Hello! Well, I've tried to fix it myself and I'm stumped. My Google searches were redirecting, popups kept reoccurring, I lost my Start menu, Run, Settings, etc., and none of my programs would run because the 2012 fake protection thing claimed they were all infected.

What I've done so far: TDSSKiller multiple times, downloaded Malwarebytes (great program, by the way, thanks guys), OTS and DDS logs.

I also found a key online for the 2012 fake protection thing that it accepted, so it stopped hassling me. I did some registry fixes I found on other people's posts here on this site. I also deleted Firefox and installed the newest version.

I also downloaded GMER under the name zg6cb281.exe and had it scan, but didn't do anything with the results.

Where it is now: my Start menu functions are back, I can run programs, and the internet is back up and running.

Errors include:

1. Malwarebytes blocking random address numbers, only when an internet browser is up.

2. A Flash installer popping up frequently that I don't believe is real.

3. Start menu > All Programs is back, but each individual folder is EMPTY except for new things I've installed, like Malwarebytes.

4. TDSSKiller continues to find an infection with i8042prt.sys and tries to cure it each time.

5. ping.exe (something I never saw before in my Task Manager) continues to come back and increases in comp usage over time until I kill it again.

Below are my logs for Malwarebytes, DDS, and OTL.

Malwarebytes Log

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8271

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

11/29/2011 1:57:01 PM

mbam-log-2011-11-29 (13-57-01).txt

Scan type: Quick scan

Objects scanned: 194472

Time elapsed: 16 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS Log

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24

Run by Josef at 13:02:11 on 2011-11-29

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2294 [GMT -8:00]

.

AV: VirusScan Enterprise + AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Josef\My Documents\Downloads\OTL.exe

C:\WINDOWS\System32\ping.exe

C:\WINDOWS\notepad.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [PathNvidiaTV] c:\program files\gigabyte\nvidia\patchnvidiaTVout.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxps://vdi.coa.gatech.edu/downloads/VMware-viewclient.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{76E38801-4FE4-4302-93FC-161D4E451D3D} : DhcpNameServer = 192.168.2.1

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

AppInit_DLLs: acaptuser32.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\josef\application data\mozilla\firefox\profiles\o3g21vep.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\josef\application data\mozilla\firefox\profiles\o3g21vep.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npProductDetectPlugin.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video

FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: HP Detect: {ab91efd4-6975-4081-8552-1b3922ed79e2} - %profile%\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}

.

============= SERVICES / DRIVERS ===============

.

R?2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2010-10-22 147984]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-12-3 344712]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-27 366152]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2010-10-22 22816]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-8-25 103744]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2010-10-22 66880]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-12-3 69192]

R2 wsnm;VMware View Client Service;c:\program files\vmware\vmware view\client\bin\wsnm.exe [2010-2-10 151552]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-27 22216]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-3 136176]

S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2011-4-19 23456]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-3 136176]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-12-3 91896]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-12-3 43192]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-12-3 66536]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

.

=============== Created Last 30 ================

.

2011-11-29 14:01:28 0 ---ha-w- c:\documents and settings\josef\local settings\application data\BIT8.tmp

2011-11-29 05:19:04 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-11-29 05:04:01 -------- d-----w- C:\_OTL

2011-11-28 20:04:55 -------- d-----w- C:\TDSSKiller_Quarantine

2011-11-28 05:15:02 -------- d-----w- c:\documents and settings\josef\application data\Malwarebytes

2011-11-28 05:14:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-28 05:14:51 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-28 05:14:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-28 04:39:22 -------- d-----w- c:\documents and settings\josef\application data\SUPERAntiSpyware.com

2011-11-28 04:38:37 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-11-28 04:38:37 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-11-16 09:36:54 231936 ---ha-w- c:\windows\system32\SNWValid.dll

2011-11-16 09:36:54 1053184 ---ha-w- c:\windows\system32\SierraNW.dll

2011-11-16 09:36:51 -------- d--h--w- c:\windows\solcache

2011-11-16 09:34:41 -------- d--h--w- C:\SIERRA

2011-11-16 09:34:41 -------- d-----w- c:\program files\Sierra On-Line

.

==================== Find3M ====================

.

2011-09-28 07:06:50 599040 ---ha-w- c:\windows\system32\crypt32.dll

2011-09-09 03:15:39 233812 ---ha-w- c:\windows\system32\nvdrsdb0.bin

2011-09-09 03:15:39 1 ---ha-w- c:\windows\system32\nvdrssel.bin

2011-09-09 03:15:38 233812 ---ha-w- c:\windows\system32\nvdrsdb1.bin

2011-09-06 13:20:51 1858944 ---ha-w- c:\windows\system32\win32k.sys

2011-09-05 13:56:22 667136 ---ha-w- c:\windows\system32\wininet.dll

2011-09-05 13:56:22 61952 ---ha-w- c:\windows\system32\tdc.ocx

2011-09-05 13:56:21 81920 ---ha-w- c:\windows\system32\ieencode.dll

2011-09-05 12:35:09 369664 ---ha-w- c:\windows\system32\html.iec

.

============= FINISH: 13:02:48.46 ===============

OTL Log

OTL logfile created on: 11/29/2011 12:24:40 PM - Run 2

OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Josef\My Documents\Downloads

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.53 Gb Available Physical Memory | 77.74% Memory free

7.09 Gb Paging File | 6.47 Gb Available in Paging File | 91.30% Paging File free

Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 465.76 Gb Total Space | 424.07 Gb Free Space | 91.05% Space Free | Partition Type: NTFS

Drive D: | 34.46 Gb Total Space | 0.57 Gb Free Space | 1.64% Space Free | Partition Type: NTFS

Drive E: | 74.53 Gb Total Space | 22.09 Gb Free Space | 29.64% Space Free | Partition Type: NTFS

Drive F: | 604.23 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive G: | 3.73 Gb Total Space | 0.10 Gb Free Space | 2.67% Space Free | Partition Type: FAT32

Computer Name: MOXY | User Name: Josef | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Josef\My Documents\Downloads\zg6cb281.exe ()

PRC - C:\Documents and Settings\Josef\My Documents\Downloads\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)

PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

PRC - C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)

PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe (McAfee, Inc.)

PRC - C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe (VMware, Inc.)

PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\WINDOWS\system32\ping.exe (Microsoft Corporation)

========== Modules (No Company Name) ==========

MOD - C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll ()

MOD - C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll ()

MOD - C:\Documents and Settings\Josef\My Documents\Downloads\zg6cb281.exe ()

MOD - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

MOD - C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL ()

MOD - C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll ()

MOD - C:\Program Files\Mozilla Firefox\js3250.dll ()

MOD - C:\Program Files\NVIDIA Corporation\nView\nvShell.dll ()

MOD - C:\Program Files\McAfee\Common Framework\boost_thread-vc71-mt-1_32.dll ()

MOD - \\?\globalroot\systemroot\system32\mswsock.dll ()

MOD - \\.\globalroot\systemroot\system32\mswsock.dll ()

MOD - C:\Program Files\McAfee\Common Framework\cryptocme2.dll ()

========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found

SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)

SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe (McAfee, Inc.)

SRV - (mfevtp) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)

SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (McAfee, Inc.)

SRV - (McAfeeEngineService) -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe (McAfee, Inc.)

SRV - (SwitchBoard) -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)

SRV - (wsnm) -- C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe (VMware, Inc.)

SRV - (McComponentHostService) -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (McAfee, Inc.)

SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)

========== Driver Services (SafeList) ==========

DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)

DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (DrvAgent32) -- C:\WINDOWS\system32\drivers\DrvAgent32.sys (Phoenix Technologies)

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)

DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)

DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (nvatabus) -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys (NVIDIA Corporation)

DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)

DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)

DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)

DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)

DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)

DRV - (Si3114r5) -- C:\WINDOWS\system32\DRIVERS\Si3114r5.sys (Silicon Image, Inc)

DRV - (GVCplDrv) -- C:\WINDOWS\System32\drivers\GVCplDrv.sys ()

DRV - (SiFilter) -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc.)

DRV - (irsir) -- C:\WINDOWS\system32\drivers\irsir.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"

FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.0.900

FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.0.900

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {ab91efd4-6975-4081-8552-1b3922ed79e2}:1.0.5.1

FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX OVS Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/02/03 16:45:42 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/02/03 16:45:42 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.24\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/11 07:06:38 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.24\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/11 07:06:38 | 000,000,000 | ---D | M]

[2010/12/07 19:49:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Josef\Application Data\Mozilla\Extensions

[2011/11/29 06:11:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Josef\Application Data\Mozilla\Firefox\Profiles\o3g21vep.default\extensions

[2011/01/01 23:04:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Josef\Application Data\Mozilla\Firefox\Profiles\o3g21vep.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2011/04/14 16:36:41 | 000,000,000 | ---D | M] (HP Detect) -- C:\Documents and Settings\Josef\Application Data\Mozilla\Firefox\Profiles\o3g21vep.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}

[2011/11/28 21:01:26 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2011/03/13 18:55:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

[2011/02/03 16:45:42 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\HTML5VIDEO

[2011/02/03 16:45:42 | 000,000,000 | ---D | M] (DivX HiQ) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\WPA

[2011/03/13 18:54:53 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

[2011/03/13 18:54:50 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

Hosts file not found

O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)

O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [PathNvidiaTV] C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe File not found

O4 - HKLM..\Run: [shStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)

O4 - HKLM..\Run: [soundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)

O4 - HKCU..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0

O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - mswsock.dll File not found

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.)

O16 - DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} https://vdi.coa.gatech.edu/downloads/VMware-viewclient.cab (VMware_VDM_Client Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{76E38801-4FE4-4302-93FC-161D4E451D3D}: DhcpNameServer = 192.168.2.1

O20 - AppInit_DLLs: (acaptuser32.dll) -C:\WINDOWS\System32\acaptuser32.dll (Adobe Systems, Inc.)

O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/12/03 11:28:45 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2003/09/06 16:29:11 | 000,000,000 | -H-- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2003/11/11 13:22:24 | 000,000,047 | -H-- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [1998/09/09 14:03:47 | 000,000,000 | R--D | M] - F:\Autorun -- [ CDFS ]

O32 - AutoRun File - [1998/05/27 03:08:02 | 000,156,672 | R--- | M] () - F:\autorun.exe -- [ CDFS ]

O32 - AutoRun File - [1998/08/27 12:12:00 | 000,000,317 | R--- | M] () - F:\autorun.inf -- [ CDFS ]

O33 - MountPoints2\{32f13a3c-ff16-11df-a00a-806d6172696f}\Shell - "" = AutoRun

O33 - MountPoints2\{32f13a3c-ff16-11df-a00a-806d6172696f}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{32f13a3c-ff16-11df-a00a-806d6172696f}\Shell\AutoRun\command - "" = F:\autorun.exe -- [1998/05/27 03:08:02 | 000,156,672 | R--- | M] ()

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O35 - HKCU\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/28 21:19:04 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2011/11/28 21:04:01 | 000,000,000 | ---D | C] -- C:\_OTL

[2011/11/28 12:39:39 | 000,414,368 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

[2011/11/28 12:04:55 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine

[2011/11/27 21:27:27 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Josef\Recent

[2011/11/27 21:15:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Josef\Application Data\Malwarebytes

[2011/11/27 21:14:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

[2011/11/27 21:14:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2011/11/27 21:14:51 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2011/11/27 21:14:51 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2011/11/27 20:39:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Josef\Application Data\SUPERAntiSpyware.com

[2011/11/27 20:38:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware

[2011/11/27 20:38:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

[2011/11/27 20:38:37 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

[2011/11/27 20:31:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun

[2011/11/27 19:21:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC

[2011/11/16 21:23:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth

[2011/11/16 01:36:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sierra

[2011/11/16 01:36:54 | 001,053,184 | -H-- | C] (Cendant Software) -- C:\WINDOWS\System32\SierraNW.dll

[2011/11/16 01:36:54 | 000,231,936 | -H-- | C] (Cendant Software) -- C:\WINDOWS\System32\SNWValid.dll

[2011/11/16 01:36:51 | 000,000,000 | -H-D | C] -- C:\WINDOWS\solcache

[2011/11/16 01:34:41 | 000,000,000 | -H-D | C] -- C:\SIERRA

[2011/11/16 01:34:41 | 000,000,000 | ---D | C] -- C:\Program Files\Sierra On-Line

[2011/11/13 16:24:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Josef\Desktop\construction pics

[1 C:\Documents and Settings\Josef\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Josef\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/11/29 12:22:03 | 000,000,884 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2011/11/29 09:14:45 | 000,000,880 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2011/11/29 09:14:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/11/29 08:12:08 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2011/11/29 06:25:00 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Josef\Local Settings\Application Data\{375F3F81-C89A-4EBD-B2EF-952D7011D67C}

[2011/11/29 06:01:34 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Josef\Local Settings\Application Data\{4D9E0D14-B807-4730-B726-50D35D82E2C7}

[2011/11/28 17:03:40 | 000,000,410 | -H-- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for Josef.job

[2011/11/28 17:00:01 | 000,000,390 | -H-- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job

[2011/11/28 15:01:17 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2011/11/28 12:39:39 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

[2011/11/27 23:26:38 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\Josef\Desktop\firefox.lnk

[2011/11/27 21:14:55 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2011/11/27 20:34:18 | 000,000,096 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\avbase.dat

[2011/11/27 20:28:27 | 000,000,812 | ---- | M] () -- C:\Documents and Settings\Josef\My Documents\fix3.reg

[2011/11/27 20:11:02 | 000,002,600 | ---- | M] () -- C:\Documents and Settings\Josef\My Documents\xp_exe_fix.reg

[2011/11/27 20:06:40 | 000,000,354 | ---- | M] () -- C:\Documents and Settings\Josef\My Documents\fix2.reg

[2011/11/27 19:51:54 | 000,000,235 | -HS- | M] () -- C:\boot.ini

[2011/11/27 19:47:36 | 000,015,732 | -HS- | M] () -- C:\Documents and Settings\Josef\Local Settings\Application Data\121518b2t827b281r656r4vbi8m1

[2011/11/27 19:34:20 | 000,002,278 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011/11/27 04:58:14 | 000,000,372 | -H-- | M] () -- C:\WINDOWS\tasks\RegCure.job

[2011/11/27 02:00:00 | 000,000,342 | -H-- | M] () -- C:\WINDOWS\tasks\AdobeAAMUpdater-1.0-MOXY-Josef.job

[2011/11/16 01:41:45 | 000,000,436 | ---- | M] () -- C:\WINDOWS\SIERRA.INI

[2011/11/16 00:51:45 | 000,000,936 | ---- | M] () -- C:\Documents and Settings\Josef\Desktop\internet settings.rtf

[2011/11/06 09:15:35 | 000,432,686 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2011/11/06 09:15:35 | 000,067,516 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat

[1 C:\Documents and Settings\Josef\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Josef\Local Settings\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/11/29 06:25:00 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Josef\Local Settings\Application Data\{375F3F81-C89A-4EBD-B2EF-952D7011D67C}

[2011/11/29 06:01:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Josef\Local Settings\Application Data\{4D9E0D14-B807-4730-B726-50D35D82E2C7}

[2011/11/27 23:26:08 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\Josef\Desktop\firefox.lnk

[2011/11/27 21:14:55 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2011/11/27 20:34:18 | 000,000,096 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\avbase.dat

[2011/11/27 20:28:27 | 000,000,812 | ---- | C] () -- C:\Documents and Settings\Josef\My Documents\fix3.reg

[2011/11/27 20:11:06 | 000,002,600 | ---- | C] () -- C:\Documents and Settings\Josef\My Documents\xp_exe_fix.reg

[2011/11/27 20:05:53 | 000,000,354 | ---- | C] () -- C:\Documents and Settings\Josef\My Documents\fix2.reg

[2011/11/27 19:09:23 | 000,015,732 | -HS- | C] () -- C:\Documents and Settings\Josef\Local Settings\Application Data\121518b2t827b281r656r4vbi8m1

[2011/11/16 01:34:20 | 000,000,436 | ---- | C] () -- C:\WINDOWS\SIERRA.INI

[2011/11/11 10:59:18 | 000,000,936 | ---- | C] () -- C:\Documents and Settings\Josef\Desktop\internet settings.rtf

[2011/09/09 14:57:11 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2011/07/04 16:25:05 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Josef\Local Settings\Application Data\{AFB50678-5DF0-4B42-B90B-02BA62A0318F}

[2011/07/04 08:48:39 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Josef\Local Settings\Application Data\{C0B7FCB7-7664-4055-ADBA-016632E2F4D0}

[2011/07/04 08:48:39 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Josef\Local Settings\Application Data\{0D8DF1D8-6A78-4279-992E-D8AE9E4BB69A}

[2011/06/24 14:25:34 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Josef\Application Data\Adobe BMP Format CS5 Prefs

[2011/06/21 07:45:01 | 000,139,530 | ---- | C] () -- C:\WINDOWS\hpoins21.dat.temp

[2011/06/21 07:45:01 | 000,007,262 | ---- | C] () -- C:\WINDOWS\hpomdl21.dat.temp

[2011/06/15 08:53:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Josef\Local Settings\Application Data\{AD4C5769-2380-43D7-AB04-F1E0457AEE14}

[2011/06/15 08:53:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Josef\Local Settings\Application Data\{7C2B49EA-3D60-4837-8BD8-0101EA6EFB6C}

[2011/04/24 00:40:36 | 000,001,456 | ---- | C] () -- C:\Documents and Settings\Josef\Local Settings\Application Data\Adobe Save for Web 12.0 Prefs

[2011/04/14 16:52:52 | 000,130,893 | ---- | C] () -- C:\WINDOWS\hpoins21.dat

[2011/04/14 16:52:52 | 000,008,252 | ---- | C] () -- C:\WINDOWS\hpomdl21.dat

[2011/03/27 12:03:16 | 000,000,530 | ---- | C] () -- C:\WINDOWS\eReg.dat

[2011/02/27 10:52:56 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Josef\Application Data\Adobe IllExport Filter CS5 Prefs

[2011/01/09 17:08:41 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Josef\Application Data\Adobe PNG Format CS5 Prefs

[2010/12/29 10:40:47 | 000,574,648 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2010/12/07 21:04:44 | 000,233,812 | -H-- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin

[2010/12/07 21:04:33 | 000,233,812 | -H-- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin

[2010/12/07 21:04:33 | 000,000,001 | -H-- | C] () -- C:\WINDOWS\System32\nvdrssel.bin

[2010/12/07 19:49:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2010/12/03 21:39:21 | 000,026,488 | -H-- | C] () -- C:\WINDOWS\System32\spupdsvc.exe

[2010/12/03 11:51:53 | 000,024,576 | RH-- | C] () -- C:\WINDOWS\System32\NVRTClk.exe

[2010/12/03 11:51:36 | 000,023,040 | RH-- | C] () -- C:\WINDOWS\System32\drivers\GVCplDrv.sys

[2010/12/03 11:50:11 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Josef\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/12/03 11:49:46 | 000,165,376 | -H-- | C] () -- C:\WINDOWS\System32\unrar.dll

[2010/12/03 11:42:52 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini

[2010/12/03 11:42:48 | 000,156,672 | -H-- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll

[2010/12/03 11:42:48 | 000,040,960 | -H-- | C] () -- C:\WINDOWS\System32\ChCfg.exe

[2010/12/03 11:32:02 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2010/12/03 11:25:04 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2010/12/03 00:20:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2010/12/03 00:17:39 | 003,503,000 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/07/10 05:38:00 | 002,195,030 | -H-- | C] () -- C:\WINDOWS\System32\nvdata.bin

[2008/04/14 04:00:00 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin

[2008/04/14 04:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat

[2008/04/14 04:00:00 | 000,432,686 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2008/04/14 04:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2008/04/14 04:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat

[2008/04/14 04:00:00 | 000,067,516 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2008/04/14 04:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin

[2008/04/14 04:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2008/04/14 04:00:00 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat

[2008/04/14 04:00:00 | 000,004,461 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat

[2008/04/14 04:00:00 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\Dcache.bin

[2008/04/14 04:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat

[2005/02/23 15:32:00 | 000,540,672 | -H-- | C] () -- C:\WINDOWS\System32\nvhwvid.dll

========== LOP Check ==========

[2010/12/29 09:10:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk

[2010/12/08 14:32:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite

[2010/12/28 00:47:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McNeel

[2011/09/09 14:46:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegCure

[2011/01/02 23:04:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe

[2010/12/29 09:15:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TSplines

[2010/12/29 09:11:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Josef\Application Data\Autodesk

[2011/11/15 15:15:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Josef\Application Data\BitTorrent

[2011/01/02 14:33:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Josef\Application Data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2010/12/10 04:02:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Josef\Application Data\DAEMON Tools Lite

[2010/12/28 00:02:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Josef\Application Data\Local

[2011/02/24 07:10:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Josef\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

[2011/03/10 15:41:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Josef\Application Data\uPlayer

[2011/11/28 17:00:01 | 000,000,390 | -H-- | M] () -- C:\WINDOWS\Tasks\RegCure Program Check.job

[2011/11/27 04:58:14 | 000,000,372 | -H-- | M] () -- C:\WINDOWS\Tasks\RegCure.job

========== Purity Check ==========

< End of report >


Hello and :welcome:

Unfortunately you have a nasty rootkit on your computer. Before starting the cleaning process, please read the following.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[Image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


I'd rather just do the new install thing... I'm not computer literate though, and I don't have a Windows CD (this computer was built for me at school by a CS guy I knew.)

I can go buy a windows CD or whatever else I need. I would like to know the steps to ensure I keep my data and also the steps to install/download whatever protections I need to make sure this won't happen again, and/or if it does happen that there would be an easier cleaner way of resolving it.

I have 3 hard drives right now, so I assume I can just copy and paste my files onto one of the other two in order to wipe the C drive for a new install?


If you want to copy files I really recommend you to go with the cleaning for now to make sure you will not accidentally back up infected files. Once all active infections are gone, you can safely copy data and reformat then. If you have no recovery partition you will indeed need a Windows CD for that.


If you want to copy files I really recommend you to go with the cleaning for now to make sure you will not accidentally back up infected files. Once all active infections are gone, you can safely copy data and reformat then. If you have no recovery partition you will indeed need a Windows CD for that.

I am back!!! whahaha... Ok, so I went to Microcenter and got Windows 7 (also got some new parts for early Christmas... don't tell the wife)

Anywho, I took my 3rd drive (did not have windows on it) and threw everything I wanted into a folder on the 1st drive (the one with the infected windows)

Then I shut down, installed the new parts, restarted, loaded Windows on the 3rd drive (now my main, I suppose), and am typing this.

I have a few questions, can my other two drives somehow "infect" my new clean windows install on the 3rd drive?

If so, how do I stop that from happening?

If I know what a file is... say Plan_1stflr_1477 Ponce Natatorium.dwg ... can it somehow be "infected"?

Or should I only be worried about random files that were the problem?

I guess what I'm asking is, can't I just grab all of my stuff, dwg files, doc files, excel, the like, without worrying about the "infection" as long as I don't copy exe files or any programs from the old comp and do fresh reinstalls of all my programs???

2nd question: how do you update things? I've heard you're supposed to update drivers but I don't really know what that means. I can plumb a house, construct a wall, put the hardware for computers or my 1997 Toyota together, but when we get to software I just don't know what to do.

3rd question: what programs besides Malwarebytes should I download and be running to protect me in the future?

Thanks so much for your quick responses, I'm just so happy I have a working computer again.

~itisme


Also, if I've never saved/stored passwords on the computer or with an internet browser when it asks if you want to save them... and I've always manually typed them in, is there a way they could have gotten my passwords?

I'm guessing a lot of my questions seem obvious, sorta like sweating copper pipe: once you know how, you can't think how anyone would do it differently. But thanks for being patient.


First, about the passwords: theoretically it is possible, but practically I think the chance is very, very slim.

I have a few questions, can my other two drives somehow "infect" my new clean windows install on the 3rd drive?
No, but I would definitely reformat the drive that contained your old windows installation, as that one has been compromised. Just to be sure. :)
If I know what a file is... say Plan_1stflr_1477 Ponce Natatorium.dwg ... can it somehow be "infected"?

Or should I only be worried about random files that were the problem?

Legit files can be infected, however in this case I did not see any evidence of a file infector (if one is present, backing up data is not recommended for fear of reinfection).
I guess what I'm asking is, can't I just grab all of my stuff, dwg files, doc files, excel, the like, without worrying about the "infection" as long as I don't copy exe files or any programs from the old comp and do fresh reinstalls of all my programs???
Yes, that is fine. Just to be sure, you could scan the content of your backup with an antivirus.
2nd question, How do you update things? I've heard you're supposed to update drivers but I don't really know what that means. I can plumb a house, construct a wall, put the hardware for computers or my 1997 toyota together, but when we get to software I just don't know what to do.
While it is extremely important to keep software like Windows, antivirus, Java, Adobe and such updated, I am not a fan of driver updates. If a device works okay, no need to update its driver (if it ain't broke, don't fix it...).

See also below. An excellent means to make sure all important software stays up to date is Secunia PSI, which is a free program.

I think the information below should address your other question, if not, just let me know!

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide a resident shield and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:
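The reply above says data files (.dwg, .doc, .xls) can be copied off the compromised drive as long as no executables or programs come with them, and suggests scanning the backup. The script below is an added example (not code from the forum or from any tool named in the thread) that triages such a backup folder: it lists files with executable extensions, and also catches executables that were renamed to look like data by checking the "MZ" header instead of trusting the extension. The folder layout and the sample files it builds are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Triage a data backup taken from a compromised Windows drive.

Every file under the backup root is sorted into one of three buckets:
  executable - the extension is one Windows runs directly (exe, dll, scr, ...)
  disguised  - a data-looking extension (.dwg, .doc, ...) but the content
               starts with the DOS/PE "MZ" signature, i.e. it is a program
  data       - everything else (still worth an antivirus scan before use)
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions Windows executes directly or through a script host. A pure data
# backup should carry none of these; programs get reinstalled from clean media.
EXECUTABLE_EXTS = {
    ".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl", ".ocx",
    ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
    ".hta", ".msi", ".lnk", ".job", ".reg",
}


def is_pe_image(path: Path) -> bool:
    """True if the file starts with the 'MZ' signature that every Windows
    executable (EXE, DLL, SYS, SCR, ...) begins with, whatever its name says."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def triage_backup(root: Path) -> Dict[str, List[str]]:
    """Classify every file under root; returns bucket -> sorted relative paths."""
    buckets: Dict[str, List[str]] = {"executable": [], "disguised": [], "data": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.suffix.lower() in EXECUTABLE_EXTS:
                buckets["executable"].append(rel)
            elif is_pe_image(p):
                buckets["disguised"].append(rel)
            else:
                buckets["data"].append(rel)
    for paths in buckets.values():
        paths.sort()
    return buckets


def build_sample_backup(root: Path) -> None:
    """Constructed fixture: a real-looking drawing ("AC1024" is the DWG
    version tag), a text note, a stray installer, and a program renamed
    to .dwg so that the extension alone would let it through."""
    (root / "plans").mkdir(parents=True, exist_ok=True)
    (root / "plans" / "Plan_1stflr.dwg").write_bytes(b"AC1024" + b"\0" * 64)
    (root / "notes.txt").write_text("material list\n")
    (root / "setup.exe").write_bytes(b"MZ" + b"\0" * 126)
    (root / "plans" / "Natatorium.dwg").write_bytes(b"MZ" + b"\0" * 126)


def demo() -> Dict[str, List[str]]:
    """Build the sample backup in a temporary folder and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_backup(root)
        return triage_backup(root)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}:")
        for rel in paths:
            print("   ", rel)
```

Point `triage_backup` at the real backup folder instead of `demo()`; anything in the executable or disguised buckets should be left behind and the rest scanned before it is copied to the new installation.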


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
