
DCOM Server Error!



Hello, I am getting a "DCOM Server Terminated unexpectedly" error. I have followed the directions and have posted my logs; however, I get about 25 minutes into the "GMER Rootkit Scanner" and get a blue screen error and the computer reboots immediately. Please advise.

Thank you.

Malwarebytes' Anti-Malware 1.44

Database version: 3631

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/24/2010 9:08:37 PM

mbam-log-2010-01-24 (21-08-37).txt

Scan type: Quick Scan

Objects scanned: 123576

Time elapsed: 16 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86

Run by Jimmy Yarbrough at 19:17:24.45 on Sat 01/23/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.419 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Documents and Settings\Jimmy Yarbrough\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

uURLSearchHooks: H - No File

mURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: 1 (0x1): {02478d38-c3f9-4efb-9b51-7695eca05670} - Yahoo! Toolbar Helper

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [synTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"

mRun: [hpWirelessAssistant] "c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe"

mRun: [eabconfg.cpl] "c:\program files\hpq\quick launch buttons\EabServr.exe" /Start

mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe

mRun: [RecGuard] c:\windows\sminst\RecGuard.exe

mRun: [DetectorApp] "c:\program files\sonic\digitalmedia plus v7\mydvd plus\DetectorApp.exe"

mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab

DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} - hxxp://10.169.0.147/apps/common/includes/PC-CONFIG-CHECK.CAB

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-1-4 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-1-4 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-4 144704]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-4 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-1-4 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-1-4 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-4 40552]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-11 135664]

S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-1-4 34248]

S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2006-8-12 15576]

=============== Created Last 30 ================

2010-01-24 00:09:32 0 ----a-w- c:\documents and settings\jimmy yarbrough\defogger_reenable

2010-01-23 00:59:09 0 d-sha-r- C:\cmdcons

2010-01-23 00:55:49 77312 ----a-w- c:\windows\MBR.exe

2010-01-23 00:55:48 98816 ----a-w- c:\windows\sed.exe

2010-01-23 00:55:48 261632 ----a-w- c:\windows\PEV.exe

2010-01-23 00:55:48 161792 ----a-w- c:\windows\SWREG.exe

2010-01-21 21:09:21 3245 ----a-w- c:\windows\system32\wbem\Outlook_01ca9ade004bf2b8.mof

2010-01-21 13:44:00 181120 ------w- c:\windows\system32\MpSigStub.exe

2010-01-05 15:49:44 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-01-05 15:49:44 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll

2010-01-05 15:49:35 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2010-01-05 15:49:35 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys

2010-01-04 22:02:07 11873 ----a-w- c:\windows\system32\Config.MPF

2010-01-04 21:35:17 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-01-04 21:35:17 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2010-01-04 21:35:17 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-01-04 21:35:12 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-01-04 21:34:42 0 d-----w- c:\program files\common files\McAfee

2010-01-04 21:34:41 0 d-----w- c:\program files\McAfee.com

2010-01-04 21:34:28 0 d-----w- c:\program files\McAfee

2010-01-04 21:27:50 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2010-01-02 04:35:27 0 dc-h--w- c:\windows\ie8

2009-12-26 04:57:29 0 d-----w- c:\program files\common files\L&H

2009-12-25 05:29:24 0 d-----w- c:\documents and settings\jimmy yarbrough\Tracing

2009-12-25 05:28:26 0 d-----w- c:\program files\Windows Live SkyDrive

2009-12-25 05:25:42 0 d-----w- c:\program files\common files\Windows Live

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe

2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll

2009-11-12 20:51:30 4199784 ----a-w- c:\windows\system32\cdintf400.dll

2009-11-12 20:51:18 1721784 ----a-w- c:\windows\system32\inetclnt.dll

2009-11-01 00:00:16 107520 --sha-r- c:\windows\system32\qrqyum.dll

2009-09-06 15:22:36 336 ----a-w- c:\program files\temp995.bat

2004-09-11 15:30:08 480 -c--a-w- c:\program files\eBayItem.vcs

============= FINISH: 19:19:29.96 ===============

Attach.zip

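An added example, not part of this thread and not a Malwarebytes or DDS tool: the Python script below runs a few triage heuristics over lines in the DDS format used in the log above. Its sample input is constructed from entries of the kind that appear in that log (a proxy setting pointing at a loopback port, "No File" entries, a DPF control fetched from a 10.x address, a driver entry ending in "[?]", and a system+hidden DLL in system32). Each flag is a review prompt, not a verdict; every one of these patterns also has legitimate causes, which is why such entries are investigated rather than deleted on sight. The rule names and the attribute-column decoding are this example's assumptions.

```python
"""Heuristic triage of a DDS log (Pseudo HJT Report, services and file listing).

Added example for this thread; not a Malwarebytes, DDS or forum tool.
Every rule is a review prompt, not a verdict.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the DDS line format (DDS writes "hxxp" for "http" on purpose).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/LegitCheckControl.cab
DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} - hxxp://10.169.0.147/apps/common/includes/PC-CONFIG-CHECK.CAB
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
2010-01-23 00:59:09 0 d-sha-r- C:\cmdcons
2009-11-01 00:00:16 107520 --sha-r- c:\windows\system32\qrqyum.dll
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-06 15:22:36 336 ----a-w- c:\program files\temp995.bat
"""

# "uInternet Settings,ProxyServer = http=127.0.0.1:5555"
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[\w.\-]+):(?P<port>\d+)", re.I)
# "DPF: {GUID} - hxxp://host/path.cab"
DPF_RE = re.compile(r"^DPF:\s*\{[0-9A-F-]+\}\s*-\s*hxxps?://(?P<host>[^/\s:]+)", re.I)
# "2009-11-01 00:00:16 107520 --sha-r- c:\windows\system32\qrqyum.dll"
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(?P<attr>[a-z-]{8})\s+(?P<path>\S.*)$", re.I)


def is_local_or_private(host: str) -> bool:
    """True for loopback, RFC 1918 and link-local addresses; False for host names."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private or addr.is_link_local


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for lines worth a second look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m and is_local_or_private(m.group("host")):
            # Browser traffic is routed through a listener on this machine; find out what owns the port.
            findings.append(("proxy-to-local-listener", line))
        if line.endswith("No File"):
            # The registry still references a component whose file is gone.
            findings.append(("orphaned-registry-entry", line))
        m = DPF_RE.match(line)
        if m and is_local_or_private(m.group("host")):
            # ActiveX package fetched from a raw private address rather than a vendor host name.
            findings.append(("activex-from-private-ip", line))
        if ";" in line and line.endswith("[?]"):
            # Semicolon-delimited service/driver entry whose binary DDS could not resolve.
            findings.append(("service-file-unresolved", line))
        m = FILE_RE.match(line)
        if m:
            attr, path = m.group("attr").lower(), m.group("path").lower()
            # Attribute columns as read from the sample: 0=d(irectory), 2=s(ystem), 3=h(idden).
            is_dir = attr[0] == "d"
            system_hidden = attr[2] == "s" and attr[3] == "h"
            if not is_dir and system_hidden and "\\system32\\" in path:
                # A loose system+hidden file in system32 is unusual for a user-installed component.
                findings.append(("hidden-system-file-in-system32", line))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per rule."""
    counts: Dict[str, int] = {}
    for rule, _line in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print("%-32s %s" % (rule, line))
    print(summarize(triage(SAMPLE_LOG)))
```

The proxy rule is the one to chase first on the machine itself: the next check is what process listens on that port (on XP SP2 or later, `netstat -anob` from an administrator prompt shows the owning executable). A "No File" entry is usually just leftover from an uninstalled add-on, and a hidden+system attribute set can be applied by legitimate installers, so the script deliberately reports and never deletes.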


Hello, I haven't heard anything on this. Can someone please help?

Thanks!


Hello Jimmymason

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the text below:

    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is, since it is randomly named.
  • Double click on the new randomly named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher, go ahead and click on Run.
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
      • Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [save..] button, and in the File name area type in "ark.txt", or it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main, then under the Downloads section click on "Always ask me where to save files" so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

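The /md5start ... /md5stop block in the OTL instructions above asks OTL to report the MD5 of the copies of those storage drivers and logon DLLs it finds, so the helper can spot a loaded copy whose hash differs from the cached one (on Windows XP, system32\dllcache and ServicePackFiles\i386 normally hold an unmodified copy of a boot-critical driver). The Python script below is an added example, not OTL and not the helper's code: it does that comparison offline by hashing every copy of the listed names under the roots it is given and reporting names whose copies differ. The directory layout of the demo tree, the constructed file contents and the script name are assumptions.

```python
"""Cross-copy hash comparison for the file names in the helper's /md5start list.

Added example; not OTL and not the helper's code. Hashes every copy of a
watched name under the given roots and reports names whose copies differ.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Tuple

# File names from the /md5start ... /md5stop block (compared case-insensitively).
WATCHLIST = {
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iastor.sys", "nvstor.sys", "atapi.sys",
    "idechndr.sys", "viasraid.sys", "agp440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys", "viprt.sys",
    "enethook.dll", "ahcix86.sys", "kr10n.sys", "nvstor32.sys", "ahcix86s.sys",
    "nvrd32.sys",
}

Copy = Tuple[str, int, str, str]  # (path, size, md5, sha256)


def file_digests(path: Path) -> Tuple[str, str]:
    """MD5 (to line up with OTL's output) and SHA-256 of a file, streamed in 64 KiB blocks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def collect_copies(roots: List[str], names=WATCHLIST) -> Dict[str, List[Copy]]:
    """Every copy of a watched name under the given roots, keyed by lower-cased name."""
    copies: Dict[str, List[Copy]] = defaultdict(list)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if fn.lower() not in names:
                    continue
                p = Path(dirpath) / fn
                try:
                    md5, sha = file_digests(p)
                except OSError as exc:
                    # An unreadable copy is recorded with an empty hash, so it shows up as a mismatch
                    # instead of being silently skipped (OTL's /lockedfiles exists for the same reason).
                    copies[fn.lower()].append((str(p), -1, "unreadable: %s" % exc, ""))
                    continue
                copies[fn.lower()].append((str(p), p.stat().st_size, md5, sha))
    return dict(copies)


def find_mismatches(copies: Dict[str, List[Copy]]) -> Dict[str, List[Copy]]:
    """Names with more than one distinct content hash among their copies."""
    return {name: entries for name, entries in copies.items()
            if len({e[3] for e in entries}) > 1}


# Constructed file contents for the demo tree: same size, one byte differs.
ORIGINAL = b"MZ\x90\x00" + bytes(60) + b"unmodified driver body."
PATCHED = b"MZ\x90\x00" + bytes(60) + b"unmodified driver body!"


def make_demo_tree(base: str) -> List[str]:
    """Assumed XP-like layout in which the loaded driver differs from its cached copies."""
    layout = {
        "WINDOWS/system32/drivers/atapi.sys": PATCHED,
        "WINDOWS/system32/dllcache/atapi.sys": ORIGINAL,
        "WINDOWS/ServicePackFiles/i386/atapi.sys": ORIGINAL,
        "WINDOWS/system32/eventlog.dll": ORIGINAL,
        "WINDOWS/system32/dllcache/eventlog.dll": ORIGINAL,
        "WINDOWS/system32/drivers/usbaudio.sys": PATCHED,  # not on the watch list, so ignored
    }
    for rel, data in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return [str(Path(base) / "WINDOWS")]


def demo() -> Tuple[Dict[str, List[Copy]], Dict[str, List[Copy]]]:
    """Build the demo tree in a temp dir, compare, clean up; returns (copies, mismatches)."""
    base = tempfile.mkdtemp()
    try:
        copies = collect_copies(make_demo_tree(base))
        return copies, find_mismatches(copies)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    import sys
    copies = collect_copies(sys.argv[1:]) if len(sys.argv) > 1 else demo()[0]
    bad = find_mismatches(copies)
    for name, entries in sorted(copies.items()):
        print("%-14s %s" % (name, "DIFFERS" if name in bad else "ok"))
        for path, size, md5, _sha in entries:
            print("    %8d  %s  %s" % (size, md5, path))
```

Run it with no arguments to see the demo, or as `python md5_crosscheck.py C:\WINDOWS` (assumed file name) to walk a real Windows directory. The demo keeps the patched and original sizes identical on purpose, so a size-only comparison from the DDS file listing would miss it; hashes are what the helper is after. Two caveats: a kernel-mode rootkit that filters file reads can hand a user-mode reader the original bytes, so a clean result from inside the running system does not overrule GMER's output, and hashing from a boot CD sidesteps that; and MD5 is used here only to match OTL's report format, with SHA-256 alongside it because MD5 collisions are practical.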

Got the OTL to finish; however, GMER still runs for about 50 min., then I get a blue screen and the computer reboots. Here are the OTL files. Thanks!

OTL logfile created on: 1/31/2010 12:24:56 PM - Run 1

OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Jimmy Yarbrough\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 365.00 Mb Available Physical Memory | 36.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 73.00% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 65.22 Gb Total Space | 14.13 Gb Free Space | 21.67% Space Free | Partition Type: NTFS

Drive D: | 8.29 Gb Total Space | 1.32 Gb Free Space | 15.88% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: JIMMY

Current User Name: Jimmy Yarbrough

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Jimmy Yarbrough\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe (The Weather Channel Interactive, Inc.)

PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)

PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)

PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\McAfee\MSK\msksrver.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\McAfee\MSM\McSmtFwk.exe (McAfee, Inc.)

PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

PRC - C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\Motive\McciCMService.exe (Motive Communications, Inc.)

PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

PRC - C:\Program Files\Windows Media Player\wmplayer.exe (Microsoft Corporation)

PRC - C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)

PRC - C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe (Hewlett-Packard )

PRC - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (Hewlett-Packard Development Company, L.P.)

PRC - C:\Program Files\HPQ\Shared\HpqToaster.exe ()

PRC - C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Development Company, L.P.)

PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)

PRC - C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

PRC - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)

PRC - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe ()

PRC - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe ()

PRC - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (Broadcom Corporation.)

PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)

PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)

PRC - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Jimmy Yarbrough\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (gupdate) Google Update Service (gupdate) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)

SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)

SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)

SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

SRV - (MSK80Service) -- C:\Program Files\McAfee\MSK\MskSrver.exe (McAfee, Inc.)

SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

SRV - (SNMP) -- C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)

SRV - (McciCMService) -- C:\Program Files\Common Files\Motive\McciCMService.exe (Motive Communications, Inc.)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

SRV - (hpqwmiex) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (Hewlett-Packard Development Company, L.P.)

SRV - (LightScribeService) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)

SRV - (USBDeviceService) -- C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe ()

SRV - (btwdins) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (Broadcom Corporation.)

SRV - (hpqwmi) -- C:\Program Files\HPQ\Shared\hpqwmi.exe (Hewlett-Packard Development Company, L.P.)

SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)

SRV - (LPDSVC) -- C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)

SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)

DRV - (AX88772) -- C:\WINDOWS\system32\drivers\ax88772.sys (ASIX Electronics Corp.)

DRV - (USBAAPL) -- C:\WINDOWS\system32\drivers\usbaapl.sys (Apple, Inc.)

DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)

DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)

DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)

DRV - (usb_rndisx) -- C:\WINDOWS\system32\drivers\usb8023x.sys (Microsoft Corporation)

DRV - (61883) -- C:\WINDOWS\system32\drivers\61883.sys (Microsoft Corporation)

DRV - (Avc) -- C:\WINDOWS\system32\drivers\avc.sys (Microsoft Corporation)

DRV - (MSDV) -- C:\WINDOWS\system32\drivers\msdv.sys (Microsoft Corporation)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))

DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))

DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

DRV - (MCSTRM) -- C:\WINDOWS\system32\drivers\mcstrm.sys (RealNetworks, Inc.)

DRV - (xnacc) -- C:\WINDOWS\system32\drivers\xnacc.sys (Microsoft Corporation)

DRV - (w39n51) Intel® -- C:\WINDOWS\system32\drivers\w39n51.sys (Intel


Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

====================

Download TDSSKiller and save it to your Desktop.

  • Right-click on the file and choose Extract All, extract the file to your desktop, then run it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log


Here is the TDSS log:

17:48:58:276 2628 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25

17:48:58:276 2628 ================================================================================

17:48:58:276 2628 SystemInfo:

17:48:58:276 2628 OS Version: 5.1.2600 ServicePack: 3.0

17:48:58:276 2628 Product type: Workstation

17:48:58:276 2628 ComputerName: JIMMY

17:48:58:276 2628 UserName: Jimmy Yarbrough

17:48:58:276 2628 Windows directory: C:\WINDOWS

17:48:58:276 2628 Processor architecture: Intel x86

17:48:58:276 2628 Number of processors: 2

17:48:58:276 2628 Page size: 0x1000

17:48:58:276 2628 Boot type: Normal boot

17:48:58:276 2628 ================================================================================

17:48:58:291 2628 UnloadDriverW: NtUnloadDriver error 2

17:48:58:291 2628 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

17:48:58:291 2628 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

17:48:58:447 2628 UtilityInit: KLMD drop and load success

17:48:58:447 2628 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)

17:48:58:447 2628 UtilityInit: KLMD open success

17:48:58:447 2628 UtilityInit: Initialize success

17:48:58:447 2628

17:48:58:447 2628 Scanning Services ...

17:48:58:447 2628 CreateRegParser: Registry parser init started

17:48:58:447 2628 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127

17:48:58:447 2628 CreateRegParser: DisableWow64Redirection error

17:48:58:447 2628 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

17:48:58:447 2628 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043

17:48:58:447 2628 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

17:48:58:447 2628 wfopen_ex: Trying to KLMD file open

17:48:58:447 2628 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system

17:48:58:447 2628 wfopen_ex: File opened ok (Flags 2)

17:48:58:447 2628 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: A549C0

17:48:58:447 2628 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

17:48:58:447 2628 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043

17:48:58:447 2628 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

17:48:58:447 2628 wfopen_ex: Trying to KLMD file open

17:48:58:447 2628 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software

17:48:58:447 2628 wfopen_ex: File opened ok (Flags 2)

17:48:58:447 2628 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: A54A68

17:48:58:447 2628 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127

17:48:58:447 2628 CreateRegParser: EnableWow64Redirection error

17:48:58:447 2628 CreateRegParser: RegParser init completed

17:48:58:729 2628 GetAdvancedServicesInfo: Raw services enum returned 404 services

17:48:58:729 2628 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

17:48:58:729 2628 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

17:48:58:729 2628

17:48:58:729 2628 Scanning Kernel memory ...

17:48:58:729 2628 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk

17:48:58:729 2628 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86D4CA48

17:48:58:729 2628 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects

17:48:58:729 2628

17:48:58:729 2628 DetectCureTDL3: DEVICE_OBJECT: 86D448A0

17:48:58:729 2628 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86D448A0

17:48:58:729 2628 KLMD_ReadMem: Trying to ReadMemory 0x86D448A0[0x38]

17:48:58:729 2628 DetectCureTDL3: DRIVER_OBJECT: 86D4CA48

17:48:58:729 2628 KLMD_ReadMem: Trying to ReadMemory 0x86D4CA48[0xA8]

17:48:58:729 2628 KLMD_ReadMem: Trying to ReadMemory 0xE184C668[0x18]

17:48:58:729 2628 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

17:48:58:729 2628 DetectCureTDL3: IrpHandler (0) addr: F7696BB0

17:48:58:729 2628 DetectCureTDL3: IrpHandler (1) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (2) addr: F7696BB0

17:48:58:729 2628 DetectCureTDL3: IrpHandler (3) addr: F7690D1F

17:48:58:729 2628 DetectCureTDL3: IrpHandler (4) addr: F7690D1F

17:48:58:729 2628 DetectCureTDL3: IrpHandler (5) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (6) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (7) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (8) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (9) addr: F76912E2

17:48:58:729 2628 DetectCureTDL3: IrpHandler (10) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (11) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (12) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (13) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (14) addr: F76913BB

17:48:58:729 2628 DetectCureTDL3: IrpHandler (15) addr: F7694F28

17:48:58:729 2628 DetectCureTDL3: IrpHandler (16) addr: F76912E2

17:48:58:729 2628 DetectCureTDL3: IrpHandler (17) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (18) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (19) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (20) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (21) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (22) addr: F7692C82

17:48:58:729 2628 DetectCureTDL3: IrpHandler (23) addr: F769799E

17:48:58:729 2628 DetectCureTDL3: IrpHandler (24) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (25) addr: 804F4562

17:48:58:729 2628 DetectCureTDL3: IrpHandler (26) addr: 804F4562

17:48:58:729 2628 TDL3_FileDetect: Processing driver: Disk

17:48:58:729 2628 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

17:48:58:729 2628 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

17:48:58:744 2628 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:48:58:744 2628

17:48:58:744 2628 DetectCureTDL3: DEVICE_OBJECT: 86D44C68

17:48:58:744 2628 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86D44C68

17:48:58:744 2628 KLMD_ReadMem: Trying to ReadMemory 0x86D44C68[0x38]

17:48:58:744 2628 DetectCureTDL3: DRIVER_OBJECT: 86D4CA48

17:48:58:744 2628 KLMD_ReadMem: Trying to ReadMemory 0x86D4CA48[0xA8]

17:48:58:744 2628 KLMD_ReadMem: Trying to ReadMemory 0xE184C668[0x18]

17:48:58:744 2628 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

17:48:58:744 2628 DetectCureTDL3: IrpHandler (0) addr: F7696BB0

17:48:58:744 2628 DetectCureTDL3: IrpHandler (1) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (2) addr: F7696BB0

17:48:58:744 2628 DetectCureTDL3: IrpHandler (3) addr: F7690D1F

17:48:58:744 2628 DetectCureTDL3: IrpHandler (4) addr: F7690D1F

17:48:58:744 2628 DetectCureTDL3: IrpHandler (5) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (6) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (7) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (8) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (9) addr: F76912E2

17:48:58:744 2628 DetectCureTDL3: IrpHandler (10) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (11) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (12) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (13) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (14) addr: F76913BB

17:48:58:744 2628 DetectCureTDL3: IrpHandler (15) addr: F7694F28

17:48:58:744 2628 DetectCureTDL3: IrpHandler (16) addr: F76912E2

17:48:58:744 2628 DetectCureTDL3: IrpHandler (17) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (18) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (19) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (20) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (21) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (22) addr: F7692C82

17:48:58:744 2628 DetectCureTDL3: IrpHandler (23) addr: F769799E

17:48:58:744 2628 DetectCureTDL3: IrpHandler (24) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (25) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (26) addr: 804F4562

17:48:58:744 2628 TDL3_FileDetect: Processing driver: Disk

17:48:58:744 2628 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

17:48:58:744 2628 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

17:48:58:744 2628 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:48:58:744 2628

17:48:58:744 2628 DetectCureTDL3: DEVICE_OBJECT: 86D44030

17:48:58:744 2628 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86D44030

17:48:58:744 2628 KLMD_ReadMem: Trying to ReadMemory 0x86D44030[0x38]

17:48:58:744 2628 DetectCureTDL3: DRIVER_OBJECT: 86D4CA48

17:48:58:744 2628 KLMD_ReadMem: Trying to ReadMemory 0x86D4CA48[0xA8]

17:48:58:744 2628 KLMD_ReadMem: Trying to ReadMemory 0xE184C668[0x18]

17:48:58:744 2628 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

17:48:58:744 2628 DetectCureTDL3: IrpHandler (0) addr: F7696BB0

17:48:58:744 2628 DetectCureTDL3: IrpHandler (1) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (2) addr: F7696BB0

17:48:58:744 2628 DetectCureTDL3: IrpHandler (3) addr: F7690D1F

17:48:58:744 2628 DetectCureTDL3: IrpHandler (4) addr: F7690D1F

17:48:58:744 2628 DetectCureTDL3: IrpHandler (5) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (6) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (7) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (8) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (9) addr: F76912E2

17:48:58:744 2628 DetectCureTDL3: IrpHandler (10) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (11) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (12) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (13) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (14) addr: F76913BB

17:48:58:744 2628 DetectCureTDL3: IrpHandler (15) addr: F7694F28

17:48:58:744 2628 DetectCureTDL3: IrpHandler (16) addr: F76912E2

17:48:58:744 2628 DetectCureTDL3: IrpHandler (17) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (18) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (19) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (20) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (21) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (22) addr: F7692C82

17:48:58:744 2628 DetectCureTDL3: IrpHandler (23) addr: F769799E

17:48:58:744 2628 DetectCureTDL3: IrpHandler (24) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (25) addr: 804F4562

17:48:58:744 2628 DetectCureTDL3: IrpHandler (26) addr: 804F4562

17:48:58:744 2628 TDL3_FileDetect: Processing driver: Disk

17:48:58:744 2628 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

17:48:58:744 2628 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

17:48:58:744 2628 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:48:58:744 2628

17:48:58:744 2628 DetectCureTDL3: DEVICE_OBJECT: 86D7DAB8

17:48:58:760 2628 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86D7DAB8

17:48:58:760 2628 DetectCureTDL3: DEVICE_OBJECT: 86D30A28

17:48:58:760 2628 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86D30A28

17:48:58:760 2628 DetectCureTDL3: DEVICE_OBJECT: 86D46030

17:48:58:760 2628 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86D46030

17:48:58:760 2628 KLMD_ReadMem: Trying to ReadMemory 0x86D46030[0x38]

17:48:58:760 2628 DetectCureTDL3: DRIVER_OBJECT: 861149D0

17:48:58:760 2628 KLMD_ReadMem: Trying to ReadMemory 0x861149D0[0xA8]

17:48:58:760 2628 KLMD_ReadMem: Trying to ReadMemory 0x86D4A030[0x38]

17:48:58:760 2628 KLMD_ReadMem: Trying to ReadMemory 0x86D67318[0xA8]

17:48:58:760 2628 KLMD_ReadMem: Trying to ReadMemory 0xE1837A40[0x1C]

17:48:58:760 2628 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor

17:48:58:760 2628 DetectCureTDL3: IrpHandler (0) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (1) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (2) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (3) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (4) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (5) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (6) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (7) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (8) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (9) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (10) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (11) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (12) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (13) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (14) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (15) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (16) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (17) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (18) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (19) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (20) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (21) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (22) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (23) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (24) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (25) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: IrpHandler (26) addr: 86D1050C

17:48:58:760 2628 DetectCureTDL3: All IRP handlers pointed to one addr: 86D1050C

17:48:58:760 2628 KLMD_ReadMem: Trying to ReadMemory 0x86D1050C[0x400]

17:48:58:760 2628 TDL3_IrpHookDetect: CheckParameters: 7, FFDF0308, 457, 99, 3, 88

17:48:58:760 2628 Driver "iaStor" Irp handler infected by TDSS rootkit ... 17:48:58:760 2628 KLMD_WriteMem: Trying to WriteMemory 0x86D1056F[0xD]

17:48:58:760 2628 cured

17:48:58:760 2628 TDL3_FileDetect: Processing driver: iaStor

17:48:58:760 2628 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\iaStor.sys

17:48:58:760 2628 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\iaStor.sys

17:48:58:791 2628 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\iaStor.sys - Verdict: Infected

17:48:58:791 2628 File C:\WINDOWS\system32\DRIVERS\iaStor.sys infected by TDSS rootkit ... 17:48:58:791 2628 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\iaStor.sys

17:48:58:791 2628 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3

17:48:58:791 2628 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab

17:48:58:869 2628 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab

17:48:58:885 2628 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab

17:48:58:901 2628 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3

17:48:59:213 2628 TDL3_FileCure: Backup copy not found, trying to cure infected file..

17:48:59:213 2628 TDL3_FileCure: Cure success, using it..

17:48:59:213 2628 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk79.tmp

17:48:59:244 2628 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk79.tmp, system32\drivers\iaStor.sys)

17:48:59:244 2628 TDL3_FileCure: KLMD jobs schedule success

17:48:59:244 2628 will be cured on next reboot

17:48:59:244 2628 UtilityBootReinit: Reboot required for cure complete..

17:48:59:244 2628 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000

17:48:59:322 2628 UtilityBootReinit: KLMD drop success

17:48:59:322 2628 KLMD_ApplyPendList: Pending buffer(32CE_5731, 608) dropped successfully

17:48:59:322 2628 UtilityBootReinit: Cure on reboot scheduled successfully

17:48:59:322 2628

17:48:59:322 2628 Completed

17:48:59:322 2628

17:48:59:322 2628 Results:

17:48:59:322 2628 Memory objects infected / cured / cured on reboot: 1 / 1 / 0

17:48:59:322 2628 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

17:48:59:322 2628 File objects infected / cured / cured on reboot: 1 / 0 / 1

17:48:59:322 2628

17:48:59:322 2628 UnloadDriverW: NtUnloadDriver error 1

17:48:59:322 2628 KLMD_Unload: UnloadDriverW(klmd21) error 1

17:48:59:338 2628 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

17:48:59:338 2628 UtilityDeinit: KLMD(ARK) unloaded successfully

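The TDSSKiller log above flags iaStor on one observable rule: every one of its 27 IRP dispatch entries resolves to the same address ("All IRP handlers pointed to one addr: 86D1050C"), and that address sits in the same 86Dxxxxx range as the DEVICE_OBJECT and DRIVER_OBJECT structures the tool read, not in the F769xxxx range where the disk.sys handlers live. Note that repeated addresses alone are not the signal: the clean disk.sys table also repeats 804F4562 across many entries. The Python script below is an added example, not part of this thread and not TDSSKiller's own code; it parses log lines in the format shown and reproduces the "all handlers identical" heuristic per driver, alongside the file verdicts. The sample lines are constructed to mirror the posted log (three handlers per driver instead of the real 27), and the regex and function names are the example's own.

```python
"""Parse TDSSKiller-style log lines and reproduce the IRP-dispatch heuristic
visible in the posted log: a driver whose IRP handlers all resolve to one
address is flagged, as the tool did for iaStor. Added example; the sample
log below is constructed to match the thread's format, not the real file."""
import re

# Constructed sample: a clean driver whose handlers are spread across its own
# image, and a driver whose every handler points at a single address.
SAMPLE_LOG = """\
17:48:58:729 2628 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
17:48:58:729 2628 DetectCureTDL3: IrpHandler (0) addr: F7696BB0
17:48:58:729 2628 DetectCureTDL3: IrpHandler (1) addr: 804F4562
17:48:58:729 2628 DetectCureTDL3: IrpHandler (2) addr: F7696BB0
17:48:58:744 2628 TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: Clean
17:48:58:760 2628 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\iaStor, Driver Name: iaStor
17:48:58:760 2628 DetectCureTDL3: IrpHandler (0) addr: 86D1050C
17:48:58:760 2628 DetectCureTDL3: IrpHandler (1) addr: 86D1050C
17:48:58:760 2628 DetectCureTDL3: IrpHandler (2) addr: 86D1050C
17:48:58:791 2628 TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\iaStor.sys - Verdict: Infected
"""

# Every line starts with "HH:MM:SS:mmm <pid> <message>".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3}) (\d+) (.*)$")
DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
HANDLER_RE = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-F]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\w+)")


def parse_log(text):
    """Return {driver_name: {"object", "handlers": {index: addr}, "file", "verdict"}}.

    A new DRIVER_OBJECT line starts a fresh handler table for that driver, so a
    driver that appears several times (as Disk does in the real log, once per
    device object) keeps only its most recent table.
    """
    drivers = {}
    current = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(3)
        dm = DRIVER_RE.search(msg)
        if dm:
            current = dm.group(2)
            drivers[current] = {"object": dm.group(1), "handlers": {},
                                "file": None, "verdict": None}
            continue
        hm = HANDLER_RE.search(msg)
        if hm and current is not None:
            drivers[current]["handlers"][int(hm.group(1))] = hm.group(2)
            continue
        vm = VERDICT_RE.search(msg)
        if vm and current is not None:
            drivers[current]["file"] = vm.group(1)
            drivers[current]["verdict"] = vm.group(2)
    return drivers


def all_handlers_same(handlers):
    """True when a non-empty dispatch table collapses to a single address."""
    return len(handlers) > 0 and len(set(handlers.values())) == 1


def suspicious_drivers(drivers):
    """List (driver, address) pairs whose whole IRP table points at one address."""
    return [(name, next(iter(info["handlers"].values())))
            for name, info in drivers.items()
            if all_handlers_same(info["handlers"])]


def report(text):
    """Human-readable summary combining the memory heuristic and file verdicts."""
    drivers = parse_log(text)
    flagged = dict(suspicious_drivers(drivers))
    lines = []
    for name, info in drivers.items():
        note = f"ALL {len(info['handlers'])} handlers -> {flagged[name]}" if name in flagged \
            else f"{len(set(info['handlers'].values()))} distinct handler addresses"
        lines.append(f"{name:8} file verdict: {info['verdict'] or 'n/a':9} {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real TDSSKiller log the function `parse_log` yields one entry per driver and `suspicious_drivers` lists the ones the tool's "All IRP handlers pointed to one addr" line would accompany; the file verdict is kept separately because, as in this thread, the memory hook and the on-disk infection are reported as two results (1 memory object cured, 1 file object cured on reboot).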

Update Run Malwarebytes

Please update and run Malwarebytes' Anti-Malware.

Double-click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Here is the Malwarebytes log. When trying to download the ESET test I got this from the link I clicked on:

"Fatal error: Call to undefined function getLinkedPagesList() in /htdocs/buxus/includes/generate_functions.php(96) : eval()'d code on line 1290"

Malwarebytes' Anti-Malware 1.44

Database version: 3671

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/1/2010 8:05:24 AM

mbam-log-2010-02-01 (08-05-24).txt

Scan type: Quick Scan

Objects scanned: 123716

Time elapsed: 13 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


OK, please try this one then:

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Here is the ESET Log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=e9903035e8b55446a5bffa9b8e065c9e

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-02-01 03:01:45

# local_time=2010-02-01 10:01:45 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=5121 16776533 100 96 1428056 17035659 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=120375

# found=0

# cleaned=0

# scan_time=5992


Please submit the following file to one of these online file scanners.

(All you have to do is copy and paste the file path into the box when you click on Browse; once you have done that, click on the Open button, then Submit.)

C:\WINDOWS\system32\qrqyum.dll

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.


Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Files
    C:\WINDOWS\system32\qrqyum.dll

    :Commands
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

==========

  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the below in bold


    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.


This topic is now closed to further replies.