atwitsend99 (Honorary Members, 34 posts)
Everything posted by atwitsend99

  1. Thanks dcollins....it freezes. I have to manually turn off the box.
  2. Sorry I'm back with this problem. The rest of Tuesday and early Wednesday, the pc froze regularly. Yesterday morning I disabled Mbam and I have not had a freeze since then. Any more ideas please??
  3. Thanks dcollins, that seems to have been the problem, because now, everything is actually working. I had sadly neglected to update windows and apparently paid for it with hours of frustration and grief. I have rebooted a couple of times and so far no more freezes and bsods.
  4. P.S. And though I did not get a bsod on the reboot, my pc just froze.
  5. Okay lol...I have reinstalled Avast, have given both programs the exclusions, rebooted and the malware shield is missing again - I'm back to square one. Do I need to run the tool again for you to look at???
  6. Thanks dcollins. I have uninstalled Bitdefender (I do not want to stay with that av anyway) and now Mbam is working correctly, but I would like to go back to Avast as well if that is at all possible. Do you know if there is a way to make the 2 compatible again?? They did play nice for a looong time.
  7. Hi exile360, Many thanks for taking up my cause. I enabled UAC by pushing the slider to the default setting and okaying the change, rebooted, re/dl the tool and ran it. However, I still have the two protection shields off, but no more bsods on reboot. I also still do not have the farflt driver, and I cannot force an exclusion in bitdefender without the driver being present. I have appended a new tool-scan, in case it is needed. mbst-grab-results.zip
  8. For the last 4 months or so I also have experienced these incidents and since Mbam had worked flawlessly with Avast, we never suspected this problem. At first it was only every once in a while, but then increased in frequency, with a bsod on every first reboot and non-protection of one or the other (not always the same) shields. Figured out that if I shut down Avast altogether, then installed Mbam, then reactivated Avast, all would be good until the next reboot, which set me back to firstly the bsod on the first reboot attempt (the second was a go) and a steady non-protection of one or more of the shields. I had run the support tool on myriad occasions and it did not help. Not being an extremely pc-savvy person, I had hoped to fix this issue without diving into major fact-finding. I therefore uninstalled Avast (since it seemed that Mbam had issues with Avast) and installed Bitdefender, only to run into the same non-protection of both, malware and ransomware, with the only improvement being that there is no bsod on the first reboot. The exclusions for Mbam were entered into Bitdefender, with the exception of C:\Windows\System32\drivers\farflt.sys, which cannot be found on my pc. Also Bitdefender is entered in the exclusions on Mbam. Attached please find the logs for the tool-scans. Any help will be much appreciated, since I would hate to let go of Mbam, which has been so helpful over many years. mbst-grab-results.zip
  9. Sorry....this has been resolved....confusion has been reigning supreme :-(.
  10. Well, I have been trying to do this by myself (not that I know what I am doing mind you :-(), but I have one more question please....it seems ComboFix put a folder named "Windows_softwareDistribution_download_090811" on my D drive. It has a bunch of folders inside it, but I do not know what they are....can I delete this folder (ComboFix is already uninstalled, since I was unable to access the internet again)? Thanks in advance
  11. Apparently combo-fix allowed the updating of the pc, since "NET runtime optimization" is trying to access the network, and, last night as I shut down it was trying to install 83 updates, managed to install some of them....I did not ask for the updates and I do not know if they are legit. Thanks for the help. P.S. also NET framework (ServiceModelReg.exe), along with (mscorsvw.exe) is making an utter pest out of itself :-(.
  12. Hi, thanks for the help...here are the requested logs:

MBAM

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7674

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

9/7/2011 11:25:00 PM
mbam-log-2011-09-07 (23-25-00).txt

Scan type: Quick scan
Objects scanned: 177140
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----------------------

DDS log

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Liz at 23:27:44 on 2011-09-07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1205 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Calibre2\calibre.exe
C:\Program Files\Calibre2\calibre-parallel.exe
C:\Program Files\Calibre2\calibre-parallel.exe
C:\Program Files\Calibre2\calibre-parallel.exe
C:\Program Files\Calibre2\calibre-parallel.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.sygate.com/swat/support/spf50_reg.htm
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [smcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [securDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [inCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\liz\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\documents and settings\liz\start menu\programs\startup\PowerReg Scheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: aol.com\free
TCP: Interfaces\{7EB5D41B-9A63-430D-B471-96F9CBA271B9} : NameServer = 192.168.254.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\liz\application data\mozilla\firefox\profiles\dlx4dmml.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 57717
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-9-19 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-19 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-27 40384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-5 366640]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-5-16 102400]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-27 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-27 40384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-5 22712]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-4-7 11520]
S3 73592422;73592422; [x]
S4 vsdatant;vsdatant; [x]
.
=============== File Associations ===============
.
txtfile=c:\windows\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-09-05 14:20:07 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-05 14:20:03 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-05 14:20:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-31 12:21:46 -------- d-----w- c:\documents and settings\liz\application data\Remote
2011-08-30 19:56:22 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-30 19:56:22 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-25 21:29:19 -------- d-----w- c:\program files\Everything
2011-08-24 13:03:27 -------- d-----w- c:\documents and settings\liz\application data\pdftoepub
2011-08-24 13:03:09 -------- d-----w- c:\program files\PDFtoEPUB
.
==================== Find3M ====================
.
2011-08-31 12:01:54 69632 ----a-w- c:\windows\system32\realbap1.dll
2011-08-31 12:01:48 45568 ----a-w- c:\windows\system32\realbsf1.dll
.
============= FINISH: 23:27:58.36 ===============

------------------------------------------------------------------------------------------------------------

TDSSKiller log

2011/09/07 23:31:40.0396 6392 TDSS rootkit removing tool 2.5.19.0 Sep 6 2011 19:23:56
2011/09/07 23:31:42.0396 6392 ================================================================================
2011/09/07 23:31:42.0396 6392 SystemInfo:
2011/09/07 23:31:42.0396 6392
2011/09/07 23:31:42.0396 6392 OS Version: 5.1.2600 ServicePack: 2.0
2011/09/07 23:31:42.0396 6392 Product type: Workstation
2011/09/07 23:31:42.0396 6392 ComputerName: LACEY
2011/09/07 23:31:42.0396 6392 UserName: Liz
2011/09/07 23:31:42.0396 6392 Windows directory: C:\WINDOWS
2011/09/07 23:31:42.0396 6392 System windows directory: C:\WINDOWS
2011/09/07 23:31:42.0396 6392 Processor architecture: Intel x86
2011/09/07 23:31:42.0396 6392 Number of processors: 2
2011/09/07 23:31:42.0396 6392 Page size: 0x1000
2011/09/07 23:31:42.0396 6392 Boot type: Normal boot
2011/09/07 23:31:42.0396 6392 ================================================================================
2011/09/07 23:31:54.0662 6392 Initialize success
2011/09/07 23:32:13.0927 6484 ================================================================================
2011/09/07 23:32:13.0927 6484 Scan started
2011/09/07 23:32:13.0927 6484 Mode: Manual;
2011/09/07 23:32:13.0927 6484 ================================================================================
2011/09/07 23:32:14.0849 6484 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/09/07 23:32:14.0943 6484 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/07 23:32:14.0974 6484 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/07 23:32:15.0052 6484 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2011/09/07 23:32:15.0083 6484 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2011/09/07 23:32:15.0302 6484 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
2011/09/07 23:32:15.0349 6484 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/09/07 23:32:15.0380 6484 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/09/07 23:32:15.0412 6484 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/09/07 23:32:15.0443 6484 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys
2011/09/07 23:32:15.0458 6484 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/09/07 23:32:15.0490 6484 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/07 23:32:15.0521 6484 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/07 23:32:15.0552 6484 AtcL002 (07ed1101f574b93a6312bf5d4241b41a) C:\WINDOWS\system32\DRIVERS\atl02_xp.sys
2011/09/07 23:32:15.0599 6484 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/07 23:32:15.0630 6484 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/07 23:32:15.0662 6484 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/07 23:32:15.0724 6484 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/07 23:32:15.0787 6484 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/09/07 23:32:15.0833 6484 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/07 23:32:15.0865 6484 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/07 23:32:15.0880 6484 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/07 23:32:15.0927 6484 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/09/07 23:32:16.0021 6484 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/07 23:32:16.0068 6484 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/07 23:32:16.0083 6484 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/07 23:32:16.0115 6484 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/07 23:32:16.0146 6484 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/07 23:32:16.0193 6484 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/07 23:32:16.0240 6484 E100B (5e72c8fbba5e949995ceb4d25656f904) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/09/07 23:32:16.0271 6484 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/07 23:32:16.0302 6484 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2011/09/07 23:32:16.0318 6484 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/07 23:32:16.0333 6484 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/07 23:32:16.0365 6484 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/09/07 23:32:16.0380 6484 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/07 23:32:16.0412 6484 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/07 23:32:16.0427 6484 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/07 23:32:16.0458 6484 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/07 23:32:16.0505 6484 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/07 23:32:16.0568 6484 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/07 23:32:16.0630 6484 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/07 23:32:16.0771 6484 ialm (c1c2d6940d6ec2f247b0f3c11e0a18e0) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/09/07 23:32:16.0849 6484 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/07 23:32:16.0896 6484 InCDfs (544f76e71f026099a563c202e2e4a341) C:\WINDOWS\system32\drivers\InCDFs.sys
2011/09/07 23:32:16.0912 6484 InCDPass (13708047b3988ac50e81e524ac32edbe) C:\WINDOWS\system32\drivers\InCDPass.sys
2011/09/07 23:32:16.0927 6484 InCDrec (182edee6cfaeaf5174ae6e6d714cf778) C:\WINDOWS\system32\drivers\InCDrec.sys
2011/09/07 23:32:16.0927 6484 incdrm (367f3d160e7129f057838a341a5339b2) C:\WINDOWS\system32\drivers\InCDRm.sys
2011/09/07 23:32:17.0083 6484 IntcAzAudAddService (915ce2a58c6917e3c53be1e91fa66ba8) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/09/07 23:32:17.0146 6484 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/09/07 23:32:17.0193 6484 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/07 23:32:17.0224 6484 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/09/07 23:32:17.0255 6484 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/07 23:32:17.0287 6484 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/07 23:32:17.0318 6484 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/07 23:32:17.0349 6484 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/07 23:32:17.0380 6484 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/07 23:32:17.0412 6484 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/07 23:32:17.0443 6484 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/07 23:32:17.0490 6484 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/07 23:32:17.0521 6484 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/07 23:32:17.0599 6484 LVPr2Mon (a6919138f29ae45e90e99fa94737e04c) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2011/09/07 23:32:17.0646 6484 LVRS (b895839b8743e400d7c7dae156f74e7e) C:\WINDOWS\system32\DRIVERS\lvrs.sys
2011/09/07 23:32:17.0693 6484 LVUSBSta (23f8ef78bb9553e465a476f3cee5ca18) C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys
2011/09/07 23:32:17.0740 6484 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys
2011/09/07 23:32:17.0755 6484 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/07 23:32:17.0787 6484 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/07 23:32:17.0849 6484 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/07 23:32:17.0865 6484 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/07 23:32:17.0927 6484 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/07 23:32:17.0958 6484 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/07 23:32:18.0005 6484 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/07 23:32:18.0052 6484 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/07 23:32:18.0068 6484 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/07 23:32:18.0083 6484 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/07 23:32:18.0115 6484 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/07 23:32:18.0162 6484 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/09/07 23:32:18.0193 6484 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/07 23:32:18.0224 6484 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/09/07 23:32:18.0240 6484 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/07 23:32:18.0271 6484 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/09/07 23:32:18.0318 6484 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/07 23:32:18.0349 6484 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/07 23:32:18.0365 6484 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/07 23:32:18.0380 6484 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/07 23:32:18.0427 6484 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/07 23:32:18.0443 6484 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/07 23:32:18.0474 6484 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/07 23:32:18.0521 6484 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/07 23:32:18.0568 6484 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/07 23:32:18.0599 6484 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/07 23:32:18.0630 6484 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/07 23:32:18.0662 6484 PalmUSBD (803cf09c795290825607505d37819135) C:\WINDOWS\system32\drivers\PalmUSBD.sys
2011/09/07 23:32:18.0693 6484 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/07 23:32:18.0708 6484 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/07 23:32:18.0740 6484 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/07 23:32:18.0771 6484 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/07 23:32:18.0818 6484 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/07 23:32:18.0880 6484 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/07 23:32:19.0005 6484 pepifilter (a05f0d7419cf4680eedd5736e6549e7b) C:\WINDOWS\system32\DRIVERS\lv302af.sys
2011/09/07 23:32:19.0146 6484 PID_PEPI (4bb5ac2dd485b8eefccb977ee66a68ad) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS
2011/09/07 23:32:19.0208 6484 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/07 23:32:19.0208 6484 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/07 23:32:19.0255 6484 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/07 23:32:19.0287 6484 PxHelp20 (b572ed0c3e6165643fa116af20425a54) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/09/07 23:32:19.0443 6484 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/07 23:32:19.0474 6484 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/07 23:32:19.0490 6484 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/07 23:32:19.0505 6484 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/07 23:32:19.0537 6484 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/07 23:32:19.0552 6484 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/07 23:32:19.0583 6484 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/07 23:32:19.0630 6484 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/07 23:32:19.0646 6484 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/07 23:32:19.0708 6484 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/07 23:32:19.0755 6484 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/07 23:32:19.0771 6484 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/07 23:32:19.0802 6484 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/07 23:32:19.0896 6484 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/09/07 23:32:19.0943 6484 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/07 23:32:19.0990 6484 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/07 23:32:20.0052 6484 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/07 23:32:20.0099 6484 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/09/07 23:32:20.0115 6484 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/07 23:32:20.0146 6484 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/07 23:32:20.0240 6484 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/07 23:32:20.0287 6484 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/07 23:32:20.0333 6484 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/07 23:32:20.0365 6484 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/07 23:32:20.0396 6484 Teefer (04906f0072903bd0280791a562596b95) C:\WINDOWS\system32\Drivers\Teefer.sys
2011/09/07 23:32:20.0443 6484 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/07 23:32:20.0505 6484 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/07 23:32:20.0537 6484 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/07 23:32:20.0568 6484 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/09/07 23:32:20.0615 6484 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/07 23:32:20.0677 6484 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/07 23:32:20.0708 6484 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/07 23:32:20.0724 6484 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/07 23:32:20.0787 6484 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/07 23:32:20.0802 6484 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/09/07 23:32:20.0865 6484 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/07 23:32:20.0912 6484 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/07 23:32:20.0958 6484 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
2011/09/07 23:32:21.0021 6484 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/07 23:32:21.0037 6484 wg3n (038ad5561af23bc9bba3d624daf311f0) C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
2011/09/07 23:32:21.0052 6484 wg4n (266aa247c92f5d202a9cc633142ca425) C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys
2011/09/07 23:32:21.0083 6484 wg5n (c2a06a1673391203c023de8bc60927bc) C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys
2011/09/07 23:32:21.0099 6484 wg6n (2e94e4ef8d985be291cb4573c5dfca35) C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys
2011/09/07 23:32:21.0146 6484 wpsdrvnt (9eb103f5652c9253bad58350aede476d) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2011/09/07 23:32:21.0177 6484 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/07 23:32:21.0208 6484 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/07 23:32:21.0302 6484 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
2011/09/07 23:32:21.0318 6484 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR2
2011/09/07 23:32:21.0318 6484 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk3\DR3
2011/09/07 23:32:21.0333 6484 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk8\DR14
2011/09/07 23:32:21.0349 6484 Boot (0x1200) (4f1cd2d2601736911c3c2f2c1d24d594) \Device\Harddisk0\DR0\Partition0
2011/09/07 23:32:21.0365 6484 Boot (0x1200) (0a91c2da3d38541b70fb9cc43e6b6fd6) \Device\Harddisk0\DR0\Partition1
2011/09/07 23:32:21.0380 6484 Boot (0x1200) (94f52901b7b6726e9594af1c64ce8285) \Device\Harddisk0\DR0\Partition2
2011/09/07 23:32:21.0396 6484 Boot (0x1200) (a9b99e769a5de73eec10eea51707546e) \Device\Harddisk1\DR1\Partition0
2011/09/07 23:32:21.0396 6484 Boot (0x1200) (ad231c240e647e299bc2f6817d23c828) \Device\Harddisk2\DR2\Partition0
2011/09/07 23:32:21.0412 6484 Boot (0x1200) (303d3cd1930fefe62146d471d4761521) \Device\Harddisk3\DR3\Partition0
2011/09/07 23:32:21.0412 6484 Boot (0x1200) (99577adfee4914cb76a5be72066e2d31) \Device\Harddisk8\DR14\Partition0
2011/09/07 23:32:21.0412 6484 ================================================================================
2011/09/07 23:32:21.0412 6484 Scan finished
2011/09/07 23:32:21.0412 6484 ================================================================================
2011/09/07 23:32:21.0427 6812 Detected object count: 0
2011/09/07 23:32:21.0427 6812 Actual detected object count: 0
2011/09/07 23:32:31.0162 7464 Deinitialize success

---------------------------------------------------------------------------------------------------------------------------------

and the Combo-Fix log (grabbed from another one of your posts, because I did not have one)

ComboFix 11-09-07.04 - Liz 09/08/2011 0:18.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1434 [GMT -4:00]
Running from: c:\documents and settings\Liz\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Liz\Application Data\0D8A.C2F
c:\documents and settings\Liz\Application Data\Remote\owlctx
c:\documents and settings\Liz\Cookies\gapor._sy
c:\documents and settings\Liz\WINDOWS
c:\windows\sagipixe._sy
c:\windows\system32\comct332.ocx
c:\windows\system32\lvci11801048.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_6TO4 . . ((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 ))))))))))))))))))))))))))))))) . . 2011-09-05 14:20 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-09-05 14:20 . 2011-09-05 14:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-09-05 14:20 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-08-31 12:21 . 2011-09-08 04:20 -------- d-----w- c:\documents and settings\Liz\Application Data\Remote 2011-08-30 19:56 . 2011-08-30 19:56 -------- d-----w- c:\windows\system32\wbem\Repository 2011-08-25 21:29 . 2011-09-08 03:10 -------- d-----w- c:\program files\Everything 2011-08-24 13:03 . 2011-09-08 03:07 -------- d-----w- c:\documents and settings\Liz\Application Data\pdftoepub 2011-08-24 13:03 . 2011-08-24 13:03 -------- d-----w- c:\program files\PDFtoEPUB . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-08-31 12:01 . 2008-11-06 16:18 69632 ----a-w- c:\windows\system32\realbap1.dll 2011-08-31 12:01 . 2008-11-06 16:18 45568 ----a-w- c:\windows\system32\realbsf1.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912] "WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-05-16 430080] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-06 136600] "SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-08-14 2532576] "SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-02-12 1620480] "RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648] "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184] "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008] "InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-02-12 1050112] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584] . c:\documents and settings\Liz\Start Menu\Programs\Startup\ HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008] PowerReg Scheduler.exe [2010-9-5 233472] . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "FirewallOverride"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\uTorrent\\utorrent.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= . 
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/19/2009 2:29 PM 165584] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/19/2009 2:29 PM 17744] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/5/2011 10:20 AM 366640] R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 6:12 PM 102400] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/5/2011 10:20 AM 22712] R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [4/7/2009 7:34 PM 11520] S3 73592422;73592422; [x] . Contents of the 'Scheduled Tasks' folder . . ------- Supplementary Scan ------- . uStart Page = about:blank uInternet Connection Wizard,ShellNext = hxxp://www.sygate.com/swat/support/spf50_reg.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: aol.com\free TCP: Interfaces\{7EB5D41B-9A63-430D-B471-96F9CBA271B9}: NameServer = 192.168.254.254 FF - ProfilePath - c:\documents and settings\Liz\Application Data\Mozilla\Firefox\Profiles\dlx4dmml.default\ FF - prefs.js: network.proxy.http - 127.0.0.1 FF - prefs.js: network.proxy.http_port - 57717 FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff . . ------- File Associations ------- . txtfile=c:\windows\NOTEPAD.EXE %1 . - - - - ORPHANS REMOVED - - - - . Notify-avgrsstarter - avgrsstx.dll . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-09-08 00:26 Windows 5.1.2600 Service Pack 2 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . 
scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsdatant] "ImagePath"="" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(8028) c:\windows\TEMP\logishrd\LVPrcInj01.dll c:\windows\system32\SSSensor.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Sygate\SPF\smc.exe c:\program files\Alwil Software\Avast5\AvastSvc.exe c:\windows\RTHDCPL.EXE c:\windows\system32\igfxsrvc.exe c:\program files\Nero\Nero 7\InCD\InCDsrv.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe c:\windows\system32\wdfmgr.exe c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe . ************************************************************************** . Completion time: 2011-09-08 00:29:27 - machine was rebooted ComboFix-quarantined-files.txt 2011-09-08 04:29 . Pre-Run: 44,669,607,936 bytes free Post-Run: 44,894,470,144 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect . - - End Of File - - 33F4A2CDEB650D3F8183EDD5E96E1894 ------------------------------------------------------------------------------------------------ I had both, Sygate and Avast disabled for the scan, but both programs came back on, when combo-fix rebooted the machine, and were present during log-creation. 
I also do not know if defogger ever did it's job, because it was unable to reboot the pc. The incessant attacks on my pc have stopped, but it still takes more than 2.5 min to boot and almost as long to shut down.
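The ComboFix "Reg Loading Points" block in the post above is the kind of dump a forum helper reads by eye; the same checks can be scripted. The Python below is an added example written for this page (it is not ComboFix, Malwarebytes or forum code). It parses the block's format as posted (`[key]` headers, `"name"=value` lines, `.` spacers, REGEDIT4 `\\` escaping in value names) and flags what a helper would circle in this log: EnableFirewall=0 in the standard-profile firewall policy, FirewallOverride=1 under Security Center, the three firewall exceptions, and any Run value that launches through rundll32/regsvr32 or from a user-profile path. The sample dump is constructed from the lines posted above plus one Run value, `lpc`, that I added under HKEY_USERS\.DEFAULT to mirror the srjmh47.dll autostart that MBAM and DDS report elsewhere in this thread; that value is not in the ComboFix log itself. Treat the flags as leads, not verdicts: FirewallOverride=1 next to a third-party firewall such as the Sygate one on this machine can be a deliberate setting.

```python
"""Triage a ComboFix "Reg Loading Points" dump (added example, not ComboFix code)."""
import re

# Constructed sample: autostart and firewall sections from the posted log, plus a
# hypothetical `lpc` Run value (not in the ComboFix log) that mirrors the
# srjmh47.dll autostart MBAM/DDS report elsewhere in this thread.
SAMPLE_REG_DUMP = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-08-14 2532576]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lpc"="rundll32.exe c:\documents and settings\Liz\Application Data\Remote\srjmh47.dll,RegisterDll"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# An autostart image under a user profile, or launched through a DLL host, is the
# shape of the Trojan.Agent Run entries MBAM reports in this thread.
PROFILE_MARKERS = ('\\documents and settings\\', '\\application data\\', '\\local settings\\')
DLL_HOSTS = ('rundll32', 'regsvr32')


def parse_reg_dump(text):
    """Return {section_key: [(value_name, raw_value), ...]}.
    '.' spacers and unquoted lines (the startup-folder items) are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # REGEDIT4 doubles backslashes in value names; undo that.
            name = m.group(1).replace('\\\\', '\\')
            sections[current].append((name, m.group(2).strip()))
    return sections


def as_int(value):
    """Decode both numeric renderings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    m = re.match(r'dword:([0-9a-fA-F]{8})$', value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)\b', value)
    return int(m.group(1)) if m else None


def triage_reg_dump(sections):
    """Return human-readable findings, in the order the sections appear."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        if k.endswith('\\currentversion\\run'):
            for name, value in values:
                v = value.lower()
                if any(p in v for p in PROFILE_MARKERS) or any(h in v for h in DLL_HOSTS):
                    findings.append(f'suspicious autostart {name!r} in {key}: {value}')
        elif k.endswith('\\security center'):
            for name, value in values:
                if name.lower() == 'firewalloverride' and as_int(value) == 1:
                    findings.append('Security Center firewall monitoring overridden (FirewallOverride=1)')
        elif k.endswith('firewallpolicy\\standardprofile'):
            for name, value in values:
                if name.lower() == 'enablefirewall' and as_int(value) == 0:
                    findings.append('Windows Firewall off for the standard profile (EnableFirewall=0)')
        elif k.endswith('\\authorizedapplications\\list'):
            for name, _ in values:
                findings.append(f'firewall exception: {name}')
    return findings


if __name__ == '__main__':
    for finding in triage_reg_dump(parse_reg_dump(SAMPLE_REG_DUMP)):
        print(finding)
```

Run it as-is and it prints six findings for the constructed dump; point `parse_reg_dump` at the text of a real ComboFix log and the same checks apply. The avast, Sygate and MBAM Run entries are not flagged because they live under Program Files and are launched directly.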
  13. Thanks screen317, I did not know about the new version. I bought mbam a while ago and have updated it regularly, but was not aware of newer versions. I have d/l the 1.51 and done a quick scan...here is the log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7655

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

9/5/2011 10:27:43 AM
mbam-log-2011-09-05 (10-27-17).txt

Scan type: Quick scan
Objects scanned: 173558
Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lpc (Trojan.Agent) -> Value: lpc -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Liz\application data\Remote\srjmh47.dll (Trojan.Agent) -> No action taken.

This is the log right after the scan....my mbam log (in the mbam log file) stated that all threats were quarantined and deleted successfully.

and here is the killer log:

2011/09/05 10:42:11.0859 3584 TDSS rootkit removing tool 2.5.18.0 Sep 5 2011 09:53:09
2011/09/05 10:42:13.0859 3584 ================================================================================
2011/09/05 10:42:13.0859 3584 SystemInfo:
2011/09/05 10:42:13.0859 3584
2011/09/05 10:42:13.0859 3584 OS Version: 5.1.2600 ServicePack: 2.0
2011/09/05 10:42:13.0859 3584 Product type: Workstation
2011/09/05 10:42:13.0859 3584 ComputerName: LACEY
2011/09/05 10:42:13.0859 3584 UserName: Liz
2011/09/05 10:42:13.0859 3584 Windows directory: C:\WINDOWS
2011/09/05 10:42:13.0859 3584 System windows directory: C:\WINDOWS
2011/09/05 10:42:13.0859 3584 Processor architecture: Intel x86
2011/09/05 10:42:13.0859 3584 Number of processors: 2
2011/09/05 10:42:13.0859 3584 Page size: 0x1000
2011/09/05 10:42:13.0859 3584 Boot type: Normal boot
2011/09/05 10:42:13.0859 3584 ================================================================================
2011/09/05 10:42:14.0515 3584 Initialize success
2011/09/05 10:42:33.0312 3936 ================================================================================
2011/09/05 10:42:33.0312 3936 Scan started
2011/09/05 10:42:33.0312 3936 Mode: Manual;
2011/09/05 10:42:33.0312 3936 ================================================================================
2011/09/05 10:42:36.0265 3936 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/09/05 10:42:36.0406 3936 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/05 10:42:36.0437 3936 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/05 10:42:36.0578 3936 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2011/09/05 10:42:36.0640 3936 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2011/09/05 10:42:37.0312 3936 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
2011/09/05 10:42:37.0484 3936 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/09/05 10:42:37.0546 3936 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/09/05 10:42:37.0750 3936 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/09/05 10:42:37.0890 3936 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys
2011/09/05 10:42:37.0968 3936 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/09/05 10:42:38.0000 3936 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/05 10:42:38.0078 3936 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/05 10:42:38.0187 3936 AtcL002 (07ed1101f574b93a6312bf5d4241b41a) C:\WINDOWS\system32\DRIVERS\atl02_xp.sys
2011/09/05 10:42:38.0343 3936 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/05 10:42:38.0453 3936 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/05 10:42:38.0546 3936 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/05 10:42:38.0656 3936 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/05 10:42:38.0687 3936 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/09/05 10:42:38.0765 3936 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/05 10:42:38.0796 3936 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/05 10:42:38.0828 3936 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/05 10:42:38.0921 3936 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/09/05 10:42:39.0093 3936 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/05 10:42:39.0156 3936 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/05 10:42:39.0218 3936 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/05 10:42:39.0265 3936 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/05 10:42:39.0296 3936 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/05 10:42:39.0328 3936 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/05 10:42:39.0375 3936 E100B (5e72c8fbba5e949995ceb4d25656f904) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/09/05 10:42:39.0421 3936 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/05 10:42:39.0437 3936 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2011/09/05 10:42:39.0468 3936 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/05 10:42:39.0515 3936 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/05 10:42:39.0562 3936 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/09/05 10:42:39.0625 3936 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/05 10:42:39.0656 3936 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/05 10:42:39.0718 3936 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/05 10:42:39.0796 3936 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/05 10:42:39.0843 3936 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/05 10:42:39.0906 3936 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/05 10:42:39.0968 3936 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/05 10:42:40.0109 3936 ialm (c1c2d6940d6ec2f247b0f3c11e0a18e0) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/09/05 10:42:40.0875 3936 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/05 10:42:40.0921 3936 InCDfs (544f76e71f026099a563c202e2e4a341) C:\WINDOWS\system32\drivers\InCDFs.sys
2011/09/05 10:42:40.0937 3936 InCDPass (13708047b3988ac50e81e524ac32edbe) C:\WINDOWS\system32\drivers\InCDPass.sys
2011/09/05 10:42:40.0968 3936 InCDrec (182edee6cfaeaf5174ae6e6d714cf778) C:\WINDOWS\system32\drivers\InCDrec.sys
2011/09/05 10:42:40.0984 3936 incdrm (367f3d160e7129f057838a341a5339b2) C:\WINDOWS\system32\drivers\InCDRm.sys
2011/09/05 10:42:41.0171 3936 IntcAzAudAddService (915ce2a58c6917e3c53be1e91fa66ba8) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/09/05 10:42:41.0218 3936 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/09/05 10:42:41.0265 3936 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/05 10:42:41.0312 3936 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/09/05 10:42:41.0359 3936 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/05 10:42:41.0375 3936 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/05 10:42:41.0406 3936 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/05 10:42:41.0453 3936 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/05 10:42:41.0500 3936 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/05 10:42:41.0562 3936 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/05 10:42:41.0656 3936 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/05 10:42:41.0703 3936 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/05 10:42:41.0734 3936 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/05 10:42:41.0843 3936 LVPr2Mon (a6919138f29ae45e90e99fa94737e04c) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2011/09/05 10:42:41.0906 3936 LVRS (b895839b8743e400d7c7dae156f74e7e) C:\WINDOWS\system32\DRIVERS\lvrs.sys
2011/09/05 10:42:41.0953 3936 LVUSBSta (23f8ef78bb9553e465a476f3cee5ca18) C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys
2011/09/05 10:42:41.0984 3936 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys
2011/09/05 10:42:42.0015 3936 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/09/05 10:42:42.0093 3936 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/05 10:42:42.0156 3936 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/05 10:42:42.0187 3936 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/05 10:42:42.0203 3936 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/05 10:42:42.0265 3936 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/05 10:42:42.0281 3936 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/05 10:42:42.0312 3936 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/05 10:42:42.0343 3936 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/05 10:42:42.0375 3936 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/05 10:42:42.0390 3936 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/05 10:42:42.0437 3936 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/05 10:42:42.0468 3936 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/09/05 10:42:42.0500 3936 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/05 10:42:42.0515 3936 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/09/05 10:42:42.0609 3936 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/05 10:42:42.0656 3936 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/09/05 10:42:42.0687 3936 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/05 10:42:42.0734 3936 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/05 10:42:42.0750 3936 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/05 10:42:42.0781 3936 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/05 10:42:42.0812 3936 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/05 10:42:42.0859 3936 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/05 10:42:42.0937 3936 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/05 10:42:42.0968 3936 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/05 10:42:43.0015 3936 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/05 10:42:43.0062 3936 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/05 10:42:43.0093 3936 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/05 10:42:43.0187 3936 PalmUSBD (803cf09c795290825607505d37819135) C:\WINDOWS\system32\drivers\PalmUSBD.sys
2011/09/05 10:42:43.0234 3936 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/05 10:42:43.0250 3936 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/05 10:42:43.0281 3936 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/05 10:42:43.0312 3936 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/05 10:42:43.0343 3936 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/05 10:42:43.0375 3936 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/05 10:42:43.0468 3936 pepifilter (a05f0d7419cf4680eedd5736e6549e7b) C:\WINDOWS\system32\DRIVERS\lv302af.sys
2011/09/05 10:42:43.0687 3936 PID_PEPI (4bb5ac2dd485b8eefccb977ee66a68ad) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS
2011/09/05 10:42:43.0750 3936 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/05 10:42:43.0796 3936 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/05 10:42:43.0812 3936 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/05 10:42:43.0859 3936 PxHelp20 (b572ed0c3e6165643fa116af20425a54) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/09/05 10:42:44.0015 3936 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/05 10:42:44.0046 3936 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/05 10:42:44.0078 3936 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/05 10:42:44.0125 3936 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/05 10:42:44.0156 3936 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/05 10:42:44.0171 3936 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/05 10:42:44.0218 3936 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/05 10:42:44.0312 3936 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/05 10:42:44.0406 3936 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/05 10:42:44.0515 3936 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/05 10:42:44.0546 3936 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/05 10:42:44.0593 3936 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/05 10:42:44.0640 3936 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/05 10:42:44.0703 3936 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/09/05 10:42:44.0765 3936 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/05 10:42:44.0796 3936 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/05 10:42:44.0843 3936 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/05 10:42:44.0953 3936 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/09/05 10:42:44.0984 3936 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/05 10:42:45.0015 3936 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/05 10:42:45.0218 3936 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/05 10:42:45.0296 3936 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/05 10:42:45.0359 3936 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/05 10:42:45.0406 3936 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/05 10:42:45.0468 3936 Teefer (04906f0072903bd0280791a562596b95) C:\WINDOWS\system32\Drivers\Teefer.sys
2011/09/05 10:42:45.0546 3936 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/05 10:42:45.0609 3936 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/05 10:42:45.0656 3936 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/05 10:42:45.0703 3936 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/09/05 10:42:45.0734 3936 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/05 10:42:45.0765 3936 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/05 10:42:45.0796 3936 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/05 10:42:45.0843 3936 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/05 10:42:45.0859 3936 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/05 10:42:45.0890 3936 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/09/05 10:42:45.0921 3936 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/05 10:42:45.0968 3936 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/05 10:42:46.0000 3936 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
2011/09/05 10:42:46.0046 3936 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/05 10:42:46.0093 3936 wg3n (038ad5561af23bc9bba3d624daf311f0) C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
2011/09/05 10:42:46.0125 3936 wg4n (266aa247c92f5d202a9cc633142ca425) C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys
2011/09/05 10:42:46.0140 3936 wg5n (c2a06a1673391203c023de8bc60927bc) C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys
2011/09/05 10:42:46.0156 3936 wg6n (2e94e4ef8d985be291cb4573c5dfca35) C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys
2011/09/05 10:42:46.0250 3936 wpsdrvnt (9eb103f5652c9253bad58350aede476d) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2011/09/05 10:42:46.0531 3936 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/05 10:42:46.0593 3936 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/09/05 10:42:46.0593 3936 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/09/05 10:42:46.0609 3936 MBR (0x1B8) (306add9cc3098b7cedfd918955cd6731) \Device\Harddisk1\DR4
2011/09/05 10:42:46.0609 3936 \Device\Harddisk1\DR4 - detected Backdoor.Win32.Sinowal.kmy (0)
2011/09/05 10:42:46.0609 3936 Boot (0x1200) (4f1cd2d2601736911c3c2f2c1d24d594) \Device\Harddisk0\DR0\Partition0
2011/09/05 10:42:46.0640 3936 Boot (0x1200) (6da653e671361b2437dda0cdba03a28c) \Device\Harddisk0\DR0\Partition1
2011/09/05 10:42:46.0671 3936 Boot (0x1200) (dc09798aab97c904450119ce795c9813) \Device\Harddisk0\DR0\Partition2
2011/09/05 10:42:46.0671 3936 Boot (0x1200) (1d4f677201c3da9a48c026b16efbcf2b) \Device\Harddisk1\DR4\Partition0
2011/09/05 10:42:46.0687 3936 ================================================================================
2011/09/05 10:42:46.0687 3936 Scan finished
2011/09/05 10:42:46.0687 3936 ================================================================================
2011/09/05 10:42:46.0687 3924 Detected object count: 2
2011/09/05 10:42:46.0687 3924 Actual detected object count: 2
2011/09/05 10:44:13.0015 3924 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/09/05 10:44:13.0015 3924 \Device\Harddisk0\DR0 - ok
2011/09/05 10:44:13.0015 3924 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/09/05 10:44:13.0046 3924 \Device\Harddisk1\DR4 (Backdoor.Win32.Sinowal.kmy) - cured
2011/09/05 10:44:13.0046 3924 \Device\Harddisk1\DR4 - ok
2011/09/05 10:44:13.0046 3924 Backdoor.Win32.Sinowal.kmy(\Device\Harddisk1\DR4) - User select action: Cure
2011/09/05 10:44:24.0968 0516 Deinitialize success

The program asked for a reboot, but then was unable to shut down. I waited a good long while, then hit the reset button. I just scanned again with the TDSS and it seems this

\Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
\Device\Harddisk0\DR0 - ok

remained...I will attempt a second reboot, and if unsuccessful again, will report back.
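The two TDSSKiller logs in this thread, the 9/5 scan above that found the MBR infections and the 9/7 scan posted earlier on this page that came back clean, are the before/after pair a helper compares by eye. The Python below is an added example for this page, not TDSSKiller or Malwarebytes code, and it assumes only the line formats visible in the posted logs: `MBR (0x1B8) (<hash>) \Device\HarddiskN\DRn` and `Boot (0x1200) ...` records, `\Device\... - detected <threat> (0)` lines, and the `(<threat>) - cured` / `- will be cured after reboot` outcome lines. It encodes two points the logs make. Records are keyed by HarddiskN rather than by DRn, because the DR suffix changed between boots (Harddisk1 is DR4 on 9/5 and DR1 on 9/7). And "will be cured after reboot" is a pending state, which the post above shows can persist when the reboot does not complete, so the cure is only confirmed when the follow-up scan reports a different MBR hash for that disk and no detection. The two sample inputs are excerpts of the posted logs.

```python
"""Parse TDSSKiller logs and confirm an MBR cure across two scans (added example)."""
import re

# Excerpts of the two TDSSKiller logs posted in this thread (constructed sample
# input): the 9/5 scan that found the MBR infections and the 9/7 scan after reboot.
SCAN_2011_09_05 = r"""
2011/09/05 10:42:46.0531 3936 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/05 10:42:46.0593 3936 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/09/05 10:42:46.0593 3936 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/09/05 10:42:46.0609 3936 MBR (0x1B8) (306add9cc3098b7cedfd918955cd6731) \Device\Harddisk1\DR4
2011/09/05 10:42:46.0609 3936 \Device\Harddisk1\DR4 - detected Backdoor.Win32.Sinowal.kmy (0)
2011/09/05 10:42:46.0609 3936 Boot (0x1200) (4f1cd2d2601736911c3c2f2c1d24d594) \Device\Harddisk0\DR0\Partition0
2011/09/05 10:42:46.0687 3924 Detected object count: 2
2011/09/05 10:44:13.0015 3924 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/09/05 10:44:13.0015 3924 \Device\Harddisk0\DR0 - ok
2011/09/05 10:44:13.0046 3924 \Device\Harddisk1\DR4 (Backdoor.Win32.Sinowal.kmy) - cured
2011/09/05 10:44:13.0046 3924 \Device\Harddisk1\DR4 - ok
"""

SCAN_2011_09_07 = r"""
2011/09/07 23:32:21.0208 6484 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/07 23:32:21.0302 6484 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
2011/09/07 23:32:21.0333 6484 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk8\DR14
2011/09/07 23:32:21.0349 6484 Boot (0x1200) (4f1cd2d2601736911c3c2f2c1d24d594) \Device\Harddisk0\DR0\Partition0
2011/09/07 23:32:21.0427 6812 Detected object count: 0
"""

# "<date> <time> <pid> <message>" prefix common to every TDSSKiller log line.
LINE_RE = re.compile(r'^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(.*)$')
RECORD_RE = re.compile(r'^(MBR|Boot) \(0x[0-9A-Fa-f]+\) \(([0-9a-f]{32})\) '
                       r'(\\Device\\Harddisk\d+\\DR\d+(?:\\Partition\d+)?)$')
DETECT_RE = re.compile(r'^(\\Device\\\S+) - detected (\S+) \(\d+\)$')
OUTCOME_RE = re.compile(r'^(\\Device\\\S+) \(([^)]+)\) - '
                        r'(cured|will be cured after reboot|skipped|deleted)$')


def disk_key(device):
    """Key a record by physical disk. The DRn suffix is a per-boot enumeration
    (Harddisk1 is DR4 on 9/5 and DR1 on 9/7 above), so it cannot be matched
    across scans; HarddiskN can."""
    m = re.search(r'Harddisk\d+', device)
    return m.group(0) if m else device


def parse_tdsskiller(text):
    """Return {'mbr': {disk: hash}, 'boot': {device: hash},
    'detections': {disk: threat}, 'outcomes': {disk: action_result}}."""
    scan = {'mbr': {}, 'boot': {}, 'detections': {}, 'outcomes': {}}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank, banner or header lines
        msg = m.group(1)
        r = RECORD_RE.match(msg)
        if r:
            kind, digest, device = r.groups()
            if kind == 'MBR':
                scan['mbr'][disk_key(device)] = digest
            else:
                scan['boot'][device] = digest
            continue
        d = DETECT_RE.match(msg)
        if d:
            scan['detections'][disk_key(d.group(1))] = d.group(2)
            continue
        o = OUTCOME_RE.match(msg)
        if o:
            scan['outcomes'][disk_key(o.group(1))] = o.group(3)
    return scan


def compare_scans(before, after):
    """For each disk flagged in `before`, say what `after` shows. A
    'will be cured after reboot' outcome is only pending; the cure is real
    when the follow-up scan has a different MBR hash and no detection."""
    verdicts = {}
    for disk, threat in before['detections'].items():
        old, new = before['mbr'].get(disk), after['mbr'].get(disk)
        if new is None:
            verdicts[disk] = f'{threat}: disk not present in follow-up scan'
        elif disk in after['detections']:
            verdicts[disk] = f'{threat}: still detected'
        elif old == new:
            verdicts[disk] = f'{threat}: no longer flagged but MBR hash unchanged, re-check'
        else:
            verdicts[disk] = f'{threat}: remediated, MBR rewritten'
    return verdicts


if __name__ == '__main__':
    before = parse_tdsskiller(SCAN_2011_09_05)
    after = parse_tdsskiller(SCAN_2011_09_07)
    for disk, verdict in compare_scans(before, after).items():
        print(disk, before['outcomes'].get(disk), '->', verdict)
```

Feed `parse_tdsskiller` the full text of two TDSSKiller logs and `compare_scans` gives one line per infected disk. Running it on the excerpts above reports both disks as remediated; running it with the 9/5 log as both "before" and "after" reproduces the "still detected" situation the post above describes after the failed shutdown.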
  14. Thank you screen317 for your help. I have updated and run mbam and here is the log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 7642

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

9/3/2011 10:37:58 AM
mbam-log-2011-09-03 (10-37-58).txt

Scan type: Quick scan
Objects scanned: 171254
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I also d/l DDS and here is its log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Liz at 10:43:03 on 2011-09-03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1402 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.sygate.com/swat/support/spf50_reg.htm
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [smcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [securDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [inCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
dRun: [lpc] rundll32.exe "c:\documents and settings\liz\application data\remote\srjmh47.dll",RegisterDll
StartupFolder: c:\docume~1\liz\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\documents and settings\liz\start menu\programs\startup\PowerReg Scheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: aol.com\free
TCP: Interfaces\{7EB5D41B-9A63-430D-B471-96F9CBA271B9} : NameServer = 192.168.254.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\liz\application data\mozilla\firefox\profiles\dlx4dmml.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 57717
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-9-19 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-19 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-27 40384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-9-18 303952]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-5-16 102400]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-27 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-27 40384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-9-18 20824]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-4-7 11520]
S4 vsdatant;vsdatant; [x]
.
=============== File Associations ===============
.
txtfile=c:\windows\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-08-31 12:21:46 -------- d-----w- c:\documents and settings\liz\application data\Remote 2011-08-30 19:56:22 -------- d-----w- c:\windows\system32\wbem\repository\FS 2011-08-30 19:56:22 -------- d-----w- c:\windows\system32\wbem\Repository 2011-08-25 21:29:19 -------- d-----w- c:\program files\Everything 2011-08-24 13:03:27 -------- d-----w- c:\documents and settings\liz\application data\pdftoepub 2011-08-24 13:03:09 -------- d-----w- c:\program files\PDFtoEPUB . ==================== Find3M ==================== . 2011-08-31 12:01:54 69632 ----a-w- c:\windows\system32\realbap1.dll 2011-08-31 12:01:48 45568 ----a-w- c:\windows\system32\realbsf1.dll . =================== ROOTKIT ==================== . Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net Windows 5.1.2600 Disk: ST3500830AS rev.3.AAC -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e . device: opened successfully user: MBR read successfully . Disk trace: called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A67B4D0]<< _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a6817d0]; MOV EAX, [0x8a68184c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; } 1 nt!IofCallDriver[0x804E19BC] -> \Device\Harddisk0\DR0[0x8A7812C0] 3 CLASSPNP[0xF763805B] -> nt!IofCallDriver[0x804E19BC] -> \Device\00000071[0x8A6A69E8] 5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E19BC] -> [0x8A72AD98] \Driver\atapi[0x8A728F38] -> IRP_MJ_CREATE -> 0x8A67B4D0 error: Read A device attached to the system is not functioning. 
kernel: MBR read successfully _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; } detected disk devices: detected hooks: \Driver\atapi DriverStartIo -> 0x8A67B31B user & kernel MBR OK Warning: possible TDL3 rootkit infection ! . ============= FINISH: 10:44:11.54 =============== I cannot ordinarily connect to the internet anymore, since, whenever I do, I get hammered with malicious URL's
  15. I picked up a Trojan a couple of days ago and the following happened: the machine shut down, then was unable to re-boot, being trapped in a loop, unable to load the OS. We disconnected all drives except the C and were able to finally boot after disconnecting from the network. Mbam was able to remove the malware. It had set Firefox to a proxy setting and IE8 was redirecting as well... changed all those settings, and it seemed that the battle was won, as I was able to boot normally (if perhaps a bit slow). We then reconnected the drives and that set us back to square one... cannot boot with the drives connected. Last night after disconnecting the drives again, I ran HouseCall, which found NO malware, but Avast keeps catching malware trying to get in. I would just reinstall the OS, but at this point I don't know if there is malware on the other drives :-(. Here is what mbam caught:

      Malwarebytes' Anti-Malware 1.45
      www.malwarebytes.org
      Database version: 7569
      Windows 5.1.2600 Service Pack 2
      Internet Explorer 8.0.6001.18702
      8/30/2011 3:11:15 PM
      mbam-log-2011-08-30 (15-11-15).txt
      Scan type: Full scan (C:\|)
      Objects scanned: 235866
      Time elapsed: 23 minute(s), 12 second(s)
      Memory Processes Infected: 1
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 2
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 1
      Memory Processes Infected:
      C:\Documents and Settings\Liz\Application Data\Microsoft\conhost.exe (Trojan.Agent) -> Failed to unload process.
      Memory Modules Infected:
      (No malicious items detected)
      Registry Keys Infected:
      (No malicious items detected)
      Registry Values Infected:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\proxyserver (PUM.Bad.Proxy) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Quarantined and deleted successfully.
      Registry Data Items Infected:
      (No malicious items detected)
      Folders Infected:
      (No malicious items detected)
      Files Infected:
      C:\Documents and Settings\Liz\Application Data\Microsoft\conhost.exe (Trojan.Agent) -> Delete on reboot.

      Subsequent mbam scans are clean. Thanks in advance for any help. P.S. Sorry, forgot to add... I don't know if Defogger worked, because it never asked for a reboot and the "disable" window stayed on the desktop.
  16. Would it be possible for someone to help me please? Thanks in advance!
  17. I have noticed that some of my programs are subtly affected also. Here is an HJT log:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 8:29:14 PM, on 9/23/2009
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Boot mode: Normal
      -- End of file - 7113 bytes

      and a mbam log:

      Malwarebytes' Anti-Malware 1.41
      Database version: 2822
      Windows 5.1.2600 Service Pack 2
      9/23/2009 8:35:01 PM
      mbam-log-2009-09-23 (20-35-01).txt
      Scan type: Quick Scan
      Objects scanned: 95615
      Time elapsed: 2 minute(s), 24 second(s)
      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0
      Memory Processes Infected:
      (No malicious items detected)
      Memory Modules Infected:
      (No malicious items detected)
      Registry Keys Infected:
      (No malicious items detected)
      Registry Values Infected:
      (No malicious items detected)
      Registry Data Items Infected:
      (No malicious items detected)
      Folders Infected:
      (No malicious items detected)
      Files Infected:
      (No malicious items detected)

      If someone would be so kind as to look at these, and hopefully help me get my search back and my progs in order, I would muchly appreciate that. Liz
  18. So sorry I have to get back into this thread :-(. It seems that after the clean-up of my pc, my search function is not working properly anymore, with the drives searched in random order and searched again and again. This is what is happening when I try to search: I go to Start > Search > "filexyz"... (parameters given are all the hard drives, starting with "C"). It will find "filexyz" on D drive, on Q drive and on F drive, then again on D and Q and F... it never stops... it seems to be in a loop, finding the same files over and over, but not in the order of the drives given (i.e. C, D, E, F). The filexyz found are the correct files I was looking for. So, it actually works, but does not quit working and does not give me the results in the correct alphabetical hard disk order. The only thing I did since Sunday was to register Malwarebytes and schedule scanning, request file extensions which seemed to have disappeared during the clean-up, and scan with AVAST.
  19. I am sorry yardbird, I misstated the title of my post, but could not edit it :-(. I go to Start > Search > "filexyz"... (parameters given are all the hard drives, starting with "C"). It will find "filexyz" on D drive, on Q drive and on F drive, then again on D and Q and F... it never stops... it seems to be in a loop, finding the same files over and over, but not in the order of the drives given (i.e. C, D, E, F). The filexyz found are the correct files I was looking for. So, it actually works, but does not quit working and does not give me the results in the correct alphabetical hard disk order.
  20. Thanks to the help from this forum, I was able to clean my pc of malware. However, now I find that my search function is not working properly. The drives searched are in random order and are searched repeatedly. If anyone could help me fix this, I would much appreciate it.
  21. Thank you Mona, I believe you just told me how I got infected. Your tip is now making the rounds among my family and friends.
  22. Hi JSntgRvr, I know you must hear this every day, several times, but you really have been a lifesaver. Your instructions have been extremely clear and easy to follow, even by this uninformed user. Also much appreciated are your closing remarks, since I will do my best not to get into this situation again... even though I still don't know how I got the darn thing. I was not surfing "questionable" sites, or doing anything which should have left me exposed to this attack, but hopefully AVAST and Malwarebytes will keep me out of trouble in the future. The Recovery Console was installed by ComboFix as a pre-requisite to the scan and I left it in place. It is rare nowadays to find such helpful and thorough advice and support and I was very lucky to find it. Thank YOU!!!! Liz
  23. Hi JSntgRvr, I think the comp is ok, it is running ok and also seems to boot faster. I'm sorry I was too tired to follow your instructions last night, but did so today. I ran the RenFix, have a new restore point and ComboFix is gone, but I still have Win32Diag and Avenger on my desktop... how can I delete those? Thanks yet once more, Liz
  24. Hi JSntgRvr, ahhhh, but this time it worked:

      Microsoft Windows XP [Version 5.1.2600]
      © Copyright 1985-2001 Microsoft Corp.

      C:\Documents and Settings\Liz>Expand O:\i386\Proquota.ex_ C:\Windows\System32
      Microsoft ® File Expansion Utility Version 5.1.2600.0
      Copyright © Microsoft Corp 1990-1999. All rights reserved.
      Expanding o:\i386\proquota.ex_ to c:\windows\system32\proquota.ex_.
      o:\i386\proquota.ex_: 26379 bytes expanded to 50176 bytes, 90% increase.

      C:\Documents and Settings\Liz>Expand O:\i386\Proquota.ex_ C:\Windows\System32\dllcache
      Microsoft ® File Expansion Utility Version 5.1.2600.0
      Copyright © Microsoft Corp 1990-1999. All rights reserved.
      Expanding o:\i386\proquota.ex_ to c:\windows\system32\dllcache\proquota.ex_.
      o:\i386\proquota.ex_: 26379 bytes expanded to 50176 bytes, 90% increase.

      C:\Documents and Settings\Liz>

      I did remove AVG before installing Avast, but forgot about BoClean (Comodo), but Avast installed fine, and I finally could get my mail... now if I just could find where to schedule scanning, all would be well (I don't think that my version of BoClean was working anymore, but I removed it belatedly)... Liz