Urania Posted May 20, 2010 ID:253080 Share Posted May 20, 2010 Thank you in advance for your assistance...Started having trouble with Google redirect a few days ago and it seems to have snow-balled from there. Have also recently experienced several "unexpected errors by Java Runtime Environment" (generating hs_err_pid log files each time). Tried going back to various Restore points, but Google redirect never goes away.Began to generate required log files to submit here. Clicked to download DDS and immediately got Fake Alert msgs & several process instances of iexplore.exe showed up in Task Manager (but no additional instances of the application). Ran MBAM -> 3 findings: 2 Fake Alert & 1 Backdoor Sinowal. Restart required. All startup processes failed to execute. Restart again. All normal autostart applications seemed to start ok.Defogger: checkDDS: checkGMER... locked up computer after an hour or so. Hard shutdown then restart.GMER again... 2+ hours. Stop. Cancel. Computer lock up. Hard shutdown. Restart. Nothing (normal autostarts) seems to load right now. Unable to generate full GMER log.Another symptom I've noticed is what I think to be a new User Profile recently created called something like Network Services. It has has all the usual profile folders including Temporary Internet Files, which I noticed was quite full. I deleted all the files from that folder. I opened IE (home page is yahoo) and didn't surf anywhere, but immediately the Temporary Internet Files folder under the Network Services profile filled up again with files, including many that seemed to have a China theme.Finally, I tried posting this message to the forum last night from the infected computer, but each time I got an IE error stating that the command could not be completed. I'm now trying to post this message from a different computer that is definately not infected with anything.Help!---Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4118Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187025/19/2010 7:54:42 PMmbam-log-2010-05-19 (19-54-42).txtScan type: Quick scanObjects scanned: 162082Time elapsed: 17 minute(s), 6 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iaanotif (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\l3Dy45uq.exe (Backdoor.Sinowal) -> Quarantined and deleted successfully.---DDS (Ver_10-03-17.01) - NTFSx86 Run by The Papa at 20:13:38.07 on Wed 05/19/2010Internet Explorer: 8.0.6001.18702Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.368 [GMT -4:00]AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\WINDOWS\system32\spoolsv.exesvchost.exeC:\WINDOWS\system32\CTsvcCDA.EXEC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Intel\Intel Application Accelerator\iaantmon.exeC:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exeC:\Program Files\Java\jre6\bin\jqs.exec:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\program files\common files\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Dell Support Center\bin\sprtsvc.exesvchost.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\Program Files\UPHClean\uphclean.exeC:\WINDOWS\system32\svchost.exe -k netsvcsC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\rundll32.exec:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\ehome\ehtray.exeC:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeC:\Program Files\Nikon\PictureProject\NkbMonitor.exeC:\QUICKENW\QWDLLS.EXEC:\WINDOWS\eHome\ehmsas.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Program Files\Intel\Modem Event Monitor\IntelMEM .exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher .exeC:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET .exeC:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB .exeC:\Program Files\Common Files\Sonic\Update Manager\sgtray .exeC:\WINDOWS\system32\CTHELPER .exeC:\Program Files\Common Files\Real\Update_OB\realsched .exeC:\Program Files\DellSupport\DSAgnt .exeC:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exeC:\Program Files\SBC Self Support Tool\bin\mpbtn.exeC:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exeC:\Documents and Settings\The Papa\Desktop\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://yahoo.sbc.com/dsluDefault_Page_URL = hxxp://www.dell4me.com/mywayuURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dllBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dllBHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dllBHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dllBHO: dlexpertclick Class: {a6927151-f5b4-11d4-ae7a-00d00925cf52} - c:\progra~1\dlexpert\dll\iehelper.dllBHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllTB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dllTB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\toolbar.dlluRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startupuRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /backgrounduRun: [Yahoo! Pager] 1uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenteruRun: [ctfmon.exe] c:\windows\system32\ctfmon.exemRun: [ehTray] c:\windows\ehome\ehtray.exemRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartupmRun: [intelMeM] c:\program files\intel\modem event monitor\IntelMEM.exemRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /rmRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"mRun: [CTHelper] CTHELPER.EXEmRun: [updReg] c:\windows\UpdReg.EXEmRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /rmRun: [dla] c:\windows\system32\dla\tfswctrl.exemRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exemRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exemRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkeymRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCentermRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exemRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osbootmRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottimemRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -tStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXEuPolicies-explorer: NoThemesTab = 0 (0x0)uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)uPolicies-system: NoDispAppearancePage = 0 (0x0)uPolicies-system: NoColorChoice = 0 (0x0)uPolicies-system: NoSizeChoice = 0 (0x0)uPolicies-system: NoVisualStyleChoice = 0 (0x0)uPolicies-system: NoDispSettingsPage = 0 (0x0)IE: &Download by DLExpert (Faster) - c:\program files\dlexpert\get.htmIE: Download &All by DLExpert (Faster) - c:\program files\dlexpert\getall.htmIE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000IE: {4AB89EA8-E2B8-11d4-AE71-00D00925CF52} - c:\program files\dlexpert\DLExpert.exeIE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLLTrusted Zone: intuit.com\ttlcTrusted Zone: turbotax.comTrusted Zone: musicmatch.com\onlineDPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cabDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cabDPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cabDPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dllDPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112466113106DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144456609703DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabHandler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dllHandler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll============= SERVICES / DRIVERS ===============R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-3 214664]R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-3-6 93320]R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-7-30 359952]R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-3-3 144704]R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\nikon\wireless camera setup utility\NkPtpEnum.exe [2005-6-17 24064]R3 Angel;Angel MPEG Device;c:\windows\system32\drivers\Angel.sys [1980-1-1 376320]R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-3-3 606736]R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-3 79816]R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-3 35272]R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-3-3 40552]R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [2005-6-17 17664]S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-3-3 34248]S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 19712]S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]=============== Created Last 30 ================2010-05-20 00:12:28 0 ----a-w- c:\documents and settings\the papa\defogger_reenable2010-05-19 22:47:20 0 ----a-w- C:\debug2010-05-19 22:47:16 112 ----a-w- c:\docume~1\alluse~1\applic~1\uxD6L4l.dat2010-05-17 01:14:48 0 d-----w- c:\windows\system32\wbem\Repository2010-05-13 23:14:07 0 d-----w- c:\docume~1\thepap~1\applic~1\0D7F7613DBA08591BDDFE91BCEB5C2B22010-05-05 20:55:21 0 d-----w- c:\docume~1\thepap~1\applic~1\Helper==================== Find3M ====================2010-05-19 22:45:11 35332 ----a-w- c:\windows\UpdReg.EXE2010-05-19 22:45:10 35332 ----a-w- c:\windows\system32\CTHELPER.EXE2010-05-19 22:44:58 35328 ----a-w- c:\windows\fonts\x2i8L.com2010-05-09 18:08:23 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll2010-03-07 22:35:37 20546 ----a-w- c:\docume~1\thepap~1\applic~1\wklnhst.dat2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe2005-04-23 21:29:33 251 ----a-w- c:\program files\wt3d.ini2008-09-08 15:30:44 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090820080909\index.dat============= FINISH: 20:15:25.20 ===============Attach.zip Link to post Share on other sites More sharing options...
Maniac Posted May 20, 2010 ID:253129 Share Posted May 20, 2010 Hello Urania! Welcome to MalwareBytes' Anti-Malware Forums!My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following: The process of cleaning your system may take some time, so please be patient.Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.Instructions that I give are for your system only!If you don't know or can't understand something please ask. Do not install or uninstall any software or hardware, while work on.Step 1:Please, uninstall the following applications:Adobe Reader 9.3You can read, how to this in:Windows XPWindows VistaWindows 7Step 2:Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVAThen run this tool to help cleanup any left over JavaYour Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.Please download JavaRa and unzip it to your desktop.***Please close any instances of Internet Explorer (or other web browser) before continuing!***Double-click on JavaRa.exe to start the program.From the drop-down menu, choose English and click on Select.JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.A logfile will pop up. Please save it to a convenient location and post it back when you replyThen look for the following Java folders and if found delete them.C:\Program Files\JavaC:\Program Files\Common Files\JavaC:\Windows\SunC:\Documents and Settings\All Users\Application Data\JavaC:\Documents and Settings\All Users\Application Data\Sun\JavaC:\Documents and Settings\username\Application Data\JavaC:\Documents and Settings\username\Application Data\Sun\JavaStep 3:I also see you have Viewpoint installed...Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.ViewpointViewpoint ManagerViewpoint Media PlayerStep 4:**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper. Please download ComboFix from Here or Here to your Desktop. **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop** If you are using Firefox, make sure that your download settings are as follows: Open Tools -> Options -> Main tab Set to Always ask me where to Save the files. [*]During the download, rename Combofix to Combo-Fix as follows: [*]It is important you rename Combofix during the download, but not after. [*]Please do not rename Combofix to other names, but only to the one indicated. [*]Close any open browsers. [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- [*]Double click on combo-Fix.exe & follow the prompts. [*]When finished, it will produce a report for you. [*]Please post the C:\Combo-Fix.txt for further review. **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**In your next reply, please include these log(s) in this sequence:JavaRa logComboFix log Link to post Share on other sites More sharing options...
Urania Posted May 20, 2010 Author ID:253330 Share Posted May 20, 2010 Hi Borislav! Thank you again for your assistance. This has become a maddening experience...I've followed your instructions as prescribed; however, Combo-Fix is crashing the computer each time I try to run it. Here's what I've done:1. Uninstalled Adobe Reader 9.32. Removed all versions of JAVA; ran JavaRa.exe (see log below); deleted the subject Java folders3. Removed Viewpoint Media Player (Viewpoint & Viewpoint Manager were not loaded)4. Downloaded and saved Combo-Fix.exe to desktop; closed all open browsers; disabled McAfee active protections via Security Center; lauched Combo-FixShortly after launching Combo-Fix, an error box appeared: "Windows cannot find grpconv. Click Start to search for the file..." This msg box disappeared within seconds and Combo-Fix seemed to load as expected. A restore point was saved and the registry was backed up. Windows Recovery Console was then loaded successfully. I clicked Yes to continue the scan.At this point the AutoScan window indicated the scan was in progress, typically taking no more than 10 minutes. However, before Combo-Fix was then supposed to indicate that the clock settings were changed, I got the BSOD!The BSOD had the following message:"A problem has been detected and windows has been shut down to prevent damage to your computer.BAD_POOL_CALLERetc....*** STOP: 0x000000C2 (0x00000007, 0x00000CD4, 0x15FFF44D, 0x80535819)Beginning dump of physical memory.Physical memory dump complete.Contact your system administrator..."Hard shutdown.Restart. Everything seemed to start up ok. Got the expected Windows message that something unexpected happened and would I like to send the event info to Microsoft.Tried Combo-Fix again. Same result.Upon starting up again got a giant Active Desktop Recovery warning. (See attached jpg.) I clicked on Restore my Active Desktop and a dialog opened up indicating there was a script error.What should I do next?Regards,Urania (Astronomy is a-MUSE-ing!)---JavaRa 1.15 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Thu May 20 16:52:49 2010Found and removed: C:\Documents and Settings\The Papa\Application Data\Sun\Java\jre1.6.0_12Found and removed: C:\Documents and Settings\The Papa\Application Data\Sun\Java\jre1.6.0_14Found and removed: C:\Documents and Settings\The Papa\Application Data\Sun\Java\jre1.6.0_15Found and removed: Software\JavaSoft\Java2D\1.5.0_04Found and removed: Software\JavaSoft\Java2D\1.5.0_06Found and removed: Software\JavaSoft\Java2D\1.5.0_09Found and removed: SOFTWARE\Classes\JavaPlugin.150_04Found and removed: SOFTWARE\Classes\JavaPlugin.150_06Found and removed: SOFTWARE\Classes\JavaPlugin.150_09Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}Found and removed: SOFTWARE\Classes\JavaPlugin.142_03Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}------------------------------------Finished reporting. Link to post Share on other sites More sharing options...
Urania Posted May 20, 2010 Author ID:253349 Share Posted May 20, 2010 BTW, I searched for grpconv on the C: drive and found 3 instances: See attached jpg.Urania (Irania, WErania!) Link to post Share on other sites More sharing options...
Maniac Posted May 22, 2010 ID:254044 Share Posted May 22, 2010 Please archive ComboFix folder, which is located in your main hard drive C:\ and attach it to your next post in this topic. Link to post Share on other sites More sharing options...
Urania Posted May 22, 2010 Author ID:254096 Share Posted May 22, 2010 I couldn't find a folder called ComboFix or Combo-Fix or anything else similar. The only folder on C: that was near the time I first ran ComboFix was Qoobox. I know that's probably not the right stuff, but here it is anyway (archived & attached).Qoobox.zip Link to post Share on other sites More sharing options...
Maniac Posted May 22, 2010 ID:254202 Share Posted May 22, 2010 Please make a screenshot of your main hard drive C:\ . Link to post Share on other sites More sharing options...
