Posts posted by Uisna88
Will now run the other thing you told me to do. Will report back shortly.
-
-
We've got sound now, yay!
But the folders in the Start Menu are still grayed out and empty, even after running Unhide twice and rebooting. Second time I ran it with all the virus-software disabled. Still no go.
Am now printing out the instructions for restoring Start Menu Items and will try these.
Do you have suggestions on how much/what kind of anti-virus software I should be running? Also, could you point me in the right direction for speeding up/spring cleaning my pc?
Thanks!
-
Still no sound. And when I look under "programs" on the start menu, most of them still read "empty."
Thank you for your help.
-
12102012_223928.log
Sorry for the delay. Thanks for hanging in there.
-
Just learned that we have no sound, even though the mute button is off.... isn't that special? :-o
-
The free version of Avast running on my pc thinks c:\windows\msisear.exe is bad and has quarantined it.
Is it possible that I now have too many anti-virus/firewalls/anti-malware programs running?
Malwarebytes (paid version)
Windows (security & firewall)
Avast (trial)
Panda USB vaccine
-
c:\windows\msisear.exe is still present.
The other files are not present.
The PC is running very slowly (it was doing this before the virus attack)
I am about to back up my files to an external hard drive.
Where shall I look now for suggestions on cleaning up the system and speeding things up?
Thank you.
-
I have sent a donation through PayPal. Thank you very much for your help. I'm sorry I can't afford to send you a larger donation.
My sincerest thanks.
-
Thank you, Mr. C.
-
And the F-Drive:
Malwarebytes Anti-Malware (PRO) 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.27.09
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
shae :: DRAGONLADY [administrator]
Protection: Disabled
11/27/2012 11:10:39 PM
mbam-log-2012-11-27 (23-10-39).txt
Scan type: Full scan (F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243890
Time elapsed: 11 minute(s), 16 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
ComboFix 12-11-27.01 - shae 11/27/2012 22:50:30.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1010 [GMT -8:00]
Running from: c:\documents and settings\shae\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\shae\Desktop\CFScript.txt
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\msisear.exe"
"c:\windows\system32\drivers\53419241.sys"
"c:\windows\system32\drivers\69148762.sys"
"c:\windows\system32\drivers\78844860.sys"
.
.
((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-28 )))))))))))))))))))))))))))))))
.
.
2012-11-27 05:12 . 2012-11-27 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2012-11-27 05:12 . 2012-11-27 05:12 -------- d-----w- C:\Panda USB Vaccine
2012-11-27 05:04 . 2012-11-27 05:04 -------- d-----w- c:\windows\system32\KB905474
2012-11-24 04:27 . 2012-11-24 04:27 -------- d-----w- C:\CCE_Quarantine
2012-11-22 21:56 . 2012-11-22 21:56 307712 ----a-w- c:\windows\msisear.exe
2012-11-22 20:33 . 2012-11-22 20:33 177496 ----a-w- c:\windows\system32\drivers\53419241.sys
2012-11-22 20:21 . 2012-11-22 20:21 177496 ----a-w- c:\windows\system32\drivers\69148762.sys
2012-11-22 19:44 . 2012-11-22 19:44 177496 ----a-w- c:\windows\system32\drivers\78844860.sys
2012-11-20 16:56 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-11-20 16:56 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-11-20 16:56 . 2012-10-30 23:51 106560 ----a-w- c:\windows\system32\drivers\aswFW.sys
2012-11-20 16:55 . 2012-10-30 23:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-11-20 16:55 . 2012-10-30 23:51 199320 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2012-11-20 16:55 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-11-20 16:55 . 2012-10-30 23:51 20624 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2012-11-20 16:55 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-11-20 16:55 . 2012-10-30 23:51 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-11-20 16:55 . 2012-10-30 23:51 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-11-20 16:55 . 2012-10-30 23:51 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-11-20 16:52 . 2012-09-21 09:26 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2012-11-20 16:52 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr
2012-11-20 16:52 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-11-20 16:51 . 2012-11-20 16:51 -------- d-----w- c:\program files\AVAST Software
2012-11-20 16:51 . 2012-11-20 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-11-16 08:30 . 2012-09-30 03:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-16 08:30 . 2012-11-16 08:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-11-16 06:14 . 2012-11-16 06:14 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2012-10-30 09:09 . 2012-11-08 00:01 -------- d-----w- c:\program files\Mozilla Thunderbird
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-16 05:14 . 2012-07-11 03:36 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-16 05:14 . 2011-06-05 12:19 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-22 08:37 . 2008-05-03 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2008-05-03 12:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-06-05 06:18 . 2012-06-05 06:07 22259528 ----a-w- c:\program files\vlc-2.0.1-win32.exe
2003-08-27 14:19 . 2009-02-25 08:36 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"EPSON Stylus C64 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE" [2003-05-27 99840]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON SMART PANEL for Scanner.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON SMART PANEL for Scanner.lnk
backup=c:\windows\pss\EPSON SMART PANEL for Scanner.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\SSUPDATE.EXE Software\SUPERAntiSpyware.com\SUPERAntiSpyware [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 17:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C64 Series (Copy 1)]
2003-05-27 03:00 99840 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S4I2C1.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 08:59 126976 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-14 01:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2004-04-13 22:36 1470464 ----a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
2003-08-27 14:20 94208 ----a-r- c:\windows\SM1bg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 14:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 20:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [11/20/2012 8:52 AM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [11/20/2012 8:55 AM 199320]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [11/20/2012 8:56 AM 106560]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [11/20/2012 8:55 AM 20624]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/20/2012 8:55 AM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/20/2012 8:56 AM 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 8:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 1:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 3:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/20/2012 8:56 AM 21256]
R2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [11/20/2012 8:52 AM 133912]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [11/16/2012 12:30 AM 399432]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/16/2012 12:30 AM 676936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/16/2012 12:30 AM 22856]
S1 MpKslb2b6002e;MpKslb2b6002e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E21659E5-641D-4A14-B42A-8F6FED3420D6}\MpKslb2b6002e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E21659E5-641D-4A14-B42A-8F6FED3420D6}\MpKslb2b6002e.sys [?]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-424UB\WLSVC.exe [9/27/2011 5:47 PM 167936]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [9/27/2011 5:47 PM 264576]
S3 SASENUM;SASENUM;\??\c:\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> C:c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 11:34]
.
2012-11-27 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-11-20 23:50]
.
2012-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1343024091-1547161642-1004Core.job
- c:\documents and settings\shae\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-24 14:09]
.
2012-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1343024091-1547161642-1004UA.job
- c:\documents and settings\shae\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-24 14:09]
.
2012-11-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1343024091-1547161642-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-28 06:15]
.
2012-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1343024091-1547161642-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-28 06:15]
.
2012-11-27 c:\windows\Tasks\PandaUSBVaccine.job
- c:\panda usb vaccine\RunInteractiveWin.exe [2012-11-27 00:45]
.
2012-11-27 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2012-11-27 06:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-27 23:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(992)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3512)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-11-27 23:03:49
ComboFix-quarantined-files.txt 2012-11-28 07:03
ComboFix2.txt 2012-11-27 07:03
ComboFix3.txt 2012-11-25 05:56
ComboFix4.txt 2011-10-01 23:17
.
Pre-Run: 9,311,186,944 bytes free
Post-Run: 9,300,705,280 bytes free
.
- - End Of File - - 11E2A8D803E08C949A9E7B5D73E316BC
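The "Files Created" section of the ComboFix log above carries the indicators that this thread's helper acted on: an executable dropped directly in c:\windows rather than in system32, three drivers with purely numeric names, all three of identical size and written within about an hour of each other, and created/modified timestamps that are equal (a file generated on the box) rather than an older vendor modification time copied in by an installer. The following is an added triage script, not part of the poster's log or of ComboFix itself; it assumes only the line layout ComboFix prints above, the sample input is constructed from those lines, and the indicator names, the 3-hour clustering window and the "written in place" heuristic are this example's own choices.

```python
"""Triage the 'Files Created' section of a ComboFix log for the indicators
seen in this thread: a PE file dropped directly in c:\\windows, drivers whose
names are nothing but digits, and groups of equal-sized files created within
a short window.  Added example; thresholds and indicator names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mirroring the log lines above (not the full log).
SAMPLE_LOG = r"""
2012-11-22 21:56 . 2012-11-22 21:56 307712 ----a-w- c:\windows\msisear.exe
2012-11-22 20:33 . 2012-11-22 20:33 177496 ----a-w- c:\windows\system32\drivers\53419241.sys
2012-11-22 20:21 . 2012-11-22 20:21 177496 ----a-w- c:\windows\system32\drivers\69148762.sys
2012-11-22 19:44 . 2012-11-22 19:44 177496 ----a-w- c:\windows\system32\drivers\78844860.sys
2012-11-20 16:56 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-11-20 16:52 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr
2012-11-20 16:51 . 2012-11-20 16:51 -------- d-----w- c:\program files\AVAST Software
"""

# One ComboFix line: "<created> . <modified> <size|-----> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
TS = "%Y-%m-%d %H:%M"
PE_IN_WINDOWS_ROOT = re.compile(r"^c:\\windows\\[^\\]+\.(exe|dll|sys|scr|com)$")
DRIVER_DIGITS = re.compile(r"^c:\\windows\\system32\\drivers\\\d+\.sys$")


def parse_entries(text):
    """Return one dict per 'Files Created' line; directories carry size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banners, blank lines and the '.' separators
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append({
            "created": datetime.strptime(m["created"], TS),
            "modified": datetime.strptime(m["modified"], TS),
            "size": size,
            "is_dir": m["attrs"].startswith("d"),
            "path": m["path"].strip().lower(),
        })
    return entries


def size_clusters(entries, window=timedelta(hours=3), min_count=2):
    """Sizes shared by >= min_count files that were all created within `window`."""
    by_size = defaultdict(list)
    for e in entries:
        if not e["is_dir"]:
            by_size[e["size"]].append(e["created"])
    return {
        size for size, times in by_size.items()
        if len(times) >= min_count and max(times) - min(times) <= window
    }


def triage(text):
    """Map suspicious path -> list of indicator names (strong ones first)."""
    entries = parse_entries(text)
    clusters = size_clusters(entries)
    findings = {}
    for e in entries:
        if e["is_dir"]:
            continue
        hits = []
        if DRIVER_DIGITS.match(e["path"]):
            hits.append("numeric_driver")      # randomly named kernel driver
        if PE_IN_WINDOWS_ROOT.match(e["path"]):
            hits.append("pe_in_windows_root")  # executables rarely live in c:\windows itself
        if e["size"] in clusters:
            hits.append("size_cluster")        # same payload dropped under several names
        if hits and e["created"] == e["modified"]:
            # Weak corroborating signal (assumption): installer copies keep the
            # vendor's older modification time, while a file generated on the
            # box has both timestamps equal at the minute ComboFix prints.
            hits.append("written_in_place")
        if hits:
            findings[e["path"]] = hits
    return findings


if __name__ == "__main__":
    for path, hits in sorted(triage(SAMPLE_LOG).items()):
        print(f"{path}: {', '.join(hits)}")
```

Run as-is it reports msisear.exe and the three numeric drivers with the indicators listed above, leaves avast's own aswSP.sys alone, and also flags avastSS.scr for living in c:\windows; that last hit is a false positive (its created and modified times differ, as a vendor-shipped file's do), which is why the output is an analyst's worklist to corroborate against the vendor, signature and registry evidence, not a verdict.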
-
DOH! I forgot... there is a second hard drive in this computer, the F-Drive. From the logs generated concerning the threats found on this PC, can you tell whether or not the F-drive was affected? Has it been scanned and were threats contained/removed?
Most programs are hidden. Right now I can access files and photos on the C-Drive (in a round-about way), but the ones on the F-Drive are still hidden.
Thanks!
-
The thumb drive is benign and has been inoculated.
-
"Then scan with MB"
Sorry... MB? Malwarebytes?
-
And how do I determine if my thumb drive is safe or infected?
-
Things feel like they're much better on my PC. What's next, and will I eventually find the programs that were hidden by the rootkit/viruses/trojans/evil code?
-
Hello Mr. C.
Did everything you told me to do. Here is the log:
What's next?
(And Thank You.)
-
The scan kept getting stuck while checking sectors, so after 4 goes, I unchecked the box to check sectors and ran the scan. This worked.
Made it all the way through, found 24 malicious items. Cleaned these up, restarted in normal mode, desktop looked normal for the first time in 8 days.
Ran the scan again (again with "sectors" unchecked), found nothing (!)
Ran the scan again, this time including sectors, the scan made it all the way through this time, no malicious anythings found.
What next? Turn off my PC or leave it on?
Here are the logs:
mbar-log-2012-11-24 (01-23-14).txt
mbar-log-2012-11-24 (02-07-48).txt
-
I sure hope doing a "system restore" to two weeks ago will suffice for "creating a new system restore point" because that's what I've just done.
I'm also hoping it will somehow circumvent the whole "blue screen of death" problem.
The mbar tutorial is telling me to back up files before I begin, but that's not possible, is it?
Okay, going to go try running mbar, will report back shortly.
-
I rebooted three times after this and received the same results.
-
I got as far as rebooting the system, checked the boxes and started the scan, but then the screen went blue and read:
"A problem has been detected and Windows has been shut down to prevent further damage to your computer.
If this is the first time you have seen this stop error screen, restart your computer. If this screen appears again follow these steps:
Check to make sure you have adequate disk space. If a driver is id-ed, disable the driver or check for manufacturer updates.
Try changing the video adapters.
Check with hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing, if you need to use safe mode.
TECH INFO:
***STOP:0x0000008E(0xC0000005, 0x87B58097, 0xAF358944, 0x00000000)
Beginning dump of physical memory.
Physical memory dump complete."
-
Mr. C.
Should I be attempting to access this forum from the infected PC? Or from my second computer, a Mac, and saving tdsskiller to a thumb drive and then putting this on my PC?
-
Let's try again. RogueKiller Nov 20 2012.txt
Novice needs Help - TDSS Rootkit (in Resolved Malware Removal Logs)
Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Internet Security
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware Free Edition
Malwarebytes Anti-Malware version 1.65.1.1000
Java 6 Update 27
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 10.3.183.10 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Thunderbird (17.0.)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
AVAST Software Avast afwServ.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 19% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````