BryanLeaman

Everything posted by BryanLeaman

  1. Looks clean. ESET found a false positive -- an upload script I wrote to push changed files to a web server via FTP. Otherwise the computer is clean as a whistle. Since running TDSSKiller I haven't had any blocked outgoing IP address issues either.

     Malwarebytes' Anti-Malware 1.50.1.1100
     www.malwarebytes.org

     Database version: 5461

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     1/4/2011 8:24:44 PM
     mbam-log-2011-01-04 (20-24-44).txt

     Scan type: Quick scan
     Objects scanned: 175082
     Time elapsed: 8 minute(s), 59 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     C:\Documents and Settings\Ann\My Documents\Ohio Conference\Web page\Upload.js probably unknown SCRIPT virus deleted - quarantined

     --Bryan
  2. Samuel, Thanks. That appears to be all that needed to be done. I've added the startup registry entry and it's working fine now. --Bryan
  3. I just recently noticed that Malwarebytes' Anti-Malware protection module is disabled after I reboot. It lets me enable it again, but when I reboot, I have to start up Anti-Malware and turn on the protection module all over again. --Bryan P.S. Anti-Malware has been a wonderful tool. I've licensed it on my 2 Windows PCs, my daughter's notebook and just recently for my Mom's new notebook too. Thanks!
  4. I hope you don't mind, but I peeked at another forum post that listed the same IP addresses being blocked that I'm experiencing (Malwarebytes forum thread). As suggested in that thread, I downloaded Kaspersky's TDSSKiller and ran it and it seems to have cleared up the problem. It found TDSS.tdl4 rootkit and removed it. Here's the log:

     2011/01/03 20:10:50.0375 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
     2011/01/03 20:10:50.0375 ================================================================================
     2011/01/03 20:10:50.0375 SystemInfo:
     2011/01/03 20:10:50.0375
     2011/01/03 20:10:50.0375 OS Version: 5.1.2600 ServicePack: 3.0
     2011/01/03 20:10:50.0375 Product type: Workstation
     2011/01/03 20:10:50.0375 ComputerName: PRESARIO
     2011/01/03 20:10:50.0375 UserName: Ann
     2011/01/03 20:10:50.0375 Windows directory: C:\WINDOWS
     2011/01/03 20:10:50.0375 System windows directory: C:\WINDOWS
     2011/01/03 20:10:50.0375 Processor architecture: Intel x86
     2011/01/03 20:10:50.0375 Number of processors: 1
     2011/01/03 20:10:50.0375 Page size: 0x1000
     2011/01/03 20:10:50.0375 Boot type: Normal boot
     2011/01/03 20:10:50.0375 ================================================================================
     2011/01/03 20:10:52.0171 Initialize success
     2011/01/03 20:10:57.0093 ================================================================================
     2011/01/03 20:10:57.0093 Scan started
     2011/01/03 20:10:57.0093 Mode: Manual;
     2011/01/03 20:10:57.0093 ================================================================================
     2011/01/03 20:10:59.0187 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
     2011/01/03 20:10:59.0453 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
     2011/01/03 20:10:59.0609 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
     2011/01/03 20:10:59.0812 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
     2011/01/03 20:10:59.0984 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
     2011/01/03 20:11:00.0171 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
     2011/01/03 20:11:00.0390 AgereSoftModem (51a66c689ad9b9a953f75496209ae520) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
     2011/01/03 20:11:00.0875 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
     2011/01/03 20:11:01.0046 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
     2011/01/03 20:11:01.0468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
     2011/01/03 20:11:01.0609 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
     2011/01/03 20:11:01.0843 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
     2011/01/03 20:11:01.0953 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
     2011/01/03 20:11:02.0000 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
     2011/01/03 20:11:02.0109 bb-run (7270d070173b20ac9487ea16bb08b45f) C:\WINDOWS\system32\DRIVERS\bb-run.sys
     2011/01/03 20:11:02.0250 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
     2011/01/03 20:11:02.0390 BW2NDIS5 (71cb7616cb36d43ea787c41ab55fe458) C:\WINDOWS\system32\Drivers\BW2NDIS5.sys
     2011/01/03 20:11:02.0562 C-Dilla (2423d6259dd63a6f1ffd3d3684b941e5) C:\WINDOWS\system32\drivers\CDANT.SYS
     2011/01/03 20:11:02.0750 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
     2011/01/03 20:11:02.0859 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
     2011/01/03 20:11:03.0000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
     2011/01/03 20:11:03.0203 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
     2011/01/03 20:11:03.0406 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
     2011/01/03 20:11:03.0921 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
     2011/01/03 20:11:04.0109 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
     2011/01/03 20:11:04.0609 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
     2011/01/03 20:11:04.0687 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
     2011/01/03 20:11:04.0843 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
     2011/01/03 20:11:04.0984 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
     2011/01/03 20:11:05.0140 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
     2011/01/03 20:11:05.0328 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
     2011/01/03 20:11:05.0468 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
     2011/01/03 20:11:05.0609 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
     2011/01/03 20:11:05.0750 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
     2011/01/03 20:11:05.0984 FPAV_RTP (a98b9d16a38df7afdc1a465925d03884) C:\WINDOWS\system32\DRIVERS\FStopW.sys
     2011/01/03 20:11:06.0218 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
     2011/01/03 20:11:06.0359 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
     2011/01/03 20:11:06.0484 ftsata2 (22399d3ce5840c6082844679cca5d2fc) C:\WINDOWS\system32\DRIVERS\ftsata2.sys
     2011/01/03 20:11:06.0656 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
     2011/01/03 20:11:06.0734 hamachi (64b48a0d899deca24c424a2cac3ecffa) C:\WINDOWS\system32\DRIVERS\hamachi.sys
     2011/01/03 20:11:06.0859 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
     2011/01/03 20:11:06.0937 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
     2011/01/03 20:11:07.0156 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
     2011/01/03 20:11:07.0437 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
     2011/01/03 20:11:07.0687 iaStor (9a65e42664d1534b68512caad0efe963) C:\WINDOWS\system32\DRIVERS\iaStor.sys
     2011/01/03 20:11:08.0046 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
     2011/01/03 20:11:08.0359 IntcAzAudAddService (90e1b42e49d9e91e5accaaaaefa10ce8) C:\WINDOWS\system32\drivers\RtkHDAud.sys
     2011/01/03 20:11:08.0671 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
     2011/01/03 20:11:08.0796 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
     2011/01/03 20:11:08.0890 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
     2011/01/03 20:11:09.0000 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
     2011/01/03 20:11:09.0125 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
     2011/01/03 20:11:09.0203 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
     2011/01/03 20:11:09.0437 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
     2011/01/03 20:11:09.0562 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
     2011/01/03 20:11:09.0828 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
     2011/01/03 20:11:09.0937 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
     2011/01/03 20:11:10.0093 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
     2011/01/03 20:11:10.0250 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
     2011/01/03 20:11:10.0625 MBAMProtector (836e0e09ca9869be7eb39ef2cf3602c7) C:\WINDOWS\system32\drivers\mbam.sys
     2011/01/03 20:11:10.0796 MLPTDR_C (a0559040b0df7403ddcd9574cb2694de) C:\WINDOWS\system32\MLPTDR_C.sys
     2011/01/03 20:11:10.0921 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
     2011/01/03 20:11:11.0046 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
     2011/01/03 20:11:11.0171 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
     2011/01/03 20:11:11.0328 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
     2011/01/03 20:11:11.0484 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
     2011/01/03 20:11:11.0671 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
     2011/01/03 20:11:11.0937 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
     2011/01/03 20:11:12.0343 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
     2011/01/03 20:11:12.0468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
     2011/01/03 20:11:12.0578 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
     2011/01/03 20:11:12.0687 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
     2011/01/03 20:11:12.0734 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
     2011/01/03 20:11:12.0812 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
     2011/01/03 20:11:12.0859 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
     2011/01/03 20:11:12.0953 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
     2011/01/03 20:11:13.0078 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
     2011/01/03 20:11:13.0234 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
     2011/01/03 20:11:13.0359 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
     2011/01/03 20:11:13.0500 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
     2011/01/03 20:11:13.0734 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
     2011/01/03 20:11:13.0937 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
     2011/01/03 20:11:14.0109 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
     2011/01/03 20:11:14.0234 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
     2011/01/03 20:11:14.0593 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
     2011/01/03 20:11:14.0984 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
     2011/01/03 20:11:15.0265 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
     2011/01/03 20:11:15.0718 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
     2011/01/03 20:11:16.0171 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
     2011/01/03 20:11:16.0984 nv (77be0cee4e4a17474650d38ccc9d5579) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
     2011/01/03 20:11:18.0000 NVENETFD (2a7a2c6ab9631028b6e3a4159aa65705) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
     2011/01/03 20:11:18.0312 nvnetbus (20526a8827dc0956b5526aebcb6751a0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
     2011/01/03 20:11:18.0515 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
     2011/01/03 20:11:18.0937 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
     2011/01/03 20:11:19.0281 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
     2011/01/03 20:11:19.0687 OMAWGU(Belkin Corporation) (0c2cb1c6e7d23ff74832839f2fb25163) C:\WINDOWS\system32\DRIVERS\OMAWGU.sys
     2011/01/03 20:11:20.0218 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
     2011/01/03 20:11:21.0046 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
     2011/01/03 20:11:21.0468 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
     2011/01/03 20:11:21.0812 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
     2011/01/03 20:11:22.0890 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
     2011/01/03 20:11:23.0343 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
     2011/01/03 20:11:24.0890 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
     2011/01/03 20:11:25.0203 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
     2011/01/03 20:11:25.0687 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
     2011/01/03 20:11:26.0031 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
     2011/01/03 20:11:26.0640 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
     2011/01/03 20:11:27.0750 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
     2011/01/03 20:11:27.0968 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
     2011/01/03 20:11:28.0234 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
     2011/01/03 20:11:28.0578 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
     2011/01/03 20:11:29.0015 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
     2011/01/03 20:11:29.0234 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
     2011/01/03 20:11:29.0531 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
     2011/01/03 20:11:30.0125 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
     2011/01/03 20:11:30.0546 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
     2011/01/03 20:11:30.0984 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
     2011/01/03 20:11:31.0203 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
     2011/01/03 20:11:31.0515 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
     2011/01/03 20:11:31.0812 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
     2011/01/03 20:11:32.0187 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
     2011/01/03 20:11:32.0671 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
     2011/01/03 20:11:32.0828 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
     2011/01/03 20:11:33.0250 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
     2011/01/03 20:11:33.0500 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
     2011/01/03 20:11:33.0781 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
     2011/01/03 20:11:34.0000 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
     2011/01/03 20:11:34.0843 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
     2011/01/03 20:11:35.0187 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
     2011/01/03 20:11:35.0484 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
     2011/01/03 20:11:35.0609 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
     2011/01/03 20:11:35.0828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
     2011/01/03 20:11:36.0421 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
     2011/01/03 20:11:36.0609 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
     2011/01/03 20:11:36.0984 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
     2011/01/03 20:11:37.0265 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
     2011/01/03 20:11:37.0562 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
     2011/01/03 20:11:37.0828 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
     2011/01/03 20:11:38.0062 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
     2011/01/03 20:11:38.0250 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
     2011/01/03 20:11:38.0515 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
     2011/01/03 20:11:38.0750 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
     2011/01/03 20:11:38.0968 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
     2011/01/03 20:11:39.0156 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
     2011/01/03 20:11:39.0390 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
     2011/01/03 20:11:39.0687 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
     2011/01/03 20:11:40.0062 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
     2011/01/03 20:11:40.0562 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\Drivers\wpdusb.sys
     2011/01/03 20:11:40.0796 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
     2011/01/03 20:11:40.0937 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
     2011/01/03 20:11:41.0093 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
     2011/01/03 20:11:41.0093 ================================================================================
     2011/01/03 20:11:41.0093 Scan finished
     2011/01/03 20:11:41.0093 ================================================================================
     2011/01/03 20:11:41.0125 Detected object count: 1
     2011/01/03 20:12:02.0046 \HardDisk1 - will be cured after reboot
     2011/01/03 20:12:02.0046 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
     2011/01/03 20:12:05.0796 Deinitialize success

     Thank you so much for your assistance!

     --Bryan
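When a responder has to read several TDSSKiller logs like the one above (or compare one against an earlier clean run of the same machine), it helps to turn the free-text lines into records: the driver inventory (name, MD5, path), the detection, the chosen action, and whether a reboot is still pending. The Python below is an added example, not code from the post, from Malwarebytes or from Kaspersky. The sample lines are constructed in the shape of the 2.4.12.0 log quoted in the post, the regular expressions are assumptions about that format derived from those lines, and the baseline dictionary of previously seen driver hashes is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: lines in the shape of the TDSSKiller 2.4.12.0 log
# quoted in the post above (a few driver inventory lines plus the detection).
SAMPLE_LOG = """\
2011/01/03 20:10:57.0093 Scan started
2011/01/03 20:10:57.0093 Mode: Manual;
2011/01/03 20:10:59.0453 ACPI (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
2011/01/03 20:11:01.0609 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
2011/01/03 20:11:10.0625 MBAMProtector (836e0e09ca9869be7eb39ef2cf3602c7) C:\\WINDOWS\\system32\\drivers\\mbam.sys
2011/01/03 20:11:19.0687 OMAWGU(Belkin Corporation) (0c2cb1c6e7d23ff74832839f2fb25163) C:\\WINDOWS\\system32\\DRIVERS\\OMAWGU.sys
2011/01/03 20:11:41.0093 \\HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/03 20:11:41.0093 Scan finished
2011/01/03 20:11:41.0125 Detected object count: 1
2011/01/03 20:12:02.0046 \\HardDisk1 - will be cured after reboot
2011/01/03 20:12:02.0046 Rootkit.Win32.TDSS.tdl4(\\HardDisk1) - User select action: Cure
"""

# Assumed line shapes, derived from the log quoted in the post.
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) (.*)$")
DRIVER_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(r"^(?P<obj>\S+) - detected (?P<threat>\S+)")
REBOOT_RE = re.compile(r"^(?P<obj>\S+) - will be cured after reboot$")
ACTION_RE = re.compile(r"^(?P<threat>[^(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class DriverEntry:
    ts: str
    name: str
    md5: str   # lower-cased hex
    path: str


@dataclass
class Detection:
    ts: str
    obj: str
    threat: str
    action: Optional[str] = None
    reboot_required: bool = False


def parse_tdsskiller(text: str) -> Tuple[List[DriverEntry], List[Detection]]:
    """Split a TDSSKiller log into driver inventory records and detections.
    Follow-up lines (cure-after-reboot, user action) are attached to the
    detection with the same object name, so each object yields one record."""
    drivers: List[DriverEntry] = []
    detections: Dict[str, Detection] = {}
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue            # banners and blank lines carry no timestamp+message
        ts, msg = m.groups()
        if (d := DRIVER_RE.match(msg)):
            drivers.append(DriverEntry(ts, d["name"], d["md5"].lower(), d["path"]))
        elif (d := DETECT_RE.match(msg)):
            detections[d["obj"]] = Detection(ts, d["obj"], d["threat"])
        elif (d := REBOOT_RE.match(msg)) and d["obj"] in detections:
            detections[d["obj"]].reboot_required = True
        elif (d := ACTION_RE.match(msg)) and d["obj"] in detections:
            detections[d["obj"]].action = d["action"]
    return drivers, list(detections.values())


def unknown_drivers(drivers: List[DriverEntry], baseline: Dict[str, str]) -> List[DriverEntry]:
    """Return drivers that are missing from a known-good baseline (lower-cased
    path -> expected MD5) or whose hash differs from the recorded one."""
    out = []
    for d in drivers:
        expected = baseline.get(d.path.lower())
        if expected is None or expected.lower() != d.md5:
            out.append(d)
    return out


def summarize(text: str, baseline: Dict[str, str]) -> dict:
    """One triage record per log: what was detected, what was done, what is
    left to verify after reboot, and which drivers deserve a second look."""
    drivers, detections = parse_tdsskiller(text)
    return {
        "drivers_seen": len(drivers),
        "detections": [(x.obj, x.threat, x.action, x.reboot_required) for x in detections],
        "reboot_required": any(x.reboot_required for x in detections),
        "review": [d.name for d in unknown_drivers(drivers, baseline)],
    }


# Hypothetical baseline: hashes recorded from an earlier clean scan of the same
# machine. mbam.sys is deliberately absent so the review path is exercised.
BASELINE = {
    r"c:\windows\system32\drivers\acpi.sys": "8fd99680a539792a30e97944fdaecf17",
    r"c:\windows\system32\drivers\atapi.sys": "9f3a2f5aa6875c72bf062c712cfa2674",
    r"c:\windows\system32\drivers\omawgu.sys": "0c2cb1c6e7d23ff74832839f2fb25163",
}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, BASELINE))
```

The "review" list is the useful output on a machine like the one in this thread: a driver the baseline has never seen (the post before this one describes finding kpylirel.sys that way) surfaces immediately instead of being buried in 150 inventory lines, and the reboot_required flag reminds the responder that a "cured after reboot" entry still needs a second scan to confirm.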
  5. Thanks for your continued assistance.

     (A little background)

     The kpylirel.sys file you mentioned was one I discovered earlier last month and submitted to Malwarebytes mid-December, since it didn't detect it. At the time my PC was trying to make hundreds of SMTP connections at a time. I booted Knoppix off a CD in order to remove it, as I was unable to manually remove it while windows was running. As far as I can tell, the kpylirel.sys file has not re-appeared. Removing kpylirel.sys stopped the SMTP connections, but I am still getting many blocked outgoing connection attempts reported by Anti-Malware (and an unknown number of allowed connections?) when I'm not running anything other than Firefox, using this forum.

     This was in addition to several other malware programs I discovered and removed (manually & via scanning with Anti-Malware and F-Prot antivirus) including WhiteSmoke Translator and Toolbar. These last ones I discovered within minutes of the infection because the PC was running very slowly and I just happened to ask my son to let me use it -- about 10 minutes after the creation date on the WhiteSmoke stuff.

     (Current)

     I followed your instructions and Combofix.exe reported finding the TDL3 rootkit, later reported rootkit activity & rebooted and continued. Here's the log:

     ComboFix 11-01-02.04 - Ann 01/03/2011 9:48.2.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.558 [GMT -5:00]
     Running from: c:\documents and settings\Ann\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Ann\Desktop\CFScript.txt
     AV: F-PROT Antivirus for Windows *Disabled/Updated* {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}
      * Resident AV is active

     FILE ::
     "c:\windows\system32\drivers\kpylirel.sys"
     "c:\windows\system32\tspkgk.dll"
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\system32\tspkgk.dll
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_KPYLIREL
     -------\Service_kpylirel

     ((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
     .
     2011-01-03 14:27 . 2011-01-03 14:28 -------- d-----w- C:\32788R22FWJFW.0.tmp
     2010-12-31 19:06 . 2010-12-31 19:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird
     2010-12-31 19:06 . 2010-12-31 19:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird
     2010-12-17 03:52 . 2010-12-17 03:52 -------- d-----w- c:\documents and settings\Ann\Application Data\Amazon
     2010-12-17 03:46 . 2010-12-17 03:46 -------- d-----w- c:\program files\Amazon
     2010-12-16 13:27 . 2010-12-28 15:57 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
     2010-12-16 13:27 . 2010-12-16 13:27 -------- d-----w- c:\documents and settings\Ann\Application Data\Corel
     2010-12-16 02:59 . 2010-12-16 02:59 -------- d-----w- c:\documents and settings\Ann\Application Data\FRISK Software
     2010-12-16 01:44 . 2010-12-16 01:44 -------- d-----w- c:\program files\Common Files\Protexis
     2010-12-16 01:44 . 2010-12-16 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
     2010-12-16 01:43 . 2010-12-16 01:43 -------- d-----w- c:\program files\Common Files\Corel
     2010-12-16 01:41 . 2010-12-16 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Borland
     2010-12-16 01:41 . 2010-12-16 01:41 -------- d-----w- c:\program files\Common Files\Borland Shared
     2010-12-16 01:34 . 2010-12-16 01:34 -------- d-----w- c:\program files\Corel
     2010-12-14 16:53 . 2010-12-14 16:53 -------- d-----w- c:\documents and settings\Ann\Application Data\TrojanHunter
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-12-20 23:09 . 2008-10-06 01:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-12-20 23:08 . 2008-10-06 01:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-12-17 03:57 . 2009-05-27 19:40 89680 ------w- c:\documents and settings\Ann\MSSSerif120.fon
     2007-08-06 16:07 . 2007-11-22 01:43 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
     2007-09-28 23:57 . 2007-09-28 23:57 6275816 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
     2007-07-18 18:54 . 2007-11-22 01:43 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
     2007-09-28 23:57 . 2007-09-28 23:57 6275816 ----a-w- c:\program files\opera\program\plugins\ScorchPDFWrapper.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "DIMDownloading your update..1285781009224"="c:\program files\Corel\WordPerfect Office X5\Programs\DIM.exe" [2010-02-18 107880]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-01 7311360]
     "EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
     "UPSMON"="c:\program files\UPSMON\UPSMON.exe" [2005-03-30 429568]
     "F-PROT Antivirus Tray application"="c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2010-07-05 1674032]
     "QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X5\Programs\QFSCHD150.EXE" [2010-03-12 136600]
     "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-22 180269]

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
     @="Service"

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk
     backup=c:\windows\pss\Lotus QuickStart.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^Ann^Start Menu^Programs^Startup^AOL OpenRide.lnk]
     path=c:\documents and settings\Ann\Start Menu\Programs\Startup\AOL OpenRide.lnk
     backup=c:\windows\pss\AOL OpenRide.lnkStartup

     [HKLM\~\startupfolder\C:^Documents and Settings^Bryan^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
     path=c:\documents and settings\Bryan\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
     backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
     2005-09-01 20:24 942080 ----a-w- c:\program files\EarthLink TotalAccess\TaskPanl.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
     2005-02-17 14:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
     2005-12-01 20:02 1519616 ----a-w- c:\windows\system32\nwiz.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
     2007-06-29 10:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
     2004-12-14 10:23 663552 ----a-w- c:\windows\CREATOR\Remind_XP.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
     2006-02-22 10:48 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USSShReg]
     1997-11-23 08:16 20992 ----a-w- c:\progra~1\ULEADS~1\ULEADP~1\SSaver\USSSHREG.EXE

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
     "EarthLinkMonitor"=2 (0x2)

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
     "c:\\Program Files\\Online Services\\Aol\\InstallAol.exe"=
     "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
     "c:\\WINDOWS\\system32\\sessmgr.exe"=
     "c:\\WINDOWS\\system32\\ftp.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\MSN Messenger\\livecall.exe"=
     "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
     "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

     R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [11/28/2007 9:50 PM 700632]
     R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [11/3/2010 4:40 PM 83624]
     R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/5/2008 8:57 PM 363344]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/5/2008 8:57 PM 20952]
     S2 MLPTDR_C;MLPTDR_C;c:\windows\system32\MLPTDR_C.SYS [5/31/2002 5:04 PM 19296]
     S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
     S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
     S3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);c:\windows\system32\drivers\OMAWGU.sys [10/23/2007 10:32 PM 408064]
     S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
     S4 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
     mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
     uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
     uInternet Settings,ProxyOverride = <local>
     uInternet Settings,ProxyServer = 192.168.1.3:3128
     IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
     LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
     TCP: {DE062798-F8BE-461F-90A3-B4F34C3B3450} = 207.69.188.185,207.69.188.186
     FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ofxf3dwh.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
     FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=
     FF - prefs.js: network.proxy.ftp - 192.168.1.3
     FF - prefs.js: network.proxy.ftp_port - 3128
     FF - prefs.js: network.proxy.gopher - 192.168.1.3
     FF - prefs.js: network.proxy.gopher_port - 3128
     FF - prefs.js: network.proxy.http - 192.168.1.3
     FF - prefs.js: network.proxy.http_port - 3128
     FF - prefs.js: network.proxy.socks - 192.168.1.3
     FF - prefs.js: network.proxy.socks_port - 3128
     FF - prefs.js: network.proxy.ssl - 192.168.1.3
     FF - prefs.js: network.proxy.ssl_port - 3128
     FF - prefs.js: network.proxy.type - 0
     FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
     .
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2011-01-03 10:07
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0
     **************************************************************************
     Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
     Windows 5.1.2600 Disk: Maxtor_6L160P0 rev.BAJ41G10 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
     device: opened successfully
     user: MBR read successfully
     Disk trace:
     called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86135555]<<
     _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8613b7b0]; MOV EAX, [0x8613b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
     1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x860F1AB8]
     3 CLASSPNP[0xF7640FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000006d[0x86147F18]
     5 ACPI[0xF74D7620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8615CD98]
     \Driver\atapi[0x861439C8] -> IRP_MJ_CREATE -> 0x86135555
     kernel: MBR read successfully
     _asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB; JMP FAR 0x7a0:0x5c; }
     detected disk devices:
     \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6L160P0__________________________BAJ41G10#334c41313159475120 2020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
     detected hooks:
     \Driver\atapi DriverStartIo -> 0x8613539B
     user & kernel MBR OK
     Warning: possible TDL3 rootkit infection !
     **************************************************************************
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
     "ImagePath"="\??\c:\windows\system32\3.tmp"
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'winlogon.exe'(756)
     c:\windows\system32\WININET.dll
     - - - - - - - > 'lsass.exe'(816)
     c:\windows\system32\WININET.dll
     c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
     - - - - - - - > 'explorer.exe'(4020)
     c:\windows\system32\WININET.dll
     c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\system32\DRIVERS\CDANTSRV.EXE
     c:\program files\Common Files\LightScribe\LSSrvc.exe
     c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     c:\windows\system32\nvsvc32.exe
     c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
     c:\windows\system32\wdfmgr.exe
     c:\program files\UPSMON\UPSMON_Service.Exe
     c:\program files\UPSMON\UPSInt2.exe
     .
     **************************************************************************
     .
     Completion time: 2011-01-03 10:16:30 - machine was rebooted
     ComboFix-quarantined-files.txt 2011-01-03 15:16
     ComboFix2.txt 2010-12-31 18:59
     Pre-Run: 88,065,761,280 bytes free
     Post-Run: 88,115,363,840 bytes free
     - - End Of File - - F76D84FE23B4080128789EAB62B7FDFE

     --Bryan
  6. Thanks. Looks like it found something, but I'm still seeing blocked IP addresses. I've attached the log from Combofix.exe. --Bryan log.txt
  7. AntiMalware is constantly telling me it's blocking outgoing connections, even when I'm not actively surfing or anything. While I was running the requested scans and Firefox was just resting on this forum (where I was reading the instructions) AntiMalware kept telling me about blocked IP addresses. I'm glad it's blocking them, but I have to think I still have some sort of malware on my system that's causing this. I notice the messages mostly when I have a browser running, but not exclusively then. I believe I've attached all the requested logs. --Bryan attach.zip
  8. From the logs, it looks like my son chose to "allow" a worm that Anti-malware detected, causing me to stay up until about 5 a.m. to clean it and everything else it let in off my PC. I'd love to be able to password-protect the "Allow" option so he can't do that again. -- Bryan