
random popups/redirecting via google.com



I believe I have an undetected malware running because I continuously keep getting random popups and redirecting in google on firefox. I have Malwarebytes helping me out, but popups still get through. Can I please get help on my situation? Thanks. :P

I followed instructions from http://forums.malwarebytes.org/index.php?showtopic=9573.

My Malwarebytes' Anti-Malware log:

Malwarebytes' Anti-Malware 1.44

Database version: 3874

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/16/2010 11:30:34 PM

mbam-log-2010-03-16 (23-30-34).txt

Scan type: Quick Scan

Objects scanned: 2

Time elapsed: 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

=========================================

My DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 17:42:35.10 on Wed 03/17/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_01

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.312 [GMT -7:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\WINDOWS\system32\igfxtray.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HPQ\SHARED\HPQWMI.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Owner\My Documents\Downloads\Defogger.exe

C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Aim6]

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start

mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe

mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"

mRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [<NO NAME>]

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC}

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll

Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\0qaug6fq.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-3-16 236368]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-2-17 104000]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-3-16 19160]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-2-17 72264]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-2-17 34152]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-2-17 168776]

S2 pciinfo;HP Pci Information;\??\c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================

2010-03-18 00:41:20 0 ----a-w- c:\documents and settings\owner\defogger_reenable

2010-03-16 07:01:11 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes

2010-03-16 07:01:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-16 07:01:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-16 07:01:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-03-16 07:01:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-16 03:31:57 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-03-16 03:31:57 0 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2010-03-16 03:31:57 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-03-16 03:31:56 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-03-10 03:21:23 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-15 10:31:35 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-03-15 10:31:35 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys

2010-03-11 10:48:11 91509 -c--a-w- c:\windows\War3Unin.dat

2010-01-27 08:03:27 1510 ----a-w- c:\windows\Sketchpad Preferences.dat

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys

2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

============= FINISH: 17:44:16.76 ===============

Attach.zip


Hello brainst0rm

Welcome to Malwarebytes.

=====================

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

=======================

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose Extract All to extract the file to your desktop, then run it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log

==========

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hey, thanks for helping me out. This backdoor trojan sounds scary. I did everything in the previous post. Here are my two logs.

My TDSSKiller Log:

09:10:28:984 2924 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20

09:10:28:984 2924 ================================================================================

09:10:28:984 2924 SystemInfo:

09:10:28:984 2924 OS Version: 5.1.2600 ServicePack: 3.0

09:10:28:984 2924 Product type: Workstation

09:10:28:984 2924 ComputerName: YOUR-4105E587B6

09:10:28:984 2924 UserName: Owner

09:10:28:984 2924 Windows directory: C:\WINDOWS

09:10:29:000 2924 Processor architecture: Intel x86

09:10:29:000 2924 Number of processors: 1

09:10:29:000 2924 Page size: 0x1000

09:10:29:062 2924 Boot type: Normal boot

09:10:29:062 2924 ================================================================================

09:10:29:062 2924 UnloadDriverW: NtUnloadDriver error 2

09:10:29:062 2924 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

09:10:29:218 2924 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

09:10:29:218 2924 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

09:10:29:218 2924 wfopen_ex: Trying to KLMD file open

09:10:29:218 2924 wfopen_ex: File opened ok (Flags 2)

09:10:29:218 2924 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

09:10:29:218 2924 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

09:10:29:218 2924 wfopen_ex: Trying to KLMD file open

09:10:29:218 2924 wfopen_ex: File opened ok (Flags 2)

09:10:29:218 2924 Initialize success

09:10:29:218 2924

09:10:29:218 2924 Scanning Services ...

09:10:29:812 2924 GetAdvancedServicesInfo: Raw services enum returned 342 services

09:10:29:812 2924

09:10:29:812 2924 Scanning Kernel memory ...

09:10:29:812 2924 Devices to scan: 3

09:10:29:812 2924

09:10:29:812 2924 Driver Name: Disk

09:10:29:812 2924 IRP_MJ_CREATE : F7622BB0

09:10:29:812 2924 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

09:10:29:812 2924 IRP_MJ_CLOSE : F7622BB0

09:10:29:812 2924 IRP_MJ_READ : F761CD1F

09:10:29:812 2924 IRP_MJ_WRITE : F761CD1F

09:10:29:812 2924 IRP_MJ_QUERY_INFORMATION : 804F355A

09:10:29:812 2924 IRP_MJ_SET_INFORMATION : 804F355A

09:10:29:812 2924 IRP_MJ_QUERY_EA : 804F355A

09:10:29:812 2924 IRP_MJ_SET_EA : 804F355A

09:10:29:812 2924 IRP_MJ_FLUSH_BUFFERS : F761D2E2

09:10:29:812 2924 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

09:10:29:812 2924 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

09:10:29:812 2924 IRP_MJ_DIRECTORY_CONTROL : 804F355A

09:10:29:812 2924 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

09:10:29:812 2924 IRP_MJ_DEVICE_CONTROL : F761D3BB

09:10:29:812 2924 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7620F28

09:10:29:812 2924 IRP_MJ_SHUTDOWN : F761D2E2

09:10:29:812 2924 IRP_MJ_LOCK_CONTROL : 804F355A

09:10:29:812 2924 IRP_MJ_CLEANUP : 804F355A

09:10:29:812 2924 IRP_MJ_CREATE_MAILSLOT : 804F355A

09:10:29:812 2924 IRP_MJ_QUERY_SECURITY : 804F355A

09:10:29:812 2924 IRP_MJ_SET_SECURITY : 804F355A

09:10:29:812 2924 IRP_MJ_POWER : F761EC82

09:10:29:812 2924 IRP_MJ_SYSTEM_CONTROL : F762399E

09:10:29:812 2924 IRP_MJ_DEVICE_CHANGE : 804F355A

09:10:29:812 2924 IRP_MJ_QUERY_QUOTA : 804F355A

09:10:29:812 2924 IRP_MJ_SET_QUOTA : 804F355A

09:10:29:828 2924 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

09:10:29:828 2924

09:10:29:828 2924 Driver Name: Disk

09:10:29:828 2924 IRP_MJ_CREATE : F7622BB0

09:10:29:828 2924 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

09:10:29:828 2924 IRP_MJ_CLOSE : F7622BB0

09:10:29:828 2924 IRP_MJ_READ : F761CD1F

09:10:29:828 2924 IRP_MJ_WRITE : F761CD1F

09:10:29:828 2924 IRP_MJ_QUERY_INFORMATION : 804F355A

09:10:29:828 2924 IRP_MJ_SET_INFORMATION : 804F355A

09:10:29:828 2924 IRP_MJ_QUERY_EA : 804F355A

09:10:29:828 2924 IRP_MJ_SET_EA : 804F355A

09:10:29:828 2924 IRP_MJ_FLUSH_BUFFERS : F761D2E2

09:10:29:828 2924 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

09:10:29:828 2924 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

09:10:29:828 2924 IRP_MJ_DIRECTORY_CONTROL : 804F355A

09:10:29:828 2924 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

09:10:29:828 2924 IRP_MJ_DEVICE_CONTROL : F761D3BB

09:10:29:828 2924 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7620F28

09:10:29:828 2924 IRP_MJ_SHUTDOWN : F761D2E2

09:10:29:828 2924 IRP_MJ_LOCK_CONTROL : 804F355A

09:10:29:828 2924 IRP_MJ_CLEANUP : 804F355A

09:10:29:828 2924 IRP_MJ_CREATE_MAILSLOT : 804F355A

09:10:29:828 2924 IRP_MJ_QUERY_SECURITY : 804F355A

09:10:29:828 2924 IRP_MJ_SET_SECURITY : 804F355A

09:10:29:828 2924 IRP_MJ_POWER : F761EC82

09:10:29:828 2924 IRP_MJ_SYSTEM_CONTROL : F762399E

09:10:29:828 2924 IRP_MJ_DEVICE_CHANGE : 804F355A

09:10:29:828 2924 IRP_MJ_QUERY_QUOTA : 804F355A

09:10:29:828 2924 IRP_MJ_SET_QUOTA : 804F355A

09:10:29:859 2924 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

09:10:29:859 2924

09:10:29:859 2924 Driver Name: atapi

09:10:29:859 2924 IRP_MJ_CREATE : 864BBCA1

09:10:29:859 2924 IRP_MJ_CREATE_NAMED_PIPE : 864BBCA1

09:10:29:859 2924 IRP_MJ_CLOSE : 864BBCA1

09:10:29:859 2924 IRP_MJ_READ : 864BBCA1

09:10:29:859 2924 IRP_MJ_WRITE : 864BBCA1

09:10:29:859 2924 IRP_MJ_QUERY_INFORMATION : 864BBCA1

09:10:29:859 2924 IRP_MJ_SET_INFORMATION : 864BBCA1

09:10:29:859 2924 IRP_MJ_QUERY_EA : 864BBCA1

09:10:29:859 2924 IRP_MJ_SET_EA : 864BBCA1

09:10:29:859 2924 IRP_MJ_FLUSH_BUFFERS : 864BBCA1

09:10:29:859 2924 IRP_MJ_QUERY_VOLUME_INFORMATION : 864BBCA1

09:10:29:859 2924 IRP_MJ_SET_VOLUME_INFORMATION : 864BBCA1

09:10:29:859 2924 IRP_MJ_DIRECTORY_CONTROL : 864BBCA1

09:10:29:859 2924 IRP_MJ_FILE_SYSTEM_CONTROL : 864BBCA1

09:10:29:859 2924 IRP_MJ_DEVICE_CONTROL : 864BBCA1

09:10:29:859 2924 IRP_MJ_INTERNAL_DEVICE_CONTROL : 864BBCA1

09:10:29:859 2924 IRP_MJ_SHUTDOWN : 864BBCA1

09:10:29:859 2924 IRP_MJ_LOCK_CONTROL : 864BBCA1

09:10:29:859 2924 IRP_MJ_CLEANUP : 864BBCA1

09:10:29:859 2924 IRP_MJ_CREATE_MAILSLOT : 864BBCA1

09:10:29:859 2924 IRP_MJ_QUERY_SECURITY : 864BBCA1

09:10:29:859 2924 IRP_MJ_SET_SECURITY : 864BBCA1

09:10:29:859 2924 IRP_MJ_POWER : 864BBCA1

09:10:29:859 2924 IRP_MJ_SYSTEM_CONTROL : 864BBCA1

09:10:29:859 2924 IRP_MJ_DEVICE_CHANGE : 864BBCA1

09:10:29:859 2924 IRP_MJ_QUERY_QUOTA : 864BBCA1

09:10:29:859 2924 IRP_MJ_SET_QUOTA : 864BBCA1

09:10:29:859 2924 Driver "atapi" infected by TDSS rootkit!

09:10:29:859 2924 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1

09:10:29:859 2924 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...

09:10:29:875 2924 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

09:10:29:875 2924 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3

09:12:15:375 2924 vfvi6

09:12:15:625 2924 !dsvbh1

09:12:17:750 2924 dsvbh2

09:12:17:750 2924 fdfb2

09:12:17:750 2924 Backup copy found, using it..

09:12:17:765 2924 will be cured on next reboot

09:12:17:765 2924 Reboot required for cure complete..

09:12:17:781 2924 Cure on reboot scheduled successfully

09:12:17:781 2924

09:12:17:781 2924 Completed

09:12:17:781 2924

09:12:17:781 2924 Results:

09:12:17:781 2924 Memory objects infected / cured / cured on reboot: 1 / 0 / 0

09:12:17:781 2924 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

09:12:17:781 2924 File objects infected / cured / cured on reboot: 1 / 0 / 1

09:12:17:781 2924

09:12:17:781 2924 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

09:12:17:781 2924 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

09:12:17:781 2924 UnloadDriverW: NtUnloadDriver error 1

09:12:17:781 2924 KLMD_Unload: UnloadDriverW(klmd21) error 1

09:12:17:781 2924 KLMD(ARK) unloaded successfully

====================================================================

My ComboFix Log:

ComboFix 10-03-17.07 - Owner 03/18/2010 9:37.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.581 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003

c:\recycler\S-1-5-21-3288127050-197847358-126776011-1003

.

((((((((((((((((((((((((( Files Created from 2010-02-18 to 2010-03-18 )))))))))))))))))))))))))))))))

.

2010-03-16 07:01 . 2010-03-16 07:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-03-16 07:01 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-16 07:01 . 2010-03-16 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-16 07:01 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-16 07:01 . 2010-03-16 07:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-16 03:31 . 2010-03-16 03:31 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-03-16 03:31 . 2010-03-16 03:31 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2010-03-16 03:31 . 2010-03-16 03:31 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-03-16 03:31 . 2010-03-16 03:31 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-03-16 03:06 . 2010-03-16 03:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-03-15 08:47 . 2010-03-15 08:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-03-10 03:21 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-18 16:15 . 2004-08-04 00:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-03-17 08:06 . 2006-07-16 22:32 -------- d-----w- c:\program files\Warcraft III

2010-03-17 06:01 . 2009-09-20 17:33 -------- d-----w- c:\program files\CCleaner

2010-03-17 05:58 . 2007-03-04 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-16 05:26 . 2007-03-04 22:35 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-11 10:48 . 2006-07-16 22:36 91509 -c--a-w- c:\windows\War3Unin.dat

2010-01-27 08:03 . 2009-10-27 07:17 1510 ----a-w- c:\windows\Sketchpad Preferences.dat

2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-04 67128]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]

"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 790528]

"EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 28160]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-01 271672]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 569405]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-4 67128]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-9-20 438272]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

2008-10-21 17:09 50472 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 23:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\Warcraft III\\war3.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LittleFighter2\\LF2_v1.9c\\lf2.exe"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/16/2010 12:01 AM 236368]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 8:14 PM 24652]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/16/2010 12:01 AM 19160]

S2 pciinfo;HP Pci Information;\??\c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 2:10 PM 32512]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB

*Deregistered* - klmdb

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2010-02-20 c:\windows\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 05:51]

2010-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 20:15]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\0qaug6fq.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

HKU-Default-Run-DWQueuedReporting - c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-18 09:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?2?3?6??P???? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3616)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2010-03-18 09:43:43

ComboFix-quarantined-files.txt 2010-03-18 16:43

Pre-Run: 69,785,174,016 bytes free

Post-Run: 69,777,117,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 4F635BE59856CEEE6E43EDB8B63DFEFD
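The services section of the ComboFix log above (the `R2`/`R3`/`S2`/`S3` lines) is where a responder looks first: an entry like `pciinfo`, registered to start a `.sys` driver out of the user's Temp directory and shown with `[?]` because the file was not found on disk, is the kind of line that deserves a second look even when, as here, the display name (HP Pci Information) suggests a vendor tool. As an added example, not code from the original post or from ComboFix, here is a small Python triage script that parses those lines and flags entries whose file is missing, whose image path sits under a Temp or Local Settings directory, or which load a driver from outside `system32\drivers`. The sample input is copied from the log above; the flag names and the directory list are my own, and a flag is a prompt to verify the entry, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the service/driver lines copied from the ComboFix log above.
SAMPLE_SERVICES = r"""
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/16/2010 12:01 AM 236368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 8:14 PM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/16/2010 12:01 AM 19160]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 2:10 PM 32512]
"""

# <state> <name>;<display name>;<image path> [<date size> | ?]
LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)\s+\[([^\]]*)\]\s*$")

# Directories a service image has no business living in (my own list, not ComboFix's).
TRANSIENT_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\tmp\\")
DRIVERS_DIR = "\\windows\\system32\\drivers\\"


@dataclass
class ServiceEntry:
    state: str        # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    path: str
    file_info: str    # "<date> <size>" when ComboFix found the file, "?" when it did not
    flags: list = field(default_factory=list)


def parse_service_line(line):
    """Parse one R*/S* line; returns None for lines that are not service entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, name, display, path, info = m.groups()
    # "\??\<path> --> <path>" is ComboFix showing the raw NT path and its resolved form;
    # keep the resolved one.
    if "-->" in path:
        path = path.split("-->", 1)[1].strip()
    return ServiceEntry(state, name, display, path, info)


def triage(entry):
    """Attach heuristic flags; a flag means 'look at this', not 'this is malware'."""
    low = entry.path.lower()
    if entry.file_info.strip() == "?":
        entry.flags.append("file-missing")
    if any(d in low for d in TRANSIENT_DIRS):
        entry.flags.append("transient-path")
    if low.endswith(".sys") and DRIVERS_DIR not in low:
        entry.flags.append("driver-outside-drivers-dir")
    return entry


def scan_log(text):
    """All parsed service entries from a ComboFix log, each already triaged."""
    return [triage(e) for e in map(parse_service_line, text.splitlines()) if e]


def suspicious(text):
    """Only the entries that picked up at least one flag."""
    return [e for e in scan_log(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_SERVICES):
        print(f"{e.state} {e.name}: {', '.join(e.flags)} -> {e.path}")
```

Run against the sample, only `pciinfo` is reported, with all three flags; the two Malwarebytes entries and the NPF packet-filter driver pass clean. Feed it a whole ComboFix log and the non-service lines are simply ignored by the regex.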


Great

Update/Run Malwarebytes

Please update/run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Okay, I did all of the steps in the previous post. Nothing was found. I think the TDSSKiller solved the issue. Should I do anything else? Thanks for your awesome help by the way.

My MBAM Log:

Malwarebytes' Anti-Malware 1.44

Database version: 3883

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/18/2010 11:00:11 AM

mbam-log-2010-03-18 (11-00-11).txt

Scan type: Quick Scan

Objects scanned: 119800

Time elapsed: 9 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

===========================================================

My ESET log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=5de5e72dcca56345bf52539295e4e8c9

# end=stopped

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-03-18 06:30:18

# local_time=2010-03-18 11:30:18 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=7538

# found=0

# cleaned=0

# scan_time=1442

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=5de5e72dcca56345bf52539295e4e8c9

# end=stopped

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-03-18 08:38:24

# local_time=2010-03-18 01:38:24 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=44846

# found=0

# cleaned=0

# scan_time=7627

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=5de5e72dcca56345bf52539295e4e8c9

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-03-19 12:01:19

# local_time=2010-03-18 05:01:19 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=69343

# found=0

# cleaned=0

# scan_time=11580
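The ESET log above actually holds three scan sessions, not one: the first two end with `end=stopped` (each followed by an `esets_scanner_update returned -1` line), and only the third reports `end=finished`. When reading such a log, only a finished session counts as a clean result; a stopped session with `found=0` proves nothing about the files it never reached. As an added example, not code from the original post or from ESET, the Python below splits the `# key=value` log into sessions, attaches stray non-`#` lines to the session they follow, and reports the verdict of the last finished session. The sample input is an abbreviated copy of the log above; the session/summary structure is my own, and my reading of `unsafe_checked` as the scanner's "potentially unsafe applications" option is an assumption.

```python
import re

# Constructed sample: an abbreviated copy of the ESET Online Scanner log posted above
# (three sessions; the first two were stopped, the last one finished).
SAMPLE_ESET_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# OnlineScanner.ocx=1.0.0.6211
# end=stopped
# remove_checked=true
# unsafe_checked=false
# utc_time=2010-03-18 06:30:18
# scanned=7538
# found=0
# cleaned=0
# scan_time=1442
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=stopped
# remove_checked=true
# unsafe_checked=false
# utc_time=2010-03-18 08:38:24
# scanned=44846
# found=0
# cleaned=0
# scan_time=7627
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=finished
# remove_checked=true
# unsafe_checked=false
# utc_time=2010-03-19 12:01:19
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=69343
# found=0
# cleaned=0
# scan_time=11580
"""

KV_RE = re.compile(r"^#\s*([A-Za-z_][A-Za-z0-9_.]*)=(.*)$")
INT_FIELDS = {"scanned", "found", "cleaned", "scan_time"}


def parse_sessions(text):
    """Split an ESET Online Scanner log into one dict per '# version=' session."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KV_RE.match(line)
        if not m:
            # Non-'#' lines (e.g. 'esets_scanner_update returned -1 ...') are kept as
            # notes on the session they follow; header lines before the first
            # session are dropped.
            if line and current is not None:
                current.setdefault("notes", []).append(line)
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "version":
            current = {"version": value}
            sessions.append(current)
            continue
        if current is None:
            continue
        if key in INT_FIELDS:
            try:
                value = int(value)
            except ValueError:
                pass
        if key in current:
            # Repeated keys (compatibility_mode appears twice per session) become lists.
            prev = current[key]
            current[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            current[key] = value
    return sessions


def summarize(sessions):
    """Verdict from the last *finished* session only; stopped sessions prove nothing."""
    finished = [s for s in sessions if s.get("end") == "finished"]
    aborted = len(sessions) - len(finished)
    if not finished:
        return {"status": "no-completed-scan", "aborted_sessions": aborted}
    last = finished[-1]
    found = last.get("found", 0)
    return {
        "status": "clean" if found == 0 else "threats-found",
        "scanned": last.get("scanned"),
        "found": found,
        "cleaned": last.get("cleaned"),
        "aborted_sessions": aborted,
        # Assumption: unsafe_checked maps to the 'potentially unsafe applications' option.
        "unsafe_apps_scanned": last.get("unsafe_checked") == "true",
    }


if __name__ == "__main__":
    print(summarize(parse_sessions(SAMPLE_ESET_LOG)))
```

On the sample this reports a clean finished scan of 69343 objects with two aborted sessions, and `unsafe_apps_scanned` false, which is the one setting in the posted log a reader might want to revisit before calling the machine fully checked.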


You are welcome :)

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the Run box and click OK. Note the space between the X and the U; it needs to be there.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 18...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is left over.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article: To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow: a tutorial on what you can do if your computer is slow.

File sharing program dangers: reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.


Hey kahdah,

Thank you so much for helping me. Also, I noticed in the TDSSKiller Log that:

09:12:17:781 2924 Memory objects infected / cured / cured on reboot: 1 / 0 / 0

09:12:17:781 2924 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

09:12:17:781 2924 File objects infected / cured / cured on reboot: 1 / 0 / 1

Does that imply I still have an infected object that cannot be cured? Or should I not worry about that?


Does that imply I still have an infected object that cannot be cured? Or should I not worry about that?
No, that means there was a driver that was infected, but the other number 1 is saying that it was successfully healed, or rather replaced, on reboot.

You are welcome. :)
