a4\epplauncher.exe
c:\70c4babbaf749f43a4\eppmanifest.dll
c:\70c4babbaf749f43a4\setup.ini
c:\70c4babbaf749f43a4\setupres.dll
c:\70c4babbaf749f43a4\x86\dw20shared.msi
c:\70c4babbaf749f43a4\x86\epp.msi
c:\70c4babbaf749f43a4\x86\legitlib.dll
c:\70c4babbaf749f43a4\x86\mp_ambits.msi
c:\70c4babbaf749f43a4\x86\setup.exe
c:\70c4babbaf749f43a4\x86\sqmapi.dll
c:\70c4babbaf749f43a4\x86\windows6.0-kb981889-v2.msu
c:\70c4babbaf749f43a4\x86\windows6.1-kb981889.msu
C:\718f3e9d89c2bd59606e
c:\718f3e9d89c2bd59606e\compappscontent.dll
c:\718f3e9d89c2bd59606e\eppmanifest.dll
c:\718f3e9d89c2bd59606e\setupres.dll
C:\893ffd6facbecd1bdae1
C:\c6783c46a2fe735c7d298838b81471
c:\c6783c46a2fe735c7d298838b81471\compappscontent.dll
c:\c6783c46a2fe735c7d298838b81471\en-us\amhelp.chm
c:\c6783c46a2fe735c7d298838b81471\en-us\epploc.cab
c:\c6783c46a2fe735c7d298838b81471\en-us\epploc_x86.msi
c:\c6783c46a2fe735c7d298838b81471\en-us\eula.rtf
c:\c6783c46a2fe735c7d298838b81471\en-us\setupres.dll.mui
c:\c6783c46a2fe735c7d298838b81471\epplauncher.exe
c:\c6783c46a2fe735c7d298838b81471\eppmanifest.dll
c:\c6783c46a2fe735c7d298838b81471\setup.ini
c:\c6783c46a2fe735c7d298838b81471\setupres.dll
c:\c6783c46a2fe735c7d298838b81471\x86\dw20shared.msi
c:\c6783c46a2fe735c7d298838b81471\x86\epp.msi
c:\c6783c46a2fe735c7d298838b81471\x86\legitlib.dll
c:\c6783c46a2fe735c7d298838b81471\x86\mp_ambits.msi
c:\c6783c46a2fe735c7d298838b81471\x86\setup.exe
c:\c6783c46a2fe735c7d298838b81471\x86\sqmapi.dll
c:\c6783c46a2fe735c7d298838b81471\x86\windows6.0-kb981889-v2.msu
c:\c6783c46a2fe735c7d298838b81471\x86\windows6.1-kb981889.msu
C:\ce472f0a452fcd55f1a101c5f3af8b
C:\da0db74252d895d3143228
c:\da0db74252d895d3143228\compappscontent.dll
c:\da0db74252d895d3143228\en-us\amhelp.chm
c:\da0db74252d895d3143228\en-us\epploc.cab
c:\da0db74252d895d3143228\en-us\epploc_x86.msi
c:\da0db74252d895d3143228\en-us\eula.rtf
c:\da0db74252d895d3143228\en-us\setupres.dll.mui
c:\da0db74252d895d3143228\epplauncher.exe
c:\da0db74252d895d3143228\eppmanifest.dll
c:\da0db74252d895d3143228\setup.ini
c:\da0db74252d895d3143228\setupres.dll
c:\da0db74252d895d3143228\x86\legitlib.dll
c:\da0db74252d895d3143228\x86\setup.exe
c:\da0db74252d895d3143228\x86\sqmapi.dll
C:\f43a6c60d2d752d174b3b450d2
c:\f43a6c60d2d752d174b3b450d2\compappscontent.dll
c:\f43a6c60d2d752d174b3b450d2\eppmanifest.dll
c:\f43a6c60d2d752d174b3b450d2\setupres.dll
c:\windows\002788_.tmp

.
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-28 )))))))))))))))))))))))))))))))
.

2010-12-25 23:56 . 2010-12-25 23:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-25 23:56 . 2010-12-25 23:56 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-25 19:14 . 2010-12-25 19:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-12-25 18:14 . 2010-12-25 18:58 -------- d-----w- C:\ee6b30a673b1b541293562ab4ca0d8
2010-12-25 16:30 . 2010-12-25 16:30 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-12-25 16:30 . 2010-12-25 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-25 16:30 . 2010-12-25 16:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-25 09:03 . 2010-12-25 09:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-12-25 04:20 . 2010-12-25 21:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-25 04:20 . 2010-12-25 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-12-25 03:19 . 2010-12-25 03:19 -------- d-----w- c:\program files\Loaris
2010-12-25 00:12 . 2010-12-25 00:12 -------- d-----w- c:\documents and settings\Owner\Application Data\ElevatedDiagnostics
2010-12-24 23:26 . 2010-12-24 23:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FixItCenter
2010-12-24 23:25 . 2010-12-24 23:25 -------- d-----w- c:\windows\MATS
2010-12-24 23:25 . 2010-12-24 23:25 -------- d-----w- c:\program files\Microsoft Fix it Center
2010-12-24 22:32 . 2008-04-14 11:42 155136 ------w- c:\windows\system32\mssha.dll
2010-12-24 22:18 . 2010-12-24 22:18 -------- d-----w- c:\windows\EHome
2010-12-24 14:40 . 2010-12-25 00:31 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-24 14:26 . 2010-12-24 14:26 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-12-24 14:09 . 2010-12-24 14:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-12-24 05:53 . 2010-10-19 16:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-11 21:23 . 2010-12-11 21:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-03 22:36 . 2010-12-03 22:36 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-12-03 22:35 . 2010-12-03 22:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 00:09 . 2010-11-17 22:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-11-17 22:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 07:10 . 2010-11-16 07:10 65328 ----a-w- c:\windows\apppatch\matsshim.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-16 180269]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"CHotkey"="zHotkey.exe" [2004-05-18 543232]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\pokher\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
S0 adwikxd;adwikxd;c:\windows\system32\drivers\bekr.sys --> c:\windows\system32\drivers\bekr.sys [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [11/16/2010 1:10 AM 267568]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2005-04-05 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 11:42]

2005-04-05 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 11:42]

2005-04-05 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 11:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchAssistant =
Trusted Zone: live.com\onecare
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-27 21:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(408)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2908)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\windows\zHotkey.exe
c:\program files\Lexmark X6100 Series\lxbfbmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-27 21:09:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-28 03:08
ComboFix2.txt 2010-12-28 02:32

Pre-Run: 124,406,018,048 bytes free
Post-Run: 124,331,634,688 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - CCA3DBA795AE55E7489C2D4DF3C81682

#14 LDTate

Posted 27 December 2010 - 10:36 PM

I'm headed to bed but will check back in the morning.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\windows\system32\drivers\bekr.sys


Driver::
adwikxd

Save this file to your desktop as "CFScript".

Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


Drag CFScript.txt into ComboFix.exe


Then post the results log using Copy / Paste.


Also please describe how your computer behaves at the moment.
Larry Tate
Product Support

Follow us: Twitter, Become a fan: Facebook
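As an added example (not code from this thread, from ComboFix or from Malwarebytes): a small Python triage script that parses the driver/service lines ComboFix prints, such as the `R1 SASDIFSV;...` and `S0 adwikxd;adwikxd;c:\windows\system32\drivers\bekr.sys --> ... [?]` lines in the log above, flags the entry whose image file ComboFix could not find on disk, and emits the `KillAll::` / `File::` / `Driver::` CFScript stanzas the moderator wrote by hand in this reply. The four sample lines are copied from this thread's log; the "outside Program Files" heuristic and every function name are this example's own assumptions, not ComboFix rules.

```python
"""Triage ComboFix driver/service lines and emit a CFScript.

Added example for this thread; it is not code from the forum, from ComboFix or from
Malwarebytes. The SAMPLE_LOG lines are copied from the log posted above; the
'outside Program Files' heuristic and all function names are this example's own.
"""
import re
from dataclasses import dataclass

# One ComboFix service line looks like either of these (from the log above):
#   R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
#   S0 adwikxd;adwikxd;c:\windows\system32\drivers\bekr.sys --> c:\windows\system32\drivers\bekr.sys [?]
# R/S = running/stopped, the digit is the SCM start type, then name;display;image,
# and a trailing [date size] or, when the image was not found on disk, "--> path [?]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?:\s+-->\s+(?P<again>.+?))?\s+\[(?P<meta>[^\]]*)\]\s*$"
)

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


@dataclass
class Service:
    running: bool
    start_type: int
    name: str
    display: str
    image: str
    image_missing: bool


def parse_service_line(line: str):
    """Return a Service for one ComboFix service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    missing = m.group("again") is not None or m.group("meta").strip() == "?"
    return Service(
        running=m.group("state") == "R",
        start_type=int(m.group("start")),
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        image=m.group("image").strip(),
        image_missing=missing,
    )


def parse_services(log_text: str):
    """Collect every service line in a ComboFix log, ignoring everything else."""
    return [s for s in map(parse_service_line, log_text.splitlines()) if s]


def triage(services):
    """Map service name -> reasons it deserves a look; unflagged entries are omitted.

    Heuristics only (an assumption of this example, not a ComboFix rule): a registration
    whose image is gone is the classic leftover of a half-removed driver, and boot- or
    system-start drivers outside Program Files load before any security product does.
    """
    report = {}
    for s in services:
        reasons = []
        if s.image_missing:
            reasons.append("image file not on disk; the registration outlived the file "
                           "or the file is hidden from the scanner")
        if s.start_type <= 1 and "\\program files\\" not in s.image.lower():
            reasons.append(f"{START_TYPES[s.start_type]}-start driver outside Program Files; "
                           "verify the publisher before trusting it")
        if reasons:
            report[s.name] = reasons
    return report


def build_cfscript(services):
    """Emit the stanzas ComboFix reads from CFScript.txt for every missing-image entry:
    KillAll:: stops user-mode processes first, File:: deletes the path if it reappears,
    Driver:: deletes the service registration so the loader stops looking for it."""
    targets = [s for s in services if s.image_missing]
    if not targets:
        return ""
    lines = ["KillAll::", "", "File::", *(s.image for s in targets),
             "", "Driver::", *(s.name for s in targets)]
    return "\n".join(lines) + "\n"


# Constructed input: the four service lines from the ComboFix log in this thread.
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
S0 adwikxd;adwikxd;c:\windows\system32\drivers\bekr.sys --> c:\windows\system32\drivers\bekr.sys [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [11/16/2010 1:10 AM 267568]
"""

if __name__ == "__main__":
    found = parse_services(SAMPLE_LOG)
    for name, reasons in triage(found).items():
        print(name)
        for r in reasons:
            print("  -", r)
    print(build_cfscript(found), end="")
```

Run against the sample, only `adwikxd` is flagged (missing image, boot-start, outside Program Files) and the generated script is exactly the `KillAll::` / `File::` / `Driver::` text posted above; the two SUPERAntiSpyware R1 drivers and the Fix it Center service pass untouched. Any driver this heuristic flags still needs a human to confirm the publisher before it goes into a script, which is what a helper does before posting a CFScript.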

#15 willd

Posted 27 December 2010 - 11:18 PM

Good Morning LDTate,

Two things I've noticed: when I open Internet Explorer it says it closed unexpectedly last time and asks if you want to resume where it left off, and it says it is not the default browser whether I check it to be or not.

Also, when I ran ComboFix the last two times it kept installing the Recovery Console; it says it is not installed and that another instance of it needs to be updated. I just keep installing it.

I am working my second job the next two nights, so I will try to be on after I get off work. I will try to run whatever commands you tell me to and post before I go to bed, but no guarantees there.

ComboFix 10-12-26.01 - Owner 12/27/2010 21:47:28.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.163 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\bekr.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_adwikxd


((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-28 )))))))))))))))))))))))))))))))
.

2010-12-25 23:56 . 2010-12-25 23:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-25 23:56 . 2010-12-25 23:56 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-25 19:14 . 2010-12-25 19:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-12-25 18:14 . 2010-12-25 18:58 -------- d-----w- C:\ee6b30a673b1b541293562ab4ca0d8
2010-12-25 16:30 . 2010-12-25 16:30 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-12-25 16:30 . 2010-12-25 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-25 16:30 . 2010-12-25 16:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-25 09:03 . 2010-12-25 09:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-12-25 04:20 . 2010-12-25 21:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-25 04:20 . 2010-12-25 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-12-25 03:19 . 2010-12-25 03:19 -------- d-----w- c:\program files\Loaris
2010-12-25 00:12 . 2010-12-25 00:12 -------- d-----w- c:\documents and settings\Owner\Application Data\ElevatedDiagnostics
2010-12-24 23:26 . 2010-12-24 23:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FixItCenter
2010-12-24 23:25 . 2010-12-24 23:25 -------- d-----w- c:\windows\MATS
2010-12-24 23:25 . 2010-12-24 23:25 -------- d-----w- c:\program files\Microsoft Fix it Center
2010-12-24 22:32 . 2008-04-14 11:42 155136 ------w- c:\windows\system32\mssha.dll
2010-12-24 22:18 . 2010-12-24 22:18 -------- d-----w- c:\windows\EHome
2010-12-24 14:40 . 2010-12-25 00:31 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-24 14:26 . 2010-12-24 14:26 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-12-24 14:09 . 2010-12-24 14:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-12-24 05:53 . 2010-10-19 16:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-11 21:23 . 2010-12-11 21:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-03 22:36 . 2010-12-03 22:36 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-12-03 22:35 . 2010-12-03 22:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 00:09 . 2010-11-17 22:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-11-17 22:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 07:10 . 2010-11-16 07:10 65328 ----a-w- c:\windows\apppatch\matsshim.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-16 180269]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"CHotkey"="zHotkey.exe" [2004-05-18 543232]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\pokher\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [11/16/2010 1:10 AM 267568]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2005-04-05 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 11:42]

2005-04-05 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 11:42]

2005-04-05 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 11:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchAssistant =
Trusted Zone: live.com\onecare
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-27 21:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(408)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2752)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\zHotkey.exe
c:\program files\Lexmark X6100 Series\lxbfbmon.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-12-27 22:00:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-28 04:00
ComboFix2.txt 2010-12-28 03:09
ComboFix3.txt 2010-12-28 02:32

Pre-Run: 124,309,282,816 bytes free
Post-Run: 124,317,319,168 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 360A27C9E17D980162F6DD747A280DCA

#16 LDTate

Posted 28 December 2010 - 07:58 AM

Uninstall ComboFix first, and if IE still gives you that error, try Windows Update and/or uninstall IE 8.
Uninstall Internet Explorer 8 to return to Internet Explorer 7 on Windows XP

Click "Start," and then click "Control Panel."
Click "Add or Remove Programs."
Check "Show Updates" at the top of the dialog box.
Scroll down the list and highlight the version of Internet Explorer 8 that you are running, and then click "Change/Remove."

Download IE 8 again.



The following will implement some cleanup procedures as well as reset System Restore points:

For XP:
  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

For Vista / Windows 7
  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

If you used DeFogger
To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.


Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.


Log looks good :lol:


  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.
  • WOT , Web of Trust, As 'Googling' is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    Green to go
    Yellow for caution
    Red to stop
    WOT has an addon available for both Firefox and IE.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.


I would suggest you read:
PC Safety and Security--What Do I Need?
How to Prevent Malware:

#17 willd

Posted 29 December 2010 - 12:04 AM

Good morning LDTate,

I want to thank you again for helping me fix this computer; it appears to be running great.

It is very refreshing to run across people willing to help other people in need :lol:

Have a GREAT DAY,

Willd

#18 LDTate

Posted 29 December 2010 - 07:39 AM

You're more than welcome.
Glad we were able to help.

Peace be with you.

#19 LDTate

Posted 29 December 2010 - 07:39 AM

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.