Urania Posted May 22, 2010 Author ID:254294 Share Posted May 22, 2010 Borislav, thank you for your patience with me! In the process of capturing a screen shot of the C: drive, I found the Combo-Fix folder that was generated this morning when I tried to run the program from a different profile. (I'm embarrassed!)Anyway, here's the archived Combo-Fix folder. I'm assuming you don't need the screen shot...Urania (my brain really is out there...)Combo_Fix.zip Link to post Share on other sites More sharing options...
Maniac Posted May 22, 2010 ID:254299 Share Posted May 22, 2010 Download TDSSKiller and save it to your Desktop.Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -vIf it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.It may ask you to reboot the computer to complete the process. Allow it to do so.When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here. Link to post Share on other sites More sharing options...
Urania Posted May 23, 2010 Author ID:254415 Share Posted May 23, 2010 Here's the content of the TDSSKiller.txt file:21:45:47:156 0156 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:1721:45:47:156 0156 ================================================================================21:45:47:156 0156 SystemInfo:21:45:47:156 0156 OS Version: 5.1.2600 ServicePack: 3.021:45:47:156 0156 Product type: Workstation21:45:47:156 0156 ComputerName: GANDALF21:45:47:156 0156 UserName: The Papa21:45:47:156 0156 Windows directory: C:\WINDOWS21:45:47:156 0156 Processor architecture: Intel x8621:45:47:156 0156 Number of processors: 221:45:47:156 0156 Page size: 0x100021:45:47:171 0156 Boot type: Normal boot21:45:47:171 0156 ================================================================================21:45:47:187 0156 UnloadDriverW: NtUnloadDriver error 221:45:47:187 0156 ForceUnloadDriverW: UnloadDriverW(klmd23) error 221:45:47:343 0156 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system21:45:47:343 0156 wfopen_ex: MyNtCreateFileW error 32 (C0000043)21:45:47:343 0156 wfopen_ex: Trying to KLMD file open21:45:47:343 0156 wfopen_ex: File opened ok (Flags 2)21:45:47:343 0156 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software21:45:47:343 0156 wfopen_ex: MyNtCreateFileW error 32 (C0000043)21:45:47:343 0156 wfopen_ex: Trying to KLMD file open21:45:47:343 0156 wfopen_ex: File opened ok (Flags 2)21:45:47:343 0156 KLAVA engine initialized21:45:47:796 0156 Initialize success21:45:47:812 0156 21:45:47:812 0156 Scanning Services ...21:45:49:062 0156 Raw services enum returned 414 services21:45:49:109 0156 21:45:49:109 0156 Scanning Drivers ...21:45:49:296 0156 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys21:45:49:468 0156 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS21:45:49:625 0156 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys21:45:49:687 0156 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys21:45:49:703 0156 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys21:45:49:812 0156 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys21:45:49:859 0156 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys21:45:49:890 0156 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys21:45:49:906 0156 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys21:45:49:921 0156 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys21:45:50:015 0156 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys21:45:50:093 0156 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys21:45:50:187 0156 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys21:45:50:265 0156 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys21:45:50:281 0156 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys21:45:50:296 0156 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys21:45:50:390 0156 Angel (2d1c6ff086b8091f8fd897dbb1a2e432) C:\WINDOWS\system32\DRIVERS\Angel.sys21:45:50:484 0156 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys21:45:50:531 0156 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys21:45:50:609 0156 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys21:45:50:687 0156 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys21:45:50:750 0156 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys21:45:50:781 0156 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys21:45:50:812 0156 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys21:45:50:828 0156 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys21:45:50:859 0156 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys21:45:50:906 0156 b57w2k (4826fcf97c47b361a2e2f68cd487a19e) C:\WINDOWS\system32\DRIVERS\b57xp32.sys21:45:51:031 0156 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys21:45:51:125 0156 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys21:45:51:156 0156 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys21:45:51:187 0156 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys21:45:51:203 0156 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys21:45:51:296 0156 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys21:45:51:312 0156 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys21:45:51:343 0156 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys21:45:51:359 0156 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys21:45:51:406 0156 COMMONFX.DLL (1ef05b641e9a67ded74ac8ad40055dbf) C:\WINDOWS\system32\COMMONFX.DLL21:45:51:500 0156 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys21:45:51:562 0156 CT20XUT.DLL (6191a973461852a09d643609e1d5f7c6) C:\WINDOWS\system32\CT20XUT.DLL21:45:51:687 0156 ctac32k (8ac5f77e30e37d2d11bd99eff0c53d8c) C:\WINDOWS\system32\drivers\ctac32k.sys21:45:51:859 0156 ctaud2k (673241d314e932f4890509ae8ebf26db) C:\WINDOWS\system32\drivers\ctaud2k.sys21:45:51:890 0156 CTAUDFX.DLL (472b82d7e549e7fab428852e4d16f21d) C:\WINDOWS\system32\CTAUDFX.DLL21:45:52:046 