Possible TDSS Rootkit Infection - Need Help Please


Dec 22, 2009

Hi all! Sorry to drop my troubles on you so close to the holidays, but I hope someone out there can help me...

On Dec 18, I awoke to find on my computer an alert from CA Anti-Spyware that I had gotten infected with the following:

-------------------------------------------------------------------------------

Infected Item: C:\WINDOWS\system32\tdlcmd.dll

Infection: Win32/TDSS!packed

-------------------------------------------------------------------------------

This had been appearing regularly every two hours throughout the night and CA was quarantining it successfully (I suppose). I searched CA's website and found little info beyond the fact that I had a problem that couldn't be eradicated. After a day of quarantining and deleting, CA caught "Win32/TDSS!packed" once in the following location:

-------------------------------------------------------------------------------

Infected Item: A0097809.dll

Location: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP939

Infection: Win32/TDSS!packed

-------------------------------------------------------------------------------

and thereafter only in its original form as C:\WINDOWS\system32\tdlcmd.dll

This has been going on since that day, as I was doing research on this problem and trying to find a fix, until I finally physically disconnected my system from the internet. The constant alerts have stopped but I have many problems remaining.

- I cannot boot into Safe mode (I'm running XP sp3)

- I cannot restore to an earlier point

- I'm getting Google searches redirected. (From my browser history, I can see that something is trying to take me to nuisance websites [e.g. "Download Fartsounds Now!"] but my pop-up blocker or something is snapping me right back to the Google search window. I can still successfully surf by cutting and pasting the URL or by opening a new site in a new tab.)

- I'm getting an increased amount of spam from legitimate commercial sites that are similar to actual sites I have visited (e.g. adult education schools) [something's tracking my history]

Following advice on a CA forum, I disabled my system restore and cleaned out my temp internet folder and recycle bin, but as I was unable to reboot to safe mode I was unable to follow through.

From the CA forum I was pointed to Prevx and malwarebytes.org

-----

Prevx 3.0 found and removed "trojan.downloader"

-----

Various Mbam scans found and removed the following:

Registry Keys Infected:

HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe cpcp.cpo bef0regiiav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Files Infected:

K:\autorun.inf (Worm.Agent.H) -> Quarantined and deleted successfully.

-----

Current Mbam scans were clean but my problems persisted, so I ran some of the scans suggested in your forums:

GMER:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2009-12-22 02:42:04

Windows 5.1.2600 Service Pack 3

Running: cft7el00.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwlyqpod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xBA2A91CC]

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ZwCreateKey [0xB4DF76EA]

SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) ZwCreateSection [0xB62D2FD2]

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ZwCreateSymbolicLinkObject [0xB4DF840B]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0xBA2A9206]

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ZwMakeTemporaryObject [0xB4DF875C]

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ZwOpenKey [0xB4DF764E]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0xBA2A951A]

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ZwOpenSection [0xB4DF8130]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0xBA2A93F6]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xBA2A9292]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0xBA2A918E]

SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) ZwSetInformationProcess [0xB62D2662]

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ZwSetSystemInformation [0xB4DF8538]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateProcess [0xBA2A964E]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0xBA2A9316]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0xBA2A934E]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs kmxagent.sys (HIPS Agent Driver/CA)

AttachedDevice \FileSystem\Ntfs \Ntfs KmxFile.sys (HIPS File Guard driver/CA)

AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

AttachedDevice \FileSystem\Ntfs \Ntfs VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

Device \Driver\Tcpip \Device\Ip kmxfw.sys (HIPS Firewall Driver/CA)

Device \Driver\Tcpip \Device\Tcp kmxfw.sys (HIPS Firewall Driver/CA)

AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)

Device \Driver\atapi \Device\Ide\IdePort0 [b9F22B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [b9F22B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device \Driver\atapi \Device\Ide\IdePort1 [b9F22B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device \Driver\atapi \Device\Ide\IdePort2 [b9F22B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device \Driver\atapi \Device\Ide\IdePort3 [b9F22B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 [b9F22B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device \Driver\Modem \Device\00000093 kmxfw.sys (HIPS Firewall Driver/CA)

Device \Driver\Tcpip \Device\Udp kmxfw.sys (HIPS Firewall Driver/CA)

Device \Driver\Tcpip \Device\RawIp kmxfw.sys (HIPS Firewall Driver/CA)

Device \Driver\Tcpip \Device\IPMULTICAST kmxfw.sys (HIPS Firewall Driver/CA)

Device \Driver\AFD \Device\Afd KmxCF.sys (HIPS Content Filter Driver/CA)

AttachedDevice \FileSystem\Fastfat \Fat kmxagent.sys (HIPS Agent Driver/CA)

AttachedDevice \FileSystem\Fastfat \Fat KmxFile.sys (HIPS File Guard driver/CA)

AttachedDevice \FileSystem\Fastfat \Fat VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

Device \FileSystem\Cdfs \Cdfs B3320400

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

A ROOTREPEAL scan of my entire system including two external USB hard drives (K: & L: - with FAT file systems) found an MBR rootkit, but this was the only program that did so:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/12/20 21:32

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\Y564AEXV.V5L\9CH77D92.73L\manifests\Interop.IWshRuntimeLibrary.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\Y564AEXV.V5L\9CH77D92.73L\manifests\Interop.IWshRuntimeLibrary.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\Y564AEXV.V5L\9CH77D92.73L\manifests\RapidShareManager.exe.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\Y564AEXV.V5L\9CH77D92.73L\manifests\RapidShareManager.exe.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\Y564AEXV.V5L\9CH77D92.73L\manifests\RapidShareManager.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\Y564AEXV.V5L\9CH77D92.73L\manifests\RapidShareManager.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\Y564AEXV.V5L\9CH77D92.73L\manifests\RapidShareManager.resources.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\Y564AEXV.V5L\9CH77D92.73L\manifests\RapidShareManager.resources.manifest

Status: Locked to the Windows API!

Path: Volume K:\

Status: MBR Rootkit Detected!

Path: Volume K:\, Sector 61

Status: Sector mismatch

Path: K:\

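The GMER output above is the most useful evidence in this post: the SSDT hooks are all owned by the CA and Prevx drivers the poster has installed, while the six `atapi.sys` device lines share one hook address in an "unknown section" and the file itself is flagged as modified. The following script is an added example, not code from the post or from the GMER project. It parses log text in the format shown above and separates hooks owned by vendors assumed to be expected on this machine (CA and Prevx, the two products the post lists; the vendor set is an assumption) from hooks and file changes that point at a tampered system driver. The sample log reuses lines from the post plus one constructed SSDT line for a made-up vendor.

```python
"""Triage of a GMER rootkit-scan log.

Added example, not code from the post or from the GMER project: it
parses log text in the format shown above and separates kernel hooks
owned by security products known to be on the machine (assumed here to
be CA Internet Security Suite and Prevx, the two the post lists) from
hooks and file changes that point at a tampered system driver.
"""
import re
from collections import Counter
from typing import Dict, List

# Vendor names GMER prints after the '/' in a module description.
# Assumption: these vendors are expected; any other SSDT hook is reported.
TRUSTED_VENDORS = {"CA", "Prevx", "Microsoft Corporation",
                   "Computer Associates International, Inc."}

# 'SSDT <module> (<description>/<vendor>) Zw<Function> [0xADDR]'
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+"
    r"(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
# 'Device <driver> <device> [ADDR] <module>[<section>] {<disassembly>}'
DEVICE_RE = re.compile(
    r"^(?:Attached)?Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>[^\[]+)\[(?P<section>[^\]]*)\]"
    r"\s*(?P<code>\{.*\})?$")
# 'File <path> suspicious modification'
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")


def parse_gmer(text: str) -> Dict[str, list]:
    """Return the SSDT hooks, inline device hooks and modified files in a log."""
    result: Dict[str, list] = {"ssdt": [], "device_hooks": [], "modified_files": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            vendor = m.group("desc").rsplit("/", 1)[-1].strip()
            result["ssdt"].append({
                "function": m.group("func"), "module": m.group("module"),
                "vendor": vendor, "trusted": vendor in TRUSTED_VENDORS})
            continue
        m = DEVICE_RE.match(line)
        if m:
            result["device_hooks"].append({
                "device": m.group("device"), "module": m.group("module").strip(),
                "address": m.group("addr").lower(), "section": m.group("section"),
                "code": m.group("code") or ""})
            continue
        m = FILE_RE.match(line)
        if m:
            result["modified_files"].append(m.group("path"))
    return result


def triage(text: str) -> List[str]:
    """Human-readable findings in priority order; empty means nothing stood out."""
    parsed = parse_gmer(text)
    findings: List[str] = []
    for hook in parsed["ssdt"]:
        if not hook["trusted"]:
            findings.append(
                f"SSDT hook on {hook['function']} by untrusted module "
                f"{hook['module']} ({hook['vendor']})")
    # One hooked driver object is listed once per device it owns, so the
    # six atapi lines in the post are a single hook: collapse the repeats.
    by_hook = Counter((h["module"], h["address"], h["section"])
                      for h in parsed["device_hooks"])
    for (module, addr, section), count in by_hook.items():
        where = ("outside any known section of the image"
                 if section == "unknown section" else f"in section {section}")
        findings.append(f"{module}: dispatch hook at {addr} {where}, "
                        f"seen on {count} device object(s)")
    for path in parsed["modified_files"]:
        findings.append(f"{path}: flagged by GMER as 'suspicious modification'")
    return findings


# Sample log: lines copied from the GMER output in the post, plus one
# constructed SSDT line for a made-up vendor to exercise the untrusted path.
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0xBA2A951A]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ZwCreateKey [0xB4DF76EA]
SSDT \SystemRoot\System32\drivers\zzexample.sys (Example driver/Example Vendor) ZwCreateFile [0xBA000000]
AttachedDevice \FileSystem\Ntfs \Ntfs kmxagent.sys (HIPS Agent Driver/CA)
Device \Driver\atapi \Device\Ide\IdePort0 [b9F22B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [b9F22B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [b9F22B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports three findings: the constructed untrusted SSDT hook, a single `atapi.sys` hook collapsed from its three device lines, and the modified `atapi.sys` file. The point of collapsing by (module, address, section) is that a scanner lists a hooked driver object once per device it serves, so a long list of identical lines is still one finding to chase, and the file-level "suspicious modification" on the same driver corroborates it.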

Hello Jonah6Whale8,

Your patience is appreciated. This forum is super-busy.

Do not do anything else on your own. Do not make changes or additions, or run anything without my guidance.

Do NOT try using Safe mode. Do not attempt to either use System Restore nor turn it off.

At some point later, we'll need to re-activate it. And turning it off is a bad idea.

The atapi.sys is likely infected and we'll have Combofix fix that.

You will want to print out or copy these instructions to Notepad for offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not Jonah6Whale8 and have a similar problem, do NOT post here; start your own topic

Next steps:

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Step 4

Disable your antivirus program and any real-time antimalware monitor program as well.

For directions on how, see this reference How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do not turn off your firewall.

  • Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :processes
    killallprocesses
    :files
    C:\WINDOWS\system32\tdlcmd.dll
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 5

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.


RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of OTL MovedFiles log

copy of contents of C:\Combofix.txt

and tell me, How is your system now ?

There will be more to do later.


Maurice -

A million thanks for your response! I am in the process of following your instructions - already ran ERUNT and am about to run TFC which will close me down and reboot.

Will reply as soon as I finish your procedures...

Again, my thanks !

OOPS! Just noticed your instruction:

"Do not attempt to either use System Restore nor turn it off.

At some point later, we'll need to re-activate it. And turning it off is a bad idea."

As per my original post, while following advice in the CA forum, I did turn off my system restore. Should I turn it back on now?? I await your answer before I proceed.


Cannot download ComboFix.exe despite name change. Get up to 99% download, then get error message:

"Cannot copy ComboFix[1]: Access is denied.

Make sure the disk is not full or write-protected and that the file is not currently in use."

Also at the same time my CA AntiVirus gives me an infection alert for "Win32/SillyDLPRR" or "Win32/SillyDl.PRR" and informs me I must reboot to permanently clean infected items, which I did. (My AV and Spyware were still on - In your Step #5 you say to disable AV and anti-spyware both before and after downloading Combo-Fix.exe - I figured one of these had to be wrong or extraneous so I left them on during the DL.)

Here is my OTL Log:

All processes killed

========== PROCESSES ==========

========== FILES ==========

File\Folder C:\WINDOWS\system32\tdlcmd.dll not found.

C:\RECYCLER\S-1-5-21-3232649838-2400106633-3930050485-1003 folder moved successfully.

C:\RECYCLER\S-1-5-21-1219026002-1398350807-613475608-1003 folder moved successfully.

C:\RECYCLER folder moved successfully.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Owner

->Temp folder emptied: 1704186 bytes

->Temporary Internet Files folder emptied: 5124461 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 7.00 mb

Restore point Set: OTL Restore Point (64424509440)

OTL by OldTimer - Version 3.1.20.1 log created on 12262009_194630

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

---End of File---

I await your reply. Thanks


That did the trick....

Ran ComboFix successfully! ComboFix.txt follows below:

ComboFix 09-12-26.01 - Owner 12/26/2009 21:31:31.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2431.2026 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it :)

.

((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))

.

2009-12-27 00:46 . 2009-12-27 00:46 -------- d-----w- C:\_OTL

2009-12-26 21:04 . 2009-12-26 21:04 -------- d-----w- c:\program files\ERUNT

2009-12-23 17:44 . 2009-12-23 17:44 -------- d-----w- c:\program files\Trend Micro

2009-12-22 15:50 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2009-12-19 19:56 . 2009-12-19 19:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-12-19 19:56 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-19 19:56 . 2009-12-19 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-19 19:56 . 2009-12-21 05:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-19 19:56 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-19 07:15 . 2009-12-19 07:15 -------- d-----w- c:\program files\Prevx

2009-12-18 21:09 . 2009-12-18 21:09 53136 ----a-w- c:\windows\system32\PxSecure.dll

2009-12-18 21:09 . 2009-12-18 21:09 47408 ----a-w- c:\windows\system32\drivers\pxrts.sys

2009-12-18 21:09 . 2009-12-18 21:09 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys

2009-12-18 21:09 . 2009-12-18 21:09 24496 ----a-w- c:\windows\system32\drivers\pxkbf.sys

2009-12-18 21:08 . 2009-12-19 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI

2009-12-01 10:15 . 2009-12-01 10:18 -------- d-----w- c:\program files\mp3DirectCut

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-27 02:40 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7

2009-12-27 02:40 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6

2009-12-27 02:40 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5

2009-12-27 02:40 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4

2009-12-27 02:40 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3

2009-12-27 02:40 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2

2009-12-27 02:40 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1

2009-12-27 02:40 . 2009-05-01 15:32 119882 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0

2009-12-19 08:40 . 2009-05-01 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\CA

2009-12-01 22:59 . 2006-09-26 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2009-12-01 16:45 . 2009-10-13 15:19 739696 ----a-w- c:\windows\system32\drivers\vetefile.sys

2009-12-01 16:45 . 2009-10-13 15:19 133520 ----a-w- c:\windows\system32\drivers\veteboot.sys

2009-12-01 16:45 . 2009-05-01 15:15 32240 ----a-w- c:\windows\system32\drivers\vetmonnt.sys

2009-12-01 16:45 . 2009-05-01 15:15 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys

2009-12-01 16:45 . 2009-05-01 15:15 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys

2009-12-01 16:45 . 2009-05-01 15:15 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys

2009-11-21 15:51 . 2004-08-26 16:11 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-11 11:22 . 2009-11-11 11:22 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys

2009-10-29 07:45 . 2004-08-26 16:12 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2004-08-26 16:12 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-26 16:11 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 15:19 . 2009-07-23 23:38 1541416 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll

2009-10-13 10:30 . 2004-08-26 16:12 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2004-08-26 16:12 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2004-08-26 16:12 79872 ----a-w- c:\windows\system32\raschap.dll

2009-09-30 17:49 . 2009-10-01 14:59 89600 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8ims8y8y.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit.dll

2009-09-30 17:49 . 2009-10-01 14:59 89088 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8ims8y8y.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit.3.1.dll

2009-09-28 18:20 . 2009-09-28 18:20 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll

2007-03-19 02:52 . 2007-03-19 02:51 8650 ----a-w- c:\program files\MXDB.DB

2007-03-19 02:51 . 2007-03-19 02:51 336 ----a-w- c:\program files\MXDB.bak

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-02 39408]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-07-03 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]

"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-17 7204864]

"nwiz"="nwiz.exe" [2005-09-17 1519616]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-17 86016]

"CHotkey"="zHotkey.exe" [2004-12-09 550912]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]

"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-11 98304]

"HostManager"="c:\program files\Common Files\AOL\1147354590\ee\AOLSoftware.exe" [2006-09-26 50736]

"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]

"medicsp2"="c:\program files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 198184]

"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-07-30 177392]

"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-05-01 14088]

"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-12-01 230664]

"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2009-05-01 1193200]

"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2009-05-01 173296]

"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2009-05-01 259312]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-05 198160]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-30 624248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]

2007-05-18 18:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=DrvTrNTm.dll

"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]

2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

2006-08-14 05:07 102400 ----a-w- c:\program files\Roxio\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1147354590\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]

2003-05-08 15:00 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-05-11 13:37 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2006-07-31 13:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]

2002-03-13 03:18 32768 ----a-w- c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1147354590\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\Roxio\\Disc Copier 9\\DiscCopier9.exe"=

"c:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe"=

"c:\\Program Files\\Common Files\\AOL\\1147354590\\EE\\aolsoftware.exe"=

"c:\\Program Files\\Roxio\\Audio Master 9\\MusicDiscCreator9.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 7:08 PM 93712]

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [12/18/2009 4:09 PM 30280]

R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 7:08 PM 63504]

R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 7:08 PM 45584]

R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 7:08 PM 115216]

R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [12/18/2009 4:08 PM 6222312]

R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 7:08 PM 134648]

R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 7:08 PM 66576]

R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [12/18/2009 4:09 PM 47408]

R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [4/30/2009 2:53 PM 202280]

R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 10:24 AM 1010192]

R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 10:24 AM 801296]

R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 7:10 PM 281104]

R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 7:08 PM 88816]

R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 9:10 PM 189704]

R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [12/18/2009 4:09 PM 24496]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.rr.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

LSP: c:\windows\system32\VetRedir.dll

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8ims8y8y.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8ims8y8y.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit.3.1.dll

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8ims8y8y.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit.dll

FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-AOLAspSunset2 - c:\documents and settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe

MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe

MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe

MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe

MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-26 21:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\Owner\LOCALS~1\Temp\_tfE.tmp 2048 bytes

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)

c:\windows\system32\UmxWnp.Dll

c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(724)

c:\windows\system32\VetRedir.dll

c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(1240)

c:\windows\system32\WININET.dll

c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\wdfmgr.exe

c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\RUNDLL32.EXE

c:\windows\zHotkey.exe

c:\windows\RTHDCPL.EXE

c:\program files\CA\CA Internet Security Suite\ccprovsp.exe

c:\program files\common files\aol\1147354590\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

.

**************************************************************************

.

Completion time: 2009-12-26 21:50:02 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-27 02:49

Pre-Run: 10,052,493,312 bytes free

Post-Run: 10,022,260,736 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A6260A9251057FBBC478D6224FB10BF5

Right after ComboFix finished and rebooted, I got an alert from an AOL anti-Spyware window I'd never seen before alerting me to the "Bitfrost" backdoor, which it isolated and I deleted. Puzzling.

Otherwise the computer seems to boot and reboot more quickly. I have not tried to get to safe mode yet, since that was one of the first things you advised me against.

So far so good, I think. What's next?


Oh, and one other quirk - I have a new second icon for Internet Explorer on my desktop, which (perhaps foolishly) I've already clicked on to get back on line.

The Google redirection seems to be gone though, both in IE and in Firefox... and "Win32/TDSS!packed" has not popped up yet!

I am a little concerned by the appearance of Bifrost


You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not Jonah6Whale8 and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Step 1

A bit of housekeeping: If you did not purchase PREVX CSI and you are done with it, de-install it thru Add-or-Remove Programs in Control Panel.

There are indications of leftover traces of McAfee, which need removal. Get and run the McAfee Consumer Products Removal Tool from here http://service.mcafee.com/FAQDocument.aspx...amp;id=TS100507

Do only steps 1 and 2, then log off and restart Windows.

I suspect you had an autorun infection from sharing USB thumb-flash drives. Get a hold of your flash drives.

Plug in your USB flash drives so that some of these programs will be able to find them.

Step 2

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :processes
    killallprocesses
    :files
    c:\Documents and Settings\Owner\Local Settings\Temp\_tfE.tmp
    c:\Documents and Settings\Owner\Local Settings\Temp\*.tmp
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    i:\recycler
    j:\recycler
    k:\recycler
    l:\recycler
    m:\recycler
    :Commands
    [emptytemp]
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 3

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Step 4

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 3437 and the latest program version is 1.42.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 5

See this topic in the AumHa Security forum and get the latest Java run-time

http://aumha.net/viewtopic.php?f=26&t=42611

Step 6

Using Internet Explorer browser only, go to ESET Online Scanner website:

http://www.eset.com/onlinescan/

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

Step 7

Ensure that your USB flash drives are still in place (plugged in).

Download and install Microsoft's TweakUI:

http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx

Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.

http://www.techsupportforum.com/sectools/s...Disinfector.exe

There is no GUI interface or log file produced.

Step 8

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web CureIt when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the latest MBAM scan log

the ESET scan log

the DrWeb Cure-It log

and tell me, How is your system now?

I want to especially know if you are getting unwanted popups.

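The AutoPlay and flash-drive steps above rest on one mechanism: an autorun.inf at the root of a removable drive that tells Windows XP to launch a program (typically hidden under a RECYCLER folder) when the drive is inserted or double-clicked. The following is an added example, not code from this thread or from OTL, TweakUI or Flash Drive Disinfector; it shows how to audit such a file for launch directives and how the "protected Autorun.inf" trick works, namely occupying the name with a read-only directory so a worm cannot create a file of the same name. The two sample autorun.inf bodies, the SID and the payload name are constructed for illustration.

```python
"""Audit and neutralise autorun.inf on removable media (added example)."""
import os
import re
import tempfile

# [autorun] directives that make Windows XP (before KB971029) start a
# program when the drive is inserted or double-clicked in My Computer.
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# Folder names autorun worms typically hide their payload under.
HIDDEN_PAYLOAD_DIR = re.compile(
    r"(^|\\)(recycler|recycled|system volume information)(\\|$)", re.I)


def parse_autorun(text):
    """Return {section: {key: value}} from an autorun.inf body.

    Worms pad the file with junk lines and odd casing to defeat signature
    scanners, so anything that is not 'key=value' inside a section is
    skipped instead of raising.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_autorun(text):
    """Return (key, value, reason) triples for directives that a clean
    removable drive should never carry; label/icon-only files pass."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", {}).items():
        if key in LAUNCH_KEYS or VERB_COMMAND.match(key):
            reason = "launch directive on removable media"
            if HIDDEN_PAYLOAD_DIR.search(value):
                reason += "; payload under a RECYCLER-style hidden folder"
            findings.append((key, value, reason))
        elif key == "shell":
            findings.append((key, value, "overrides the default double-click verb"))
    return findings


def audit_drive(root):
    """Audit <root>\\autorun.inf.  An autorun.inf *directory* is the
    reservation made by reserve_autorun_inf and is reported as clean."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return audit_autorun(fh.read())


def reserve_autorun_inf(root):
    """Occupy the name autorun.inf with a read-only directory so a worm's
    CreateFile on that name fails.  Returns True once the reservation is in
    place, False if a real autorun.inf file is still present (audit and
    remove it first).  Simplified version of the disinfector idea."""
    target = os.path.join(root, "autorun.inf")
    if os.path.isfile(target):
        return False
    os.makedirs(target, exist_ok=True)
    os.chmod(target, 0o555)  # clears the write bit: read-only attribute on Windows
    return os.path.isdir(target)


# Constructed samples: a vendor CD that only sets a label and icon, and the
# kind of file an autorun worm drops (hypothetical SID and payload name).
BENIGN_SAMPLE = "[autorun]\nlabel=VENDOR_CD\nicon=setup.ico\n"
WORM_SAMPLE = (
    "[autorun]\n"
    "x0Fj2^junk^padding^line^without^a^directive\n"
    "OPEN=RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1003\\payload.exe\n"
    "shell\\open\\Command=RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1003\\payload.exe\n"
    "shell\\explore\\command=RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1003\\payload.exe\n"
    "shell=open\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
)


def demo_reservation():
    """Exercise reserve_autorun_inf in a scratch directory standing in for a
    flash-drive root; True when both calls leave the name reserved and
    audit_drive then reports the drive clean."""
    with tempfile.TemporaryDirectory() as drive:
        first = reserve_autorun_inf(drive)
        second = reserve_autorun_inf(drive)  # idempotent on re-run
        clean = audit_drive(drive) == []
        os.chmod(os.path.join(drive, "autorun.inf"), 0o755)  # let cleanup remove it
    return first and second and clean


if __name__ == "__main__":
    for key, value, reason in audit_autorun(WORM_SAMPLE):
        print(f"{key} = {value}  <- {reason}")
    print("reservation ok:", demo_reservation())
```

Run it as-is to see the worm sample flagged; point audit_drive and reserve_autorun_inf at a mounted flash-drive root to use it for real. The directory trick only blocks re-infection of the drive; the host side is the AutoPlay policy the TweakUI checkboxes write (the NoDriveAutoRun drive-letter bitmask under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer; setting the sibling NoDriveTypeAutoRun to 0xFF disables AutoRun for every drive type at once), and a worm that has already run will also have added its own Run-key or service entries that no autorun.inf cleanup touches.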

Here's what's happened so far...

Woke up to find that a scheduled CA Anti-spyware scan had discovered and quarantined two rogue security programs, "WinSpywareProtect" and "WinAntiVirusPro"

I did your suggested housekeeping, attached my two thumb drives ( m: & n:), and then ran OTL.

During the OTL run I got the following error messages while OTL was "moving file f:\recycler", "moving file g:\recycler", etc.

"Windows - No Disk

Exception Processing Message c0000013 Parameters 75b6bf7c 75b6bf7c 75b6bf7c

Try Again - Exit - Continue"

I kept pressing "Continue" and the scan completed with the following log:

All processes killed

========== PROCESSES ==========

========== FILES ==========

File\Folder c:\Documents and Settings\Owner\Local Settings\Temp\_tfE.tmp not found.

c:\Documents and Settings\Owner\Local Settings\Temp\~DF167D.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DF1B70.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DF20D1.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DF63E0.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DF7F26.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DF8A1D.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DF9144.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DF9A93.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DFB375.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DFBBB.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DFBEF7.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DFC26A.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DFCAC9.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DFD2EE.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DFEEEA.tmp moved successfully.

File\Folder C:\recycler not found.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

File\Folder i:\recycler not found.

File\Folder j:\recycler not found.

File\Folder k:\recycler not found.

File\Folder l:\recycler not found.

File\Folder m:\recycler not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 65748 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Owner

->Temp folder emptied: 450635 bytes

->Temporary Internet Files folder emptied: 5305171 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 16541062 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 21.00 mb

OTL by OldTimer - Version 3.1.20.1 log created on 12272009_185828

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

---End of File---

Then I noticed that your copy and paste script for OTL didn't cover my newly inserted thumb drive n: so I added

"n:\recycler" after "m:\recycler" and re-ran OTL with the following result:

All processes killed

========== PROCESSES ==========

========== FILES ==========

File\Folder c:\Documents and Settings\Owner\Local Settings\Temp\_tfE.tmp not found.

c:\Documents and Settings\Owner\Local Settings\Temp\~DF1955.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DF73CB.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DFC3BA.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DFD6A.tmp moved successfully.

c:\Documents and Settings\Owner\Local Settings\Temp\~DFE7A5.tmp moved successfully.

C:\RECYCLER\S-1-5-21-1219026002-1398350807-613475608-1003 folder moved successfully.

C:\RECYCLER folder moved successfully.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

File\Folder i:\recycler not found.

File\Folder j:\recycler not found.

File\Folder k:\recycler not found.

File\Folder l:\recycler not found.

File\Folder m:\recycler not found.

File\Folder n:\recycler not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 16786 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Owner

->Temp folder emptied: 250 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.1.20.1 log created on 12272009_193100

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

---End of File---

This second time there were no error messages from OTL.

Then I ran Gooredfix:

GooredFix by jpshortstuff (06.12.09.1)

Log created at 19:40 on 27/12/2009 (Owner)

Firefox version 3.0.15 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [10:50 22/05/2009]

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8ims8y8y.default\extensions\

outwit-images@outwit.com [14:59 01/10/2009]

SkipScreen@SkipScreen [03:03 17/09/2009]

{02450954-cdd9-410f-b1da-db804e18c671} [17:58 19/09/2009]

{20a82645-c095-46ed-80e3-08825760534b} [01:30 30/09/2009]

{53A03D43-5363-4669-8190-99061B2DEBA5} [03:03 17/09/2009]

{5fb1186a-3398-4c47-b579-0f2eee222ad1} [14:59 01/10/2009]

{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} [13:04 22/05/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" [16:49 05/05/2009]

"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [12:38 07/08/2009]

-=E.O.F=-

I next disabled CA AV and anti-Spyware and then updated and ran MBAM:

Malwarebytes' Anti-Malware 1.42

Database version: 3442

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/27/2009 7:52:38 PM

mbam-log-2009-12-27 (19-52-38).txt

Scan type: Quick Scan

Objects scanned: 109409

Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

---End of File---

After DLing and updating the latest Java Runtime I went to ESET (using IE) for an online scan and got as far as the Virus Signature Download window, where I got the following

"Can not update. Is Proxy configured?"

ESET also noted that I still had CA Security Center running, but I had shut down both the CA antivirus and the antispyware programs, keeping only the firewall on.

I don't know if the CA Security Center shell was the problem, but I could get no farther after several tries. (And no, I have no proxy configured)

I await your reply before proceeding further.

(New twist - now my CA Email protection module is turned off and can't be reactivated. No unwanted pop-ups though)


Sorry, but I gave an old link for the flash drive disinfector utility.

Plug in any USB flash (thumb) drives you have so that they can be on-line.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.

http://download.bleepingcomputer.com/sUBs/...Disinfector.exe

There is no GUI interface or log file produced.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

You have a prior copy of Combofix on the Desktop, named Combo-fix.exe, delete it now!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Double click on Combo-Fix.exe (red lion icon) & follow the prompts.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Combofix.txt

There will be more to do later.


Woke up to another CA-AV alert and deletion of "Win32/SillyDl.PRR"

----------

Got a spontaneous reboot as I was closing down IE with the following from Windows:

Error signature:

BCCode : fe BCP1 : 00000005 BCP2 : 8AAD40E0 BCP3 : 10DE026E

BCP4 : 8A17A870 OSVer : 5_1_2600 SP : 3_0 Product : 768_1

The following files will be included in the error report

C:\DOCUME~1\Owner\LOCALS~1\Temp\WER6cb1.dir00\Mini122809-01.dmp

C:\DOCUME~1\Owner\LOCALS~1\Temp\WER6cb1.dir00\sysdata.xml

----------

Downloaded and ran Flash Drive Disinfector. (Can I now remove the flash drives?)

----------

DL and ran new copy of Combo-Fix. Log follows:

ComboFix 09-12-27.04 - Owner 12/28/2009 20:40:47.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2431.1841 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))

.

2009-12-28 01:20 . 2009-12-28 01:20 -------- d-----w- c:\program files\ESET

2009-12-28 01:05 . 2009-12-28 01:05 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-27 00:46 . 2009-12-27 00:46 -------- d-----w- C:\_OTL

2009-12-26 21:04 . 2009-12-26 21:04 -------- d-----w- c:\program files\ERUNT

2009-12-23 17:44 . 2009-12-23 17:44 -------- d-----w- c:\program files\Trend Micro

2009-12-22 15:50 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2009-12-19 19:56 . 2009-12-19 19:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-12-19 19:56 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-19 19:56 . 2009-12-19 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-19 19:56 . 2009-12-21 05:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-19 19:56 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-01 10:15 . 2009-12-01 10:18 -------- d-----w- c:\program files\mp3DirectCut

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-28 12:24 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7

2009-12-28 12:24 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6

2009-12-28 12:24 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5

2009-12-28 12:24 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4

2009-12-28 12:24 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3

2009-12-28 12:24 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2

2009-12-28 12:24 . 2009-05-01 15:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1

2009-12-28 12:24 . 2009-05-01 15:32 122922 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0

2009-12-28 01:13 . 2006-05-11 13:31 -------- d-----w- c:\program files\Java

2009-12-19 08:40 . 2009-05-01 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\CA

2009-12-01 22:59 . 2006-09-26 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2009-12-01 16:45 . 2009-10-13 15:19 739696 ----a-w- c:\windows\system32\drivers\vetefile.sys

2009-12-01 16:45 . 2009-10-13 15:19 133520 ----a-w- c:\windows\system32\drivers\veteboot.sys

2009-12-01 16:45 . 2009-05-01 15:15 32240 ----a-w- c:\windows\system32\drivers\vetmonnt.sys

2009-12-01 16:45 . 2009-05-01 15:15 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys

2009-12-01 16:45 . 2009-05-01 15:15 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys

2009-12-01 16:45 . 2009-05-01 15:15 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys

2009-11-21 15:51 . 2004-08-26 16:11 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-11 11:22 . 2009-11-11 11:22 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys

2009-10-29 07:45 . 2004-08-26 16:12 916480 ------w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2004-08-26 16:12 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-26 16:11 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 15:19 . 2009-07-23 23:38 1541416 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll

2009-10-13 10:30 . 2004-08-26 16:12 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2004-08-26 16:12 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2004-08-26 16:12 79872 ----a-w- c:\windows\system32\raschap.dll

2009-09-30 17:49 . 2009-10-01 14:59 89600 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8ims8y8y.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit.dll

2009-09-30 17:49 . 2009-10-01 14:59 89088 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8ims8y8y.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit.3.1.dll

2007-03-19 02:52 . 2007-03-19 02:51 8650 ----a-w- c:\program files\MXDB.DB

2007-03-19 02:51 . 2007-03-19 02:51 336 ----a-w- c:\program files\MXDB.bak

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-02 39408]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-07-03 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]

"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-17 7204864]

"nwiz"="nwiz.exe" [2005-09-17 1519616]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-17 86016]

"CHotkey"="zHotkey.exe" [2004-12-09 550912]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]

"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-11 98304]

"HostManager"="c:\program files\Common Files\AOL\1147354590\ee\AOLSoftware.exe" [2006-09-26 50736]

"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]

"medicsp2"="c:\program files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 198184]

"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-07-30 177392]

"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-05-01 14088]

"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-12-01 230664]

"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2009-05-01 1193200]

"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2009-05-01 173296]

"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2009-05-01 259312]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-05 198160]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-30 624248]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-28 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]

2007-05-18 18:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=DrvTrNTm.dll

"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]

2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

2006-08-14 05:07 102400 ----a-w- c:\program files\Roxio\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1147354590\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]

2003-05-08 15:00 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-05-11 13:37 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2006-07-31 13:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]

2002-03-13 03:18 32768 ----a-w- c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1147354590\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\Roxio\\Disc Copier 9\\DiscCopier9.exe"=

"c:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe"=

"c:\\Program Files\\Common Files\\AOL\\1147354590\\EE\\aolsoftware.exe"=

"c:\\Program Files\\Roxio\\Audio Master 9\\MusicDiscCreator9.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 7:08 PM 93712]

R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 7:08 PM 63504]

R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 7:08 PM 45584]

R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 7:08 PM 115216]

R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 7:08 PM 134648]

R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 7:08 PM 66576]

R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [4/30/2009 2:53 PM 202280]

R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 10:24 AM 1010192]

R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 10:24 AM 801296]

R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 7:10 PM 281104]

R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 7:08 PM 88816]

R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 9:10 PM 189704]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.rr.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

LSP: c:\windows\system32\VetRedir.dll

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8ims8y8y.default\

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8ims8y8y.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit.3.1.dll

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8ims8y8y.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit.dll

FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-28 20:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1164)

c:\windows\system32\UmxWnp.Dll

c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1376)

c:\windows\system32\VetRedir.dll

c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(1460)

c:\windows\system32\WININET.dll

c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2009-12-28 20:50:52

ComboFix-quarantined-files.txt 2009-12-29 01:50

ComboFix2.txt 2009-12-27 02:50

Pre-Run: 7,941,103,616 bytes free

Post-Run: 7,936,786,432 bytes free

- - End Of File - - 04ACF02CDDAEE71A7C0A57D1AF4BF79F

OK, Maurice, I'm ready for more, and should be able to respond more quickly over the next few days.

Thanks for all your help so far.

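The ComboFix "Reg Loading Points" block above, and the HijackThis O4 lines requested later in the thread, are what a helper reads by hand to spot odd autostart entries and switched-off protections. As an added example that is not part of this thread and not code from ComboFix, HijackThis or Trend Micro, the Python script below parses those two line formats and lists what deserves a second look. The sample input is constructed from lines in the logs above plus one invented Temp-folder entry; the "user-writable path" rule is a heuristic of this example, not a rule either tool applies.

```python
"""Autostart and Security Center triage for HijackThis / ComboFix log excerpts.

Added example for this thread, not code from ComboFix, HijackThis or Trend Micro.
It reads the two line formats visible in the logs above and reports (a) autostart
modules that sit in user-writable locations, which a reviewer verifies rather than
assumes benign, and (b) Security Center / Windows Firewall values that are off.
Third-party suites set the Security Center values legitimately, so every hit is a
question to ask, not a verdict.
"""
import re
from typing import Dict, Iterable, Iterator, List, Tuple

# HijackThis autostart line:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# ComboFix registry dump: a [key] header, then "name"="path" [meta] or "name"=dword:...
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\S+)')
# Profile / temp folders: a vendor-installed autostart rarely lives here.
# Heuristic of this example only, not a rule either tool applies.
USER_WRITABLE = re.compile(r'\\(temp|locals~1|application data|appdata)\\', re.I)


def launcher_target(cmd: str) -> str:
    """Return the module an O4 command really loads.

    Quoted path -> that path; rundll32 launcher -> the DLL it is handed;
    otherwise everything up to the first '.exe' (unquoted paths with spaces are
    common in these logs, so splitting on whitespace would truncate them).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)^\S*rundll32\.exe\s+([^,]+)', cmd)
    if m:
        return m.group(1).strip()
    m = re.match(r'(?i)^(.+?\.exe)(?:\s|$)', cmd)
    return m.group(1) if m else cmd.split(' ', 1)[0]


def parse_autostarts(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (source, entry name, module) for HJT O4 lines and ComboFix Run values."""
    key = ''
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            yield ('HJT ' + m['hive'], m['name'], launcher_target(m['cmd']))
            continue
        k = KEY_RE.match(line)
        if k:
            key = k['key']
            continue
        if key.lower().endswith('\\run'):
            m = RUN_RE.match(line)
            if m:  # ComboFix prints the bare module path, so no launcher parsing here
                yield ('ComboFix ' + key, m['name'], m['path'])


def _number(val: str):
    """Decode dword:0000000N or a plain decimal; None for anything else."""
    val = val.lower()
    if val.startswith('dword:'):
        return int(val[6:], 16)
    return int(val) if val.isdigit() else None


def parse_security_settings(lines: Iterable[str]) -> List[str]:
    """Flag Security Center overrides and a disabled Windows Firewall profile."""
    findings, key = [], ''
    for raw in lines:
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            key = k['key']
            continue
        m = VAL_RE.match(line)
        if not m:
            continue
        num = _number(m['val'])
        if num is None:
            continue
        name = m['name'].lower()
        if name == 'firewalloverride' and num == 1:
            findings.append(f'{key}: FirewallOverride=1 (Security Center firewall warnings suppressed)')
        elif name == 'disablemonitoring' and num == 1:
            findings.append(f'{key}: DisableMonitoring=1 (Security Center not watching this product)')
        elif name == 'enablefirewall' and num == 0:
            findings.append(f'{key}: EnableFirewall=0 (Windows Firewall off for this profile)')
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    """Run both parsers over a log excerpt and group what a reviewer should look at."""
    lines = text.splitlines()
    parsed = list(parse_autostarts(lines))
    entries = [f'{src} [{name}] -> {mod}' for src, name, mod in parsed]
    verify = [f'{src} [{name}] -> {mod}' for src, name, mod in parsed if USER_WRITABLE.search(mod)]
    return {'autostarts': entries, 'verify': verify, 'settings': parse_security_settings(lines)}


# Constructed excerpt: the ComboFix and HijackThis lines are copied from the logs in
# this thread; the final O4 line is invented to show what a "verify" hit looks like.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-02 39408]
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [constructed] C:\DOCUME~1\Owner\LOCALS~1\Temp\example.exe
"""

if __name__ == '__main__':
    for section, items in triage(SAMPLE).items():
        print(section)
        for item in items:
            print('  ' + item)
```

Run as-is it prints the three groups for the sample; paste a whole log into `triage()` for a real one. The Security Center hits in this thread sit under "Monitoring\CA Personal Firewall" and "Monitoring\ComputerAssociatesAntiVirus", which is consistent with the installed CA suite registering itself as the monitored firewall and antivirus, so the script labels them as things to confirm rather than as infection indicators.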

Yes, you can unplug the USB flash drives now.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

You did not do the DrWeb Cure-it, so let's have you do that now.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the DrWeb Cure-It log

and tell me, how is your system now?

I want to especially know if you are getting unwanted popups.


Somehow managed to run FixPolicies twice at the same time, then closed the first window and let the other finish - hope no damage was done.

Got to Safe Mode OK, but couldn't run Dr. Web-CureIt successfully. Tried three times, but each time the computer rebooted about a quarter of the way through the quick scan.

The crash seemed to come while scanning C:\WINDOWS\system32\drivers, the last time freezing specifically at C:\WINDOWS\system32\drivers\acpi.sys

Got the following Windows error:

Error signature:

BCCode : 1000008e BCP1 : 80000004 BCP2 : 805419D3 BCP3 : B97379B0

BCP4 : 00000000 OSVer : 5_1_2600 SP : 3_0 Product : 768_1

You gave no specific instructions about turning off AV and anti-spyware before running CureIt in Safe Mode - there were no CA icons running in the system tray.

Should I try it again?


In Safe mode, the antivirus & anti-malware apps would not be active; so need to turn them off.

Seeing that you ran into a hitch in Safe mode, let's have you do the following in Normal mode:

Turn off temporarily your antivirus & anti-malware apps.

Close any of your open programs.

Then run the DrWeb Cure-It program as outlined before (just run it in Normal mode).

When all is done, and you have the report, then be sure to re-activate your antivirus program.


If DrWeb CureIt still shows in Task Manager, then end that process.

It shall be a mystery why this has run into a hitch.

Delete the DrWeb downloads & files.

Let's do an online scan at Kaspersky.

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Re-enable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

Read the Information block presented on the screen, and then press the Accept button.

1) Accept the agreement

2) The necessary files will be downloaded and installed. Please have plenty of patience.

3) After Kaspersky AntiVirus Database is updated, look at the Scan box.

4) Click the My Computer line

5) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware.

6) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

(To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.

Kaspersky is a report only and does not remove files.

Post back with copies of the Kaspersky.txt report.

How is your system now?


I'm having trouble with KAV online scan. I've got the anti-virus and anti-spyware off, enabled pop-ups for that site, and then I get this:

"Kaspersky Online Scanner 7.0 download and operation require Java framework version 1.5 or later."

You had me update Java Runtime just the other day.

A Java control panel icon popped up on my system tray when I first got to Kaspersky.com, so I used that to try to update again or get more info, but that program told me I couldn't access the web with my current browser settings.

What to do next?


Went to this Kaspersky page "http://www.kaspersky.com/virusscanner" and found that the online scanner is unavailable. Message below:

----------

Free Virus Scan

Coming soon:

A new, improved version of the Kaspersky Online Scanner

The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience. While you are waiting for the improved Online Scanner, why not try a free trial of Kaspersky Internet Security 2010, which has everything you need to keep your computer safe.

----------

Suggestions?


The link I gave you in the earlier instructions for Kaspersky-online is the proper current one.

You should have seen a EULA notice with a scroll bar on the right side of the screen.

Scrolling the scroll bar down will get the Accept button to appear, after which you click Accept button to proceed.

Run these following 2 reports and post back copies for my review, please.

Download the HijackThis Installer

Save the HJT Installer to your desktop or the folder of your choice, then navigate to that folder and double-click Hijackthis.msi to start the installation.

When the Trend Micro HJT install box appears, click Install.

HijackThis (HJT) will be installed in the C:\Program Files\Trend Micro\HijackThis folder by default and a desktop shortcut will be created.

Next, start HJT. Do a "Scan and Save log".

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Reply with copy of the Hijackthis log

and the Checkup.txt


"The link I gave you in the earlier instructions for Kaspersky-online is the proper current one.

You should have seen a EULA notice with scroll bar on the right-side of screen.

Scrolling the scroll bar down will get the Accept button to appear, after which you click Accept button to proceed."

I did see the EULA notice, but the "Accept" button was greyed out and inactive, even after the "Java framework version 1.5 or later" notice appeared.

"If one of your security applications (e.g., 3rd-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so."

This issue never came up.

Following are the HijackThis and Security Check logs:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 7:00:38 PM, on 12/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\twc\medicsp2\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\zHotkey.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\AOL\1147354590\ee\AOLSoftware.exe

C:\Program Files\twc\medicsp2\bin\sprtcmd.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

c:\program files\common files\aol\1147354590\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX6\u4uzmc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147354590\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl

O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - http://cainternetsecurity.net/scanner/cascanner.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--

End of file - 14851 bytes

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

Adobe After Effects CS3 Presets

``````````````````````````````

Anti-malware/Other Utilities Check:

Java 6 Update 17

Adobe Flash Player 10

Adobe Reader 7.0

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

CA CA Internet Security Suite CA Anti-Virus ISafe.exe

CA CA Internet Security Suite CA Anti-Virus VetMsg.exe

CA CA Internet Security Suite CA Anti-Virus CAVRID.exe

CA CA Internet Security Suite CA Personal Firewall capfsem.exe

CA CA Internet Security Suite CA Personal Firewall capfasem.exe

``````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````

So far so good...

I can now boot into Safe mode as needed.

Google redirectors seem to be gone in both IE and Firefox.

Constant alerts for "Win32/TDSS!packed" have stopped, as indeed have alerts for any malware or virus in the last 36 hours.

On the negative side:

CA Email Protection still remains off and daily automatic updates seem not to affect this. (I have not attempted a manual update yet.)

I seem unable to complete an online scan of my system.

I await your next step...

(and again, much thanks for all you've done so far!)

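The HijackThis log above is the kind of thing a responder skims for the handful of entries worth a second look. As an added example (not code from this thread, and not part of HijackThis itself), here is a small Python triage that parses the O4, O16 and O23 line types and flags what a practitioner would check first: autostart entries whose executable lives in a user-writable location, O16 DPF entries with neither a description nor a download URL (like the bare CLSID in the log above), and O23 services listed with "Unknown owner" or "(file missing)". The heuristics are my own, and the sample log is constructed from a few real lines above plus one invented O4 "updater" row pointing into a Temp folder. Flags are prompts to investigate, not verdicts; two legitimate CA and Roxio services in this very log show "Unknown owner".

```python
"""HijackThis log triage: flag O4/O16/O23 entries worth a second look.

Added example, not part of the original thread or of HijackThis itself.
The heuristics are the author's own; flags are prompts to investigate, not verdicts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# O4: autostart (Run key) entries -> hive, value name, command line
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O16: Downloaded Program Files (ActiveX) -> CLSID, optional description, optional URL
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$')
# O23: services -> display name, signer/owner, image path
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# First absolute path to an executable-ish file inside a command line
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|com|scr|sys|bat|cmd|pif)\b', re.IGNORECASE)

# Locations a non-admin process can write to; a Run entry here deserves a look
USER_WRITABLE = ('\\temp\\', '\\local settings\\', '\\application data\\',
                 '\\documents and settings\\', '\\recycler\\', '\\appdata\\')


@dataclass(frozen=True)
class Finding:
    kind: str  # short code such as 'o4-user-writable'
    line: str  # the log line that triggered it


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious condition found in a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O4_RE.match(line):
            cmd = m['cmd']
            if cmd == 'NA' or cmd.startswith('NA '):
                continue  # HKUS placeholder rows carry no command
            p = PATH_RE.search(cmd)
            if p is None:
                # Bare file name: resolved via the search path, so easy to hijack
                findings.append(Finding('o4-no-path', line))
            elif any(tok in p.group(0).lower() for tok in USER_WRITABLE):
                findings.append(Finding('o4-user-writable', line))
        elif m := O16_RE.match(line):
            if not m['desc'] and not m['url']:
                # A CLSID with neither a name nor a source URL cannot be vetted from the log
                findings.append(Finding('o16-empty-dpf', line))
        elif m := O23_RE.match(line):
            if m['owner'] == 'Unknown owner':
                findings.append(Finding('o23-unknown-owner', line))
            if '(file missing)' in m['path']:
                findings.append(Finding('o23-file-missing', line))
    return findings


# Constructed sample: real lines from the log above plus one invented O4 entry
# (the "updater" row, hypothetical) that points into a user's Temp folder.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\svchst.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind:20} {f.line}')
```

Run against the sample, the only O4 row it flags is the invented Temp-folder entry; the real CA, NVIDIA and Support.com rows pass untouched, while the bare-CLSID O16 entry and the two "Unknown owner" services (one of them also "(file missing)") come back for a manual look, which is exactly the list a helper would ask the poster about before trusting the rest of the log.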

If you have the Adobe Acrobat suite, then invoke the Update function to get latest security updates.

For the Adobe Reader only, find the appropriate update here: http://www.adobe.com/support/downloads/pro...latform=Windows

You should (later on) do a manual update of your CA security product.

The HijackThis log looks fine --- only I can't tell why there are 4 instances of Internet Explorer listed as running.

I'd like to have you get and run TrendMicro's Sysclean package and then scan your system locally:

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Trend Micro Damage Cleanup Engine
  • Make sure you read this document to understand how to use the program: Trend Micro Sysclean Package README 1st
  • Basically there are 3 parts that need to be downloaded and SAVED from these links:
    • Download Sysclean Package
    • Download Virus Pattern Files; this will be a LPTxxx.ZIP file
    • Download Spyware Pattern Files; this is a SSAPIPTNxxx.ZIP file (it is the 4th listed file, under the title "Detection and Cleanup (Trend Micro Anti-Spyware)")


"The HijackThis log looks fine --- only I can't tell why there are 4 instances of Internet Explorer listed as running."

IE was running with 3 or 4 tabs open.

Ran TrendMicro's Sysclean package.

Happened to be awake at about 4 am when the scan finished. The "View Log" button only revealed the very top of the file, up to where the double-spaced letters are. Boy, did I panic - 6 hours of scanning for naught! The rest of the file finally showed up when I rebooted. Whew!

Interestingly, after it was all over, Sysclean reset my desktop background image (one of the standard Windows preset images) to a plain light blue color. No problem to reset.

Watching the earlier part of the scan, I saw some viruses found in archives I had downloaded or gotten from friends, but had never used.

I can't tell from the log if the archives were actually cleaned, but it would be no problem to delete these entirely.

Sysclean log follows:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2009-12-29, 21:41:36, Auto-clean mode specified.

2009-12-29, 21:41:36, Initialized Rootkit Driver version 2.2.0.1004.

2009-12-29, 21:41:36, Running scanner "C:\DCE\TSC.BIN"...

2009-12-29, 21:42:02, Scanner "C:\DCE\TSC.BIN" has finished running.

2009-12-29, 21:42:02, TSC Log:
