
I've followed the initial steps, seems like I've got all kinds of problems. I do want to note a couple of items before starting:

1. After running a Malwarebytes scan and removing checked items, after the reboot I can no longer boot up in Safe Mode. All 3 Safe Mode options now give me the blue screen of death, after a bunch of lines saying something in regards to partitioning the hard drive or something. I just wanted to point that out in case a suggested step requires me to be in safe mode. Weird thing is, I can boot normally into Windows (which I am now doing). Just not safe mode.

2. When running the GMER Rootkit Scanner, it seems to run normally. I've tried it twice, and both times after over an hour I have to leave the computer and have come back to find that my computer has restarted itself (it's on the Windows login screen). Thus, I'm posting the GMER log from the quick scan it performs when you open the program, but haven't been able to successfully run the full scan because of the above issue. I will try again after making this post, but does that seem normal (does it reboot if idle after a scan with the GMER Rootkit Scanner)?

That said, here we go. Thanks in advance for any help -

DDS.txt copy and paste:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Raynes at 9:02:36.67 on Sat 02/13/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2413 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Windows Live OneCare *On-access scanning disabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}

FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Windows OneCare Live\winss.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\stsystra.exe

C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE

C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Raynes\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dell4me.com/myway

uInternet Settings,ProxyServer = proxy2.chapman.edu:3128

uInternet Settings,ProxyOverride = <local>;*.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [steam] "c:\program files\steam\Steam.exe" -silent

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\ATIPTAXX.EXE

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [DXDllRegExe] dxdllreg.exe

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\raynes\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg311v3\wlancfg5.exe

mPolicies-system: EnableLUA = 0 (0x0)

dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: buy-internetsecurity10.com

Trusted Zone: buy-is2010.com

Trusted Zone: is-software-download.com

Trusted Zone: is-software-download25.com

Trusted Zone: is10-soft-download.com

Trusted Zone: buy-internetsecurity10.com

Trusted Zone: buy-is2010.com

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/1.0.0971.8/WinSSWebAgent.CAB

DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab

DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/21.13/uploader2.cab

DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Risk/Images/armhelper.ocx

DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://gameadvisor.futuremark.com/global/msc37.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

AppInit_DLLs: volorume.dll c:\windows\system32\kelarozo.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: hikeputaf - {f00f77dc-b017-40ac-88ee-d3f79f2aee3b} - c:\windows\system32\kelarozo.dll

STS: gahurihor: {f00f77dc-b017-40ac-88ee-d3f79f2aee3b} - c:\windows\system32\kelarozo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\raynes\applic~1\mozilla\firefox\profiles\v0yusxk9.default\

FF - prefs.js: browser.search.selectedEngine - weather.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox

FF - plugin: c:\documents and settings\raynes\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\raynes\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\documents and settings\raynes\application data\move networks\plugins\npqmp071705000014.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-12 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-12 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-12 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-12 55656]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-3-22 24936]

S3 ATICDSDr;ATICDSDr;c:\program files\ati technologies\ati control panel\atiicdxx.sys [2005-12-5 6144]

S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2007-2-5 175232]

S3 ATICXTUN;ATI TV Wonder 200 Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2007-2-5 29184]

S3 ATICXXBR;ATI TV Wonder 200 A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2007-2-5 9088]

S3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2008-3-1 53168]

=============== Created Last 30 ================

2010-02-13 17:01:38 0 ----a-w- c:\documents and settings\raynes\defogger_reenable

2010-02-13 15:58:54 0 ----a-w- c:\windows\system32\18716.exe

2010-02-13 15:38:54 0 ----a-w- c:\windows\system32\17421.exe

2010-02-13 15:18:54 0 ----a-w- c:\windows\system32\12382.exe

2010-02-13 14:58:54 0 ----a-w- c:\windows\system32\292.exe

2010-02-13 14:38:54 0 ----a-w- c:\windows\system32\153.exe

2010-02-13 14:18:54 0 ----a-w- c:\windows\system32\3902.exe

2010-02-13 13:58:54 0 ----a-w- c:\windows\system32\14604.exe

2010-02-13 13:38:54 0 ----a-w- c:\windows\system32\32391.exe

2010-02-13 13:18:54 0 ----a-w- c:\windows\system32\5436.exe

2010-02-13 12:58:54 0 ----a-w- c:\windows\system32\4827.exe

2010-02-13 12:38:54 0 ----a-w- c:\windows\system32\11942.exe

2010-02-13 12:18:54 0 ----a-w- c:\windows\system32\2995.exe

2010-02-13 11:58:54 0 ----a-w- c:\windows\system32\491.exe

2010-02-13 11:38:54 0 ----a-w- c:\windows\system32\9961.exe

2010-02-13 11:18:54 0 ----a-w- c:\windows\system32\16827.exe

2010-02-13 10:58:54 0 ----a-w- c:\windows\system32\23281.exe

2010-02-13 10:38:54 0 ----a-w- c:\windows\system32\28145.exe

2010-02-13 10:18:54 0 ----a-w- c:\windows\system32\5705.exe

2010-02-13 09:58:54 0 ----a-w- c:\windows\system32\24464.exe

2010-02-13 09:38:54 0 ----a-w- c:\windows\system32\26962.exe

2010-02-13 09:18:54 0 ----a-w- c:\windows\system32\29358.exe

2010-02-13 08:58:54 0 ----a-w- c:\windows\system32\11478.exe

2010-02-13 08:38:54 0 ----a-w- c:\windows\system32\15724.exe

2010-02-13 06:49:45 0 ----a-w- c:\windows\system32\19169.exe

2010-02-13 06:29:45 0 ----a-w- c:\windows\system32\26500.exe

2010-02-13 06:09:45 0 ----a-w- c:\windows\system32\6334.exe

2010-02-13 05:49:45 0 ----a-w- c:\windows\system32\18467.exe

2010-02-13 03:55:55 0 d-----w- c:\docume~1\raynes\applic~1\Malwarebytes

2010-02-13 03:54:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-13 03:54:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-02-13 03:54:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-13 03:54:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-13 03:44:20 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-02-13 03:44:17 0 d-----w- c:\program files\Avira

2010-02-13 03:44:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

==================== Find3M ====================

2010-02-13 04:08:33 29231 ----a-w- c:\windows\hpoins03.dat

2010-01-01 01:39:16 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2006-03-15 22:19:34 212992 ----a-w- c:\windows\inf\wg311v3\CopyWHQLDriver.exe

2006-01-27 01:55:10 280576 ----a-w- c:\windows\inf\wg311v3\WG311v3.sys

2005-12-06 02:28:30 3673932 ------w- c:\program files\Dec2005_MDX1_x86_Archive.cab

2005-12-06 02:28:04 1358864 ------w- c:\program files\Dec2005_d3dx9_28_x64.cab

2005-12-06 02:28:02 86925 ------w- c:\program files\Oct2005_xinput_x64.cab

2005-12-06 02:28:02 46247 ------w- c:\program files\Oct2005_xinput_x86.cab

2005-12-06 02:28:02 41888 ------w- c:\program files\dxdllreg_x86.cab

2005-12-06 02:28:00 916806 ------w- c:\program files\Dec2005_MDX1_x86.cab

2005-12-06 02:27:58 1080344 ------w- c:\program files\Dec2005_d3dx9_28_x86.cab

2005-10-06 23:17:34 280576 ----a-w- c:\windows\inf\wg311v3\WG311v3XP.sys

2001-11-10 10:49:46 113480648 ----a-w- c:\program files\rsb.uha

2001-11-10 10:23:46 15873229 ----a-w- c:\program files\myth.pak

2001-09-29 05:16:24 19748 ----a-w- c:\program files\ReadMe.txt

2001-09-21 01:42:44 3434 ----a-w- c:\program files\IgorHelp.txt

2001-09-19 04:24:56 31678 ----a-r- c:\program files\IgorScripting.txt

2001-09-19 04:24:56 24708 ----a-r- c:\program files\ike.sdf

1998-09-01 23:28:18 297984 ----a-w- c:\program files\myth.acm

2007-10-05 02:06:39 104 --sh--r- c:\windows\system32\5D2E710AE2.sys

2007-10-05 02:06:39 4288 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 9:04:14.93 ===============

I'll attempt to attach the zip file and Malware Log.

mbam_log_2010_02_13__08_07_35_.txt

attach.zip


Hi, chackattack :D

;)

Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field (make sure you include the quote marks), then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.


The contents of the txt file are as follows:

17:37:46:187 2064 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00

17:37:46:187 2064 ================================================================================

17:37:46:187 2064 SystemInfo:

17:37:46:187 2064 OS Version: 5.1.2600 ServicePack: 3.0

17:37:46:187 2064 Product type: Workstation

17:37:46:187 2064 ComputerName: PIRATE

17:37:46:187 2064 UserName: Raynes

17:37:46:187 2064 Windows directory: C:\WINDOWS

17:37:46:187 2064 Processor architecture: Intel x86

17:37:46:187 2064 Number of processors: 2

17:37:46:187 2064 Page size: 0x1000

17:37:46:187 2064 Boot type: Normal boot

17:37:46:187 2064 ================================================================================

17:37:46:203 2064 UnloadDriverW: NtUnloadDriver error 2

17:37:46:203 2064 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

17:37:46:234 2064 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

17:37:46:281 2064 UtilityInit: KLMD drop and load success

17:37:46:281 2064 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)

17:37:46:281 2064 UtilityInit: KLMD open success

17:37:46:281 2064 UtilityInit: Initialize success

17:37:46:281 2064

17:37:46:281 2064 Scanning Services ...

17:37:46:281 2064 CreateRegParser: Registry parser init started

17:37:46:281 2064 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127

17:37:46:281 2064 CreateRegParser: DisableWow64Redirection error

17:37:46:281 2064 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

17:37:46:281 2064 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043

17:37:46:281 2064 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

17:37:46:281 2064 wfopen_ex: Trying to KLMD file open

17:37:46:281 2064 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system

17:37:46:281 2064 wfopen_ex: File opened ok (Flags 2)

17:37:46:281 2064 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 274D50

17:37:46:281 2064 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

17:37:46:281 2064 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043

17:37:46:281 2064 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

17:37:46:281 2064 wfopen_ex: Trying to KLMD file open

17:37:46:281 2064 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software

17:37:46:281 2064 wfopen_ex: File opened ok (Flags 2)

17:37:46:281 2064 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 274C40

17:37:46:281 2064 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127

17:37:46:296 2064 CreateRegParser: EnableWow64Redirection error

17:37:46:296 2064 CreateRegParser: RegParser init completed

17:37:46:921 2064 GetAdvancedServicesInfo: Raw services enum returned 384 services

17:37:46:921 2064 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

17:37:46:921 2064 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

17:37:46:921 2064

17:37:46:921 2064 Scanning Kernel memory ...

17:37:46:921 2064 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk

17:37:46:921 2064 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AFFEA08

17:37:46:921 2064 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects

17:37:46:921 2064

17:37:46:921 2064 DetectCureTDL3: DEVICE_OBJECT: 8AFDBC68

17:37:46:921 2064 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AFDBC68

17:37:46:921 2064 KLMD_ReadMem: Trying to ReadMemory 0x8AFDBC68[0x38]

17:37:46:921 2064 DetectCureTDL3: DRIVER_OBJECT: 8AFFEA08

17:37:46:921 2064 KLMD_ReadMem: Trying to ReadMemory 0x8AFFEA08[0xA8]

17:37:46:921 2064 KLMD_ReadMem: Trying to ReadMemory 0xE1978258[0x18]

17:37:46:921 2064 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

17:37:46:921 2064 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0

17:37:46:921 2064 DetectCureTDL3: IrpHandler (1) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0

17:37:46:921 2064 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F

17:37:46:921 2064 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F

17:37:46:921 2064 DetectCureTDL3: IrpHandler (5) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (6) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (7) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (8) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2

17:37:46:921 2064 DetectCureTDL3: IrpHandler (10) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (11) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (12) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (13) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB

17:37:46:921 2064 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28

17:37:46:921 2064 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2

17:37:46:921 2064 DetectCureTDL3: IrpHandler (17) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (18) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (19) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (20) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (21) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82

17:37:46:921 2064 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E

17:37:46:921 2064 DetectCureTDL3: IrpHandler (24) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (25) addr: 804F4562

17:37:46:921 2064 DetectCureTDL3: IrpHandler (26) addr: 804F4562

17:37:46:921 2064 TDL3_FileDetect: Processing driver: Disk

17:37:46:921 2064 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

17:37:46:921 2064 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

17:37:46:953 2064 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:37:46:953 2064

17:37:46:953 2064 DetectCureTDL3: DEVICE_OBJECT: 8B03FC68

17:37:46:953 2064 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B03FC68

17:37:46:953 2064 KLMD_ReadMem: Trying to ReadMemory 0x8B03FC68[0x38]

17:37:46:953 2064 DetectCureTDL3: DRIVER_OBJECT: 8AFFEA08

17:37:46:953 2064 KLMD_ReadMem: Trying to ReadMemory 0x8AFFEA08[0xA8]

17:37:46:953 2064 KLMD_ReadMem: Trying to ReadMemory 0xE1978258[0x18]

17:37:46:953 2064 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

17:37:46:953 2064 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0

17:37:46:953 2064 DetectCureTDL3: IrpHandler (1) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0

17:37:46:953 2064 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F

17:37:46:953 2064 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F

17:37:46:953 2064 DetectCureTDL3: IrpHandler (5) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (6) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (7) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (8) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2

17:37:46:953 2064 DetectCureTDL3: IrpHandler (10) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (11) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (12) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (13) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB

17:37:46:953 2064 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28

17:37:46:953 2064 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2

17:37:46:953 2064 DetectCureTDL3: IrpHandler (17) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (18) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (19) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (20) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (21) addr: 804F4562

17:37:46:953 2064 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82

17:37:46:968 2064 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E

17:37:46:968 2064 DetectCureTDL3: IrpHandler (24) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (25) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (26) addr: 804F4562

17:37:46:968 2064 TDL3_FileDetect: Processing driver: Disk

17:37:46:968 2064 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

17:37:46:968 2064 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

17:37:46:968 2064 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:37:46:968 2064

17:37:46:968 2064 DetectCureTDL3: DEVICE_OBJECT: 8AFE7C68

17:37:46:968 2064 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AFE7C68

17:37:46:968 2064 KLMD_ReadMem: Trying to ReadMemory 0x8AFE7C68[0x38]

17:37:46:968 2064 DetectCureTDL3: DRIVER_OBJECT: 8AFFEA08

17:37:46:968 2064 KLMD_ReadMem: Trying to ReadMemory 0x8AFFEA08[0xA8]

17:37:46:968 2064 KLMD_ReadMem: Trying to ReadMemory 0xE1978258[0x18]

17:37:46:968 2064 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

17:37:46:968 2064 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0

17:37:46:968 2064 DetectCureTDL3: IrpHandler (1) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0

17:37:46:968 2064 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F

17:37:46:968 2064 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F

17:37:46:968 2064 DetectCureTDL3: IrpHandler (5) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (6) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (7) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (8) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2

17:37:46:968 2064 DetectCureTDL3: IrpHandler (10) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (11) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (12) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (13) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB

17:37:46:968 2064 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28

17:37:46:968 2064 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2

17:37:46:968 2064 DetectCureTDL3: IrpHandler (17) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (18) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (19) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (20) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (21) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82

17:37:46:968 2064 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E

17:37:46:968 2064 DetectCureTDL3: IrpHandler (24) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (25) addr: 804F4562

17:37:46:968 2064 DetectCureTDL3: IrpHandler (26) addr: 804F4562

17:37:46:968 2064 TDL3_FileDetect: Processing driver: Disk

17:37:46:968 2064 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

17:37:46:968 2064 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

17:37:46:968 2064 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:37:46:968 2064

17:37:46:968 2064 DetectCureTDL3: DEVICE_OBJECT: 8B045AB8

17:37:46:968 2064 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B045AB8

17:37:46:968 2064 DetectCureTDL3: DEVICE_OBJECT: 8AFECB00

17:37:46:968 2064 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AFECB00

17:37:46:968 2064 KLMD_ReadMem: Trying to ReadMemory 0x8AFECB00[0x38]

17:37:46:968 2064 DetectCureTDL3: DRIVER_OBJECT: 8AF2D910

17:37:46:968 2064 KLMD_ReadMem: Trying to ReadMemory 0x8AF2D910[0xA8]

17:37:46:968 2064 KLMD_ReadMem: Trying to ReadMemory 0x8B049D98[0x38]

17:37:46:968 2064 KLMD_ReadMem: Trying to ReadMemory 0x8AFFFC28[0xA8]

17:37:46:968 2064 KLMD_ReadMem: Trying to ReadMemory 0xE19488D8[0x1A]

17:37:46:968 2064 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi

17:37:46:968 2064 DetectCureTDL3: IrpHandler (0) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (1) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (2) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (3) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (4) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (5) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (6) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (7) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (8) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (9) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (10) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (11) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (12) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (13) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (14) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (15) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (16) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (17) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (18) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (19) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (20) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (21) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (22) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (23) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (24) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (25) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: IrpHandler (26) addr: 8AF6D856

17:37:46:968 2064 DetectCureTDL3: All IRP handlers pointed to one addr: 8AF6D856

17:37:46:968 2064 KLMD_ReadMem: Trying to ReadMemory 0x8AF6D856[0x400]

17:37:46:968 2064 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109

17:37:46:968 2064 Driver "atapi" Irp handler infected by TDSS rootkit ... 17:37:46:968 2064 KLMD_WriteMem: Trying to WriteMemory 0x8AF6D8CF[0xD]

17:37:46:968 2064 cured

17:37:46:968 2064 KLMD_ReadMem: Trying to ReadMemory 0x8AF6D701[0x400]

17:37:46:968 2064 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1

17:37:46:968 2064 Driver "atapi" StartIo handler infected by TDSS rootkit ... 17:37:46:968 2064 TDL3_StartIoHookCure: Number of patches 1

17:37:46:968 2064 KLMD_WriteMem: Trying to WriteMemory 0x8AF6D80A[0x6]

17:37:46:968 2064 cured

17:37:46:968 2064 TDL3_FileDetect: Processing driver: atapi

17:37:46:968 2064 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

17:37:46:968 2064 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys

17:37:46:984 2064 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected

17:37:46:984 2064 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 17:37:46:984 2064 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

17:37:46:984 2064 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3

17:37:47:000 2064 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab

17:37:47:109 2064 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab

17:37:47:125 2064 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab

17:37:47:156 2064 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..

17:37:47:203 2064 CabinetCallback: File extracted successfully: C:\DOCUME~1\Raynes\LOCALS~1\Temp\bckD.tmp

17:37:47:203 2064 ValidateDriverFile: Stage 1 passed

17:37:47:203 2064 ValidateDriverFile: Stage 2 passed

17:37:47:281 2064 DigitalSignVerifyByHandle: Embedded DS result: 800B0100

17:37:47:468 2064 DigitalSignVerifyByHandle: Cat DS result: 00000000

17:37:47:468 2064 ValidateDriverFile: Stage 3 passed

17:37:47:468 2064 CabinetCallback: File validated successfully, restore information prepared

17:37:47:468 2064 FindDriverFileBackup: Backup copy found in cab-file

17:37:47:468 2064 TDL3_FileCure: Backup copy found, using it..

17:37:47:468 2064 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tskE.tmp

17:37:47:500 2064 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskE.tmp, system32\drivers\atapi.sys)

17:37:47:500 2064 TDL3_FileCure: KLMD jobs schedule success

17:37:47:500 2064 will be cured on next reboot

17:37:47:500 2064 UtilityBootReinit: Reboot required for cure complete..

17:37:47:500 2064 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000

17:37:47:500 2064 UtilityBootReinit: KLMD drop success

17:37:47:500 2064 KLMD_ApplyPendList: Pending buffer(311A_1966, 600) dropped successfully

17:37:47:500 2064 UtilityBootReinit: Cure on reboot scheduled successfully

17:37:47:500 2064

17:37:47:500 2064 Completed

17:37:47:500 2064

17:37:47:500 2064 Results:

17:37:47:500 2064 Memory objects infected / cured / cured on reboot: 2 / 2 / 0

17:37:47:500 2064 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

17:37:47:500 2064 File objects infected / cured / cured on reboot: 1 / 0 / 1

17:37:47:500 2064

17:37:47:500 2064 UnloadDriverW: NtUnloadDriver error 1

17:37:47:500 2064 KLMD_Unload: UnloadDriverW(klmd21) error 1

17:37:47:500 2064 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

17:37:47:500 2064 UtilityDeinit: KLMD(ARK) unloaded successfully

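A worked example, added here and not part of the thread or of TDSSKiller itself, of what the log above is recording: the TDL3 family hooks the atapi driver object so that every IRP major-function slot (0 to 26 on XP) points at one stub, and the "All IRP handlers pointed to one addr" line is that check firing. The script parses the posted line formats, applies the same single-address heuristic, and pulls out the file verdict, the two Authenticode results and the cure counters. The regexes, the sample lines and the small HRESULT table are assumptions of ours fitted to this log; the sample keeps only four of the IRP entries.

```python
"""Parse TDSSKiller-style log lines and apply the TDL3 dispatch-table heuristic.
Added example: not TDSSKiller's code; the regexes are ours, fitted to the posted log."""
import re

IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\w+)")
DS_RE = re.compile(r"DigitalSignVerifyByHandle: (Embedded|Cat) DS result: ([0-9A-Fa-f]{8})")
RESULT_RE = re.compile(r"(\w+) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)")

# WinVerifyTrust HRESULTs that appear in the log; a small table of our own.
WINTRUST_CODES = {0x00000000: "OK", 0x800B0100: "TRUST_E_NOSIGNATURE"}

# Constructed sample: a few lines modelled on the TDSSKiller output posted above
# (only four of the 27 IRP_MJ entries are kept to stay short).
SAMPLE_LINES = [
    "17:37:46:968 2064 DetectCureTDL3: IrpHandler (0) addr: 8AF6D856",
    "17:37:46:968 2064 DetectCureTDL3: IrpHandler (1) addr: 8AF6D856",
    "17:37:46:968 2064 DetectCureTDL3: IrpHandler (2) addr: 8AF6D856",
    "17:37:46:968 2064 DetectCureTDL3: IrpHandler (3) addr: 8AF6D856",
    "17:37:46:968 2064 DetectCureTDL3: All IRP handlers pointed to one addr: 8AF6D856",
    r"17:37:46:984 2064 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected",
    "17:37:47:281 2064 DigitalSignVerifyByHandle: Embedded DS result: 800B0100",
    "17:37:47:468 2064 DigitalSignVerifyByHandle: Cat DS result: 00000000",
    "17:37:47:500 2064 will be cured on next reboot",
    "17:37:47:500 2064 Memory objects infected / cured / cured on reboot: 2 / 2 / 0",
    "17:37:47:500 2064 File objects infected / cured / cured on reboot: 1 / 0 / 1",
]


def irp_handlers(lines):
    """IRP major-function index -> dispatch address, as logged by DetectCureTDL3."""
    table = {}
    for line in lines:
        m = IRP_RE.search(line)
        if m:
            table[int(m.group(1))] = m.group(2).upper()
    return table


def single_dispatch_address(table):
    """The TDL3 tell: every IRP_MJ_* slot of the hooked driver object points at the
    same stub. Return that address, or None if the table is empty or holds several
    distinct addresses. Some legitimate drivers also route every major function
    through one routine, which is why TDSSKiller then reads the code at that
    address (KLMD_ReadMem / TDL3_IrpHookDetect) before calling it infected."""
    addrs = set(table.values())
    return addrs.pop() if len(addrs) == 1 else None


def file_verdicts(lines):
    return [(m.group(1), m.group(2)) for m in map(VERDICT_RE.search, lines) if m]


def signature_results(lines):
    """Embedded vs. catalog Authenticode checks. An XP in-box driver such as atapi.sys
    has no embedded signature (TRUST_E_NOSIGNATURE) but is covered by a Microsoft
    catalog (OK); that pair is what a clean replacement copy should show."""
    out = {}
    for line in lines:
        m = DS_RE.search(line)
        if m:
            code = int(m.group(2), 16)
            out[m.group(1)] = WINTRUST_CODES.get(code, "0x%08X" % code)
    return out


def cure_summary(lines):
    """Object class -> (infected, cured, cured on reboot)."""
    return {m.group(1): tuple(int(x) for x in m.groups()[1:])
            for m in map(RESULT_RE.search, lines) if m}


def triage(lines):
    table = irp_handlers(lines)
    return {
        "irp_entries": len(table),
        "single_dispatch": single_dispatch_address(table),
        "verdicts": file_verdicts(lines),
        "signatures": signature_results(lines),
        "summary": cure_summary(lines),
        "reboot_pending": any("cured on next reboot" in line for line in lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The heuristic alone is not proof: a simple filter driver can legitimately send all major functions through one routine, which is why the log goes on to read the code at 8AF6D856 before calling atapi infected. The signature pair is also worth knowing: 800B0100 is TRUST_E_NOSIGNATURE, expected for an in-box XP driver with no embedded signature, and the catalog check returning 0 is what vouches for the copy restored from the cab.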

Super!

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


I'm posting from my work laptop... combofix is asking if I want to install Microsoft Windows Recovery Console, as my machine does not have it installed. Should I click YES to download/install it, or click NO?

Please advise.

It is recommended that you install the Recovery Console. New trends of infections may require the use of it.

Here is some information.

http://www.bleepingcomputer.com/tutorials/tutorial117.html


Thanks. Here's the log from ComboFix:

ComboFix 10-02-12.01 - Raynes 02/14/2010 9:53.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2394 [GMT -8:00]

Running from: c:\documents and settings\Raynes\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Windows Live OneCare *On-access scanning disabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}

FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\11478.exe

c:\windows\system32\11942.exe

c:\windows\system32\12382.exe

c:\windows\system32\14604.exe

c:\windows\system32\153.exe

c:\windows\system32\15724.exe

c:\windows\system32\16827.exe

c:\windows\system32\17421.exe

c:\windows\system32\18467.exe

c:\windows\system32\18716.exe

c:\windows\system32\19169.exe

c:\windows\system32\23281.exe

c:\windows\system32\24464.exe

c:\windows\system32\26500.exe

c:\windows\system32\26962.exe

c:\windows\system32\28145.exe

c:\windows\system32\292.exe

c:\windows\system32\29358.exe

c:\windows\system32\2995.exe

c:\windows\system32\32391.exe

c:\windows\system32\3902.exe

c:\windows\system32\4827.exe

c:\windows\system32\491.exe

c:\windows\system32\5436.exe

c:\windows\system32\5705.exe

c:\windows\system32\6334.exe

c:\windows\system32\9961.exe

c:\windows\system32\bszip.dll

c:\windows\system32\twain_32.dll

c:\windows\Tasks\abfsghsz.job

.

((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))

.

2010-02-13 04:46 . 2010-01-08 00:07 236368 ----a-w- c:\documents and settings\Raynes\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbamservice.exe

2010-02-13 04:46 . 2010-01-08 00:07 429392 ----a-w- c:\documents and settings\Raynes\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe

2010-02-13 04:46 . 2010-01-08 00:07 46416 ----a-w- c:\documents and settings\Raynes\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\ssubtmr6.dll

2010-02-13 04:46 . 2010-01-08 00:07 79696 ----a-w- c:\documents and settings\Raynes\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\zlib.dll

2010-02-13 04:46 . 2010-02-13 04:46 702288 ----a-w- c:\documents and settings\Raynes\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\unins000.exe

2010-02-13 04:46 . 2010-01-08 00:07 167760 ----a-w- c:\documents and settings\Raynes\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam.dll

2010-02-13 04:46 . 2010-01-08 00:07 84816 ----a-w- c:\documents and settings\Raynes\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbamext.dll

2010-02-13 03:55 . 2010-02-13 03:55 -------- d-----w- c:\documents and settings\Raynes\Application Data\Malwarebytes

2010-02-13 03:54 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-13 03:54 . 2010-02-13 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-13 03:54 . 2010-02-13 04:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-13 03:54 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-13 03:44 . 2010-02-14 01:05 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-02-13 03:44 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-02-13 03:44 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-02-13 03:44 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-02-13 03:44 . 2010-02-13 03:44 -------- d-----w- c:\program files\Avira

2010-02-13 03:44 . 2010-02-13 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-01-28 04:02 . 2010-01-28 04:02 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-14 04:42 . 2009-05-14 23:45 -------- d-----w- c:\program files\Steam

2010-02-14 01:39 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-02-13 05:34 . 2008-03-01 18:58 -------- d-----w- c:\program files\Microsoft Windows OneCare Live

2010-02-13 05:28 . 2006-09-26 01:35 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-13 04:08 . 2008-03-14 21:56 29231 ----a-w- c:\windows\hpoins03.dat

2010-01-01 17:10 . 2009-10-03 22:23 -------- d-----w- c:\documents and settings\Raynes\Application Data\Move Networks

2010-01-01 17:10 . 2009-10-03 22:23 144160 ----a-w- c:\documents and settings\Raynes\Application Data\Move Networks\uninstall.exe

2010-01-01 17:10 . 2009-12-07 01:22 5603776 ----a-w- c:\documents and settings\Raynes\Application Data\Move Networks\plugins\npqmp071705000014.dll

2010-01-01 17:10 . 2010-01-01 17:10 1795704 ----a-w- c:\documents and settings\Raynes\Application Data\Move Networks\MoveMediaPlayerWin_071705000014.exe

2010-01-01 01:39 . 2010-01-01 01:39 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-01-01 01:39 . 2005-12-06 00:29 -------- d-----w- c:\program files\Java

2010-01-01 01:38 . 2010-01-01 01:38 152576 ----a-w- c:\documents and settings\Raynes\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2010-01-01 01:38 . 2010-01-01 01:38 79488 ----a-w- c:\documents and settings\Raynes\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\documents and settings\Raynes\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe

2009-11-30 04:07 . 2009-11-30 04:07 1961720 ----a-w- c:\documents and settings\Raynes\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe

2009-11-21 15:51 . 2005-08-16 10:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2005-12-06 02:28 . 2005-12-06 02:28 3673932 ------w- c:\program files\Dec2005_MDX1_x86_Archive.cab

2005-12-06 02:28 . 2005-12-06 02:28 1358864 ------w- c:\program files\Dec2005_d3dx9_28_x64.cab

2005-12-06 02:28 . 2005-12-06 02:28 86925 ------w- c:\program files\Oct2005_xinput_x64.cab

2005-12-06 02:28 . 2005-12-06 02:28 46247 ------w- c:\program files\Oct2005_xinput_x86.cab

2005-12-06 02:28 . 2005-12-06 02:28 41888 ------w- c:\program files\dxdllreg_x86.cab

2005-12-06 02:28 . 2005-12-06 02:28 916806 ------w- c:\program files\Dec2005_MDX1_x86.cab

2005-12-06 02:27 . 2005-12-06 02:27 1080344 ------w- c:\program files\Dec2005_d3dx9_28_x86.cab

2001-11-10 10:49 . 2006-03-16 22:20 113480648 ----a-w- c:\program files\rsb.uha

2001-11-10 10:23 . 2006-03-16 22:19 15873229 ----a-w- c:\program files\myth.pak

2001-09-29 05:16 . 2006-03-16 22:20 19748 ----a-w- c:\program files\ReadMe.txt

2001-09-21 01:42 . 2006-03-16 22:20 3434 ----a-w- c:\program files\IgorHelp.txt

2001-09-19 04:24 . 2006-03-16 22:20 31678 ----a-r- c:\program files\IgorScripting.txt

2001-09-19 04:24 . 2006-03-16 22:19 24708 ----a-r- c:\program files\ike.sdf

1998-09-01 23:28 . 2006-03-16 22:19 297984 ----a-w- c:\program files\myth.acm

2008-09-07 23:05 . 2008-09-07 23:05 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2008-09-07 23:05 . 2008-09-07 23:05 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2007-10-05 02:06 . 2005-12-17 06:51 104 --sh--r- c:\windows\system32\5D2E710AE2.sys

2007-10-05 02:06 . 2006-03-12 21:46 4288 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-01 149280]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]

"ATIPTA"="c:\program files\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2006-02-10 344064]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]

"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Raynes\Start Menu\Programs\Startup\

Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2007-12-15 3450608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\wlancfg5.exe [2006-1-26 1486848]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk

backup=c:\windows\pss\dlbcserv.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk

backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Raynes^Start Menu^Programs^Startup^Product Registration.lnk]

path=c:\documents and settings\Raynes\Start Menu\Programs\Startup\Product Registration.lnk

backup=c:\windows\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2009-08-13 22:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

2004-05-12 23:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2003-08-05 00:28 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-09-21 23:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2009-10-25 00:11 1217808 ----a-w- c:\program files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war gold\\W40kWA.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war gold\\W40k.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\help.htm"=

"c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=

"c:\\Program Files\\HP\\hpcoretech\\comp\\hptskmgr.exe"=

"c:\\WINDOWS\\system32\\wscntfy.exe"=

"c:\\Program Files\\Pandora\\Pandora.exe"=

"c:\\Program Files\\Stardock\\ObjectDock\\ObjectDock.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3689:TCP"= 3689:TCP:itunes

"5353:UDP"= 5353:UDP:share

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/12/2010 7:44 PM 108289]

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [3/22/2009 9:59 AM 24936]

S3 ATICDSDr;ATICDSDr;c:\program files\ATI Technologies\ATI Control Panel\atiicdxx.sys [12/5/2005 4:34 PM 6144]

S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2/5/2007 5:35 PM 175232]

S3 ATICXTUN;ATI TV Wonder 200 Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2/5/2007 5:35 PM 29184]

S3 ATICXXBR;ATI TV Wonder 200 A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2/5/2007 5:35 PM 9088]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB

*Deregistered* - klmdb

.

Contents of the 'Scheduled Tasks' folder

2010-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2007-05-30 c:\windows\Tasks\MP Scheduled Quick Scan.job

- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe [2008-07-10 00:05]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyServer = proxy2.chapman.edu:3128

uInternet Settings,ProxyOverride = <local>;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

Trusted Zone: buy-internetsecurity10.com

Trusted Zone: buy-is2010.com

Trusted Zone: is-software-download.com

Trusted Zone: is-software-download25.com

Trusted Zone: is10-soft-download.com

Trusted Zone: buy-internetsecurity10.com

Trusted Zone: buy-is2010.com

FF - ProfilePath - c:\documents and settings\Raynes\Application Data\Mozilla\Firefox\Profiles\v0yusxk9.default\

FF - prefs.js: browser.search.selectedEngine - weather.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox

FF - plugin: c:\documents and settings\Raynes\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\documents and settings\Raynes\Application Data\Move Networks\plugins\npqmp071705000014.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-DXDllRegExe - dxdllreg.exe

SharedTaskScheduler-{f00f77dc-b017-40ac-88ee-d3f79f2aee3b} - c:\windows\system32\kelarozo.dll

SSODL-hikeputaf-{f00f77dc-b017-40ac-88ee-d3f79f2aee3b} - c:\windows\system32\kelarozo.dll

MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe

AddRemove-MailFrontier Desktop - c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\UNWISE.EXE

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-14 09:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\Raynes\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1171543304-3529937292-1806394944-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)

c:\windows\system32\MrvGINA.dll

.

Completion time: 2010-02-14 10:01:17

ComboFix-quarantined-files.txt 2010-02-14 18:01

Pre-Run: 2,547,875,840 bytes free

Post-Run: 2,549,063,680 bytes free

- - End Of File - - 6541957D198B19EA0AEB67A652B0D215

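An added triage script, ours rather than ComboFix's, for the report format above. It flags what a reviewer's eye catches in this log: numeric-named executables dropped into system32, a scheduled task with a generated-looking name (abfsghsz.job), the Trusted Zone entries the next step removes, a user proxy setting to confirm, SSODL/SharedTaskScheduler orphans, and a file under drivers that was created inside the scan window but carries a last-write stamp years older (atapi.sys, which here is TDSSKiller's cab-restored copy rather than a fresh drop). Assumptions: the sample lines are constructed from the report, the random-name rule is a rough vowel-count heuristic of ours, and the two timestamps per file row are read as creation time followed by last-write time, the reading consistent with avgntflt.sys (created on the 13th, updated on the 14th) and the Malwarebytes binaries (created on the 13th with January build dates).

```python
"""Triage helpers for ComboFix-style report lines.
Added example: not ComboFix's code; the field layout and the rules are ours,
fitted to the report posted above."""
import re
from datetime import datetime, timedelta

NUMERIC_EXE = re.compile(r"\\system32\\\d+\.exe$", re.I)
JOB_NAME = re.compile(r"\\Tasks\\([a-z]+)\.job$", re.I)
TRUSTED = re.compile(r"^Trusted Zone: (\S+)$")
PROXY = re.compile(r"ProxyServer = (\S+)")
ORPHAN = re.compile(r"^(SSODL|SharedTaskScheduler)-(\S+) - (.+)$")
# File rows: "<created> . <last written> <size> <attrs> <path>".  Assumption: the
# first stamp is creation time and the second is last-write time (see lead-in).
FILE_ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$")
TS = "%Y-%m-%d %H:%M"
SCAN_TIME = datetime(2010, 2, 14, 9, 53)   # from the ComboFix header above

# Constructed sample lines modelled on the posted report.
SAMPLE_LINES = [
    r"c:\windows\system32\11478.exe",
    r"c:\windows\system32\292.exe",
    r"c:\windows\system32\bszip.dll",
    r"c:\windows\Tasks\abfsghsz.job",
    r"c:\windows\Tasks\AppleSoftwareUpdate.job",
    r"2010-02-14 01:39 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys",
    r"2010-02-13 03:54 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys",
    r"2010-02-13 03:44 . 2010-02-14 01:05 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys",
    r"2009-11-21 15:51 . 2005-08-16 10:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll",
    "uInternet Settings,ProxyServer = proxy2.chapman.edu:3128",
    "Trusted Zone: buy-internetsecurity10.com",
    "Trusted Zone: buy-is2010.com",
    "Trusted Zone: buy-internetsecurity10.com",
    r"SSODL-hikeputaf-{f00f77dc-b017-40ac-88ee-d3f79f2aee3b} - c:\windows\system32\kelarozo.dll",
]


def looks_random(name, max_vowel_ratio=0.25):
    """Rule of thumb (ours) for generated task names such as 'abfsghsz':
    all-lowercase letters, at least six of them, hardly any vowels."""
    if len(name) < 6 or not (name.isalpha() and name.islower()):
        return False
    return sum(c in "aeiou" for c in name) / len(name) <= max_vowel_ratio


def suspicious_driver(row, scan_time=SCAN_TIME, window_days=7, min_age_days=365):
    """A file under system32\\drivers created inside the scan window whose
    last-write stamp is a year or more older: a freshly placed file wearing an
    old timestamp. Here that is TDSSKiller's cab-restored atapi.sys; on an
    untreated box the same pattern is a timestomped drop. Either way, look."""
    created = datetime.strptime(row["created"], TS)
    written = datetime.strptime(row["written"], TS)
    return ("\\system32\\drivers\\" in row["path"].lower()
            and scan_time - timedelta(days=window_days) <= created <= scan_time
            and created - written >= timedelta(days=min_age_days))


def triage(lines, scan_time=SCAN_TIME):
    f = {"numeric_exe": [], "random_jobs": [], "trusted_zone": [],
         "proxy": None, "autostart_orphans": [], "suspect_drivers": []}
    for line in map(str.strip, lines):
        if NUMERIC_EXE.search(line):
            f["numeric_exe"].append(line)
        elif (m := JOB_NAME.search(line)) and looks_random(m.group(1)):
            f["random_jobs"].append(line)
        elif m := TRUSTED.match(line):
            if m.group(1) not in f["trusted_zone"]:      # the report repeats entries
                f["trusted_zone"].append(m.group(1))
        elif m := PROXY.search(line):
            f["proxy"] = m.group(1)                      # surfaced, not judged: owner confirms
        elif m := ORPHAN.match(line):
            f["autostart_orphans"].append((m.group(1), m.group(3)))
        elif m := FILE_ROW.match(line):
            row = dict(zip(("created", "written", "size", "attrs", "path"), m.groups()))
            if suspicious_driver(row, scan_time):
                f["suspect_drivers"].append(row["path"])
    return f


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The driver check deliberately reports the benign case too; the point of a triage pass is a short list of things to explain, and on this machine the atapi.sys entry is explained by the TDSSKiller log. The proxy line (proxy2.chapman.edu:3128) is only surfaced, not flagged as malicious: a rogue proxy is a common way for an infection to hijack browsing, and the owner is the one who can confirm this setting is expected.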

Good job!

RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop. Once downloaded, RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)

Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Try now Malwarebytes as follows:

  • Launch Malwarebytes' Anti-Malware.
  • check for an update, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Good job!

RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop. Once downloaded, RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)

I'm sorry JSntgRvr, I downloaded DelDomains.inf successfully to my desktop, however when I RIGHT CLICK on it I do not see an option to Install. Please advise.


It is being saved as a text file. Follow these steps:

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as DelDomains.inf
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, right click on the DelDomains.inf file and select Install.

; DelDomains.inf 11-28-04 | Revised 01-15-06

; Created by: Mike Burgess Microsoft MVP

; http://mvps.org/winhelp2002/

;

; Warning: Deletes all entries in the Restricted & Trusted Zone list

; http://mvps.org/winhelp2002/restricted.htm

;

; Revised to include the EscDomains key

;

; To execute this file: in Explorer - right-click (this file)

; Select Install from the Menu.

; Note: you will not see any onscreen action.

[version]

signature="$CHICAGO$"

[DefaultInstall]

DelReg=DelTemps

AddReg=AddTemps

[DelTemps]

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains"

; Recreate the keys to avoid a restart

[AddTemps]

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains"

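The INF above deletes and recreates the ZoneMap Domains, Ranges and EscDomains keys, so every Trusted and Restricted sites entry goes, not just the ones ComboFix listed. An added example, ours and not part of the INF or the thread, that enumerates the same registry layout first so you know what the wipe will take with it: one subkey per domain, an optional subkey per host label, and DWORD values named after the scheme (http, https or *) holding the zone number (2 is Trusted sites, 4 is Restricted sites). The in-memory sample tree, the example.com entry and the reader helpers are ours; the live reader needs winreg and therefore Windows, and the Ranges key (numeric IP ranges) is not walked here.

```python
"""Enumerate the IE ZoneMap that DelDomains.inf wipes.
Added example, not part of the thread or of Mike Burgess's INF; the in-memory
sample tree and the reader helpers are ours."""
try:
    import winreg                      # Windows only; the pure functions below run anywhere
except ImportError:
    winreg = None

ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}


def walk_domains(read_values, read_subkeys, path="Domains"):
    """Yield (host, scheme, zone) from ZoneMap\\Domains.  Layout: one subkey per
    registrable domain, an optional subkey per host label beneath it, and DWORD
    values named after the scheme ('http', 'https' or '*') whose data is the
    zone number from ZONES."""
    for domain in read_subkeys(path):
        dpath = f"{path}\\{domain}"
        for scheme, zone in read_values(dpath):
            yield domain, scheme, zone
        for label in read_subkeys(dpath):
            for scheme, zone in read_values(f"{dpath}\\{label}"):
                yield f"{label}.{domain}", scheme, zone


def hosts_in_zone(entries, zone_id):
    return sorted({host for host, _scheme, zone in entries if zone == zone_id})


def registry_readers(hive=None):
    """Reader closures over the live registry (HKCU by default; pass
    winreg.HKEY_LOCAL_MACHINE for the machine-wide map the INF also clears)."""
    hive = winreg.HKEY_CURRENT_USER if hive is None else hive

    def read_subkeys(rel):
        with winreg.OpenKey(hive, f"{ZONEMAP}\\{rel}") as key:
            return [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]

    def read_values(rel):
        with winreg.OpenKey(hive, f"{ZONEMAP}\\{rel}") as key:
            found = []
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, kind = winreg.EnumValue(key, i)
                if kind == winreg.REG_DWORD:
                    found.append((name, data))
            return found

    return read_values, read_subkeys


# Constructed image of ZoneMap\Domains modelled on the Trusted Zone lines in the
# ComboFix report, plus one legitimate entry (example.com) to show what the
# INF's blanket delete also takes with it.
SAMPLE_TREE = {
    "Domains": {"subkeys": ["buy-is2010.com", "is-software-download.com", "example.com"], "values": []},
    "Domains\\buy-is2010.com": {"subkeys": [], "values": [("*", 2)]},
    "Domains\\is-software-download.com": {"subkeys": ["www"], "values": []},
    "Domains\\is-software-download.com\\www": {"subkeys": [], "values": [("http", 2)]},
    "Domains\\example.com": {"subkeys": ["intranet"], "values": []},
    "Domains\\example.com\\intranet": {"subkeys": [], "values": [("https", 2)]},
}


def sample_readers(tree=SAMPLE_TREE):
    return (lambda p: tree[p]["values"]), (lambda p: tree[p]["subkeys"])


def trusted_hosts(readers=None):
    """Hosts in the Trusted sites zone (2); defaults to the constructed sample."""
    read_values, read_subkeys = readers or sample_readers()
    return hosts_in_zone(walk_domains(read_values, read_subkeys), 2)


if __name__ == "__main__":
    readers = registry_readers() if winreg else None
    print("Trusted sites:", trusted_hosts(readers))
```

Run it once against HKCU and once against HKLM before installing the INF, and again after; the second run should come back empty. Anything legitimate in the first listing, such as an intranet site an admin placed in Trusted sites, has to be re-added by hand afterwards.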

I'm such an idiot, sorry about that and thanks for getting me on course. Here is the MBAM log per the above instructions:

Malwarebytes' Anti-Malware 1.44

Database version: 3739

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

2/14/2010 12:17:54 PM

mbam-log-2010-02-14 (12-17-54).txt

Scan type: Quick Scan

Objects scanned: 127701

Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Yes. Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.

  • Click START then RUN
  • Now copy and paste Combofix /Uninstall in the runbox and click OK.

Create a Restore point:

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  4. ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  5. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  6. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  7. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  8. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!