0156 ctdvda2k (ed316d4c3d39c5b6c23de067e275c183) C:\WINDOWS\system32\drivers\ctdvda2k.sys21:45:52:640 0156 CTEAPSFX.DLL (6a57f82009563aee8826f117e1d3c72c) C:\WINDOWS\system32\CTEAPSFX.DLL21:45:52:765 0156 CTEDSPFX.DLL (c8ac1ffaeadd655193d7b1811a572d8d) C:\WINDOWS\system32\CTEDSPFX.DLL21:45:52:875 0156 CTEDSPIO.DLL (44495d9daf675257d00b25b041ee6667) C:\WINDOWS\system32\CTEDSPIO.DLL21:45:52:968 0156 CTEDSPSY.DLL (8e90b1762cb42e2fc76dac9210c83c66) C:\WINDOWS\system32\CTEDSPSY.DLL21:45:53:078 0156 CTERFXFX.DLL (d3fbd9983325435b06795f29cb57ed3d) C:\WINDOWS\system32\CTERFXFX.DLL21:45:53:234 0156 CTEXFIFX.DLL (2c48e9d8ca703964463f27ae341115b7) C:\WINDOWS\system32\CTEXFIFX.DLL21:45:53:406 0156 CTHWIUT.DLL (f7657c598e7c29c6683c1e4a8dd68884) C:\WINDOWS\system32\CTHWIUT.DLL21:45:53:593 0156 ctprxy2k (34e7f8a499fd8361df14fedb724c0ad3) C:\WINDOWS\system32\drivers\ctprxy2k.sys21:45:53:687 0156 CTSBLFX.DLL (679ae21eb7f48a08184813aebabdec7c) C:\WINDOWS\system32\CTSBLFX.DLL21:45:53:796 0156 ctsfm2k (32098497cb4dfe9ea7660fa62dd91060) C:\WINDOWS\system32\drivers\ctsfm2k.sys21:45:53:875 0156 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys21:45:53:906 0156 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys21:45:54:000 0156 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys21:45:54:031 0156 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys21:45:54:078 0156 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys21:45:54:093 0156 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys21:45:54:109 0156 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys21:45:54:140 0156 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys21:45:54:156 0156 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys21:45:54:203 0156 drvmcdb (e814854e6b246ccf498874839ab64d77) C:\WINDOWS\system32\drivers\drvmcdb.sys21:45:54:281 0156 drvnddm (ee83a4ebae70bc93cf14879d062f548b) C:\WINDOWS\system32\drivers\drvnddm.sys21:45:54:453 0156 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys21:45:54:640 0156 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys21:45:54:687 0156 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys21:45:54:781 0156 emupia (2885f72d2daffd0329272f12e16d6579) C:\WINDOWS\system32\drivers\emupia2k.sys21:45:54:906 0156 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys21:45:54:937 0156 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys21:45:55:109 0156 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys21:45:55:234 0156 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys21:45:55:281 0156 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys21:45:55:359 0156 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys21:45:55:390 0156 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys21:45:55:437 0156 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys21:45:55:453 0156 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys21:45:55:546 0156 ha10kx2k (da2c735b66d2e7b739f9a46146581a9d) C:\WINDOWS\system32\drivers\ha10kx2k.sys21:45:55:671 0156 hap16v2k (5c7d6d68796e4621b4168c879908dae0) C:\WINDOWS\system32\drivers\hap16v2k.sys21:45:55:765 0156 hap17v2k (a595b88ad16d8b5693ddf08113caf30e) C:\WINDOWS\system32\drivers\hap17v2k.sys21:45:55:875 0156 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys21:45:55:921 0156 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys21:45:56:015 0156 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys21:45:56:187 0156 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys21:45:56:218 0156 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys21:45:56:265 0156 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys21:45:56:296 0156 iaStor (d7731536e183b4397402ca6f9e1d52f7) C:\WINDOWS\system32\drivers\iaStor.sys21:45:56:312 0156 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys21:45:56:343 0156 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys21:45:56:453 0156 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys21:45:56:640 0156 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys21:45:56:781 0156 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys21:45:56:890 0156 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys21:45:56:937 0156 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys21:45:56:968 0156 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys21:45:57:015 0156 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys21:45:57:031 0156 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys21:45:57:062 0156 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys21:45:57:093 0156 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys21:45:57:140 0156 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys21:45:57:187 0156 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys21:45:57:203 0156 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys21:45:57:234 0156 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys21:45:57:250 0156 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys21:45:57:296 0156 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys21:45:57:390 0156 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys21:45:57:484 0156 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys21:45:57:625 0156 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys21:45:57:750 0156 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys21:45:57:859 0156 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys21:45:57:953 0156 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys21:45:58:125 0156 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys21:45:58:171 0156 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys21:45:58:203 0156 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys21:45:58:281 0156 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys21:45:58:406 0156 motccgp (c741717b0a18813dd7d12085937cee72) C:\WINDOWS\system32\DRIVERS\motccgp.sys21:45:58:562 0156 motccgpfl (b812da6605caf02641312f1f65c75419) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys21:45:58:671 0156 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys21:45:58:703 0156 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys21:45:58:734 0156 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys21:45:58:781 0156 MPFP (136157e79849b9e5316ba4008d6075a8) C:\WINDOWS\system32\Drivers\Mpfp.sys21:45:58:937 0156 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys21:45:59:000 0156 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys21:45:59:031 0156 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys21:45:59:296 0156 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys21:45:59:375 0156 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys21:45:59:421 0156 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys21:45:59:453 0156 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys21:45:59:484 0156 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys21:45:59:546 0156 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys21:45:59:640 0156 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys21:45:59:734 0156 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys21:45:59:765 0156 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys21:45:59:843 0156 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys21:45:59:937 0156 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys21:46:00:000 0156 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys21:46:00:125 0156 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys21:46:00:171 0156 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys21:46:00:203 0156 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys21:46:00:250 0156 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys21:46:00:296 0156 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys21:46:00:328 0156 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys21:46:00:343 0156 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys21:46:00:375 0156 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys21:46:00:437 0156 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys21:46:00:593 0156 nv (aaa6daac20c08fda35498515ad6c69c3) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys21:46:01:062 0156 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys21:46:01:078 0156 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys21:46:01:125 0156 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys21:46:01:156 0156 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys21:46:01:250 0156 ossrv (61c85afeaa6ef0c1b32d43f84f7bfbcf) C:\WINDOWS\system32\drivers\ctoss2k.sys21:46:01:343 0156 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys21:46:01:359 0156 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys21:46:01:390 0156 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys21:46:01:406 0156 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys21:46:01:437 0156 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys21:46:01:468 0156 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys21:46:01:515 0156 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys21:46:01:593 0156 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys21:46:01:625 0156 PfModNT (6dabb70783ef470492adb7b9a6e60bf3) C:\WINDOWS\system32\drivers\PfModNT.sys21:46:01:734 0156 ppa3 (c740d0cb238670629af1b740414a8f3c) C:\WINDOWS\system32\DRIVERS\ppa3.sys21:46:01:765 0156 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys21:46:01:796 0156 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys21:46:01:828 0156 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys21:46:01:859 0156 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys21:46:01:875 0156 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys21:46:01:890 0156 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys21:46:01:921 0156 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys21:46:01:937 0156 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys21:46:01:953 0156 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys21:46:01:984 0156 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys21:46:02:046 0156 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys21:46:02:062 0156 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys21:46:02:078 0156 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys21:46:02:093 0156 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys21:46:02:109 0156 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys21:46:02:125 0156 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys21:46:02:156 0156 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys21:46:02:187 0156 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys21:46:02:218 0156 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys21:46:02:250 0156 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys21:46:02:281 0156 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys21:46:02:296 0156 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys21:46:02:343 0156 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys21:46:02:390 0156 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys21:46:02:421 0156 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys21:46:02:453 0156 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys21:46:02:484 0156 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys21:46:02:515 0156 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys21:46:02:625 0156 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys21:46:02:750 0156 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys21:46:02:843 0156 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys21:46:02:859 0156 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys21:46:02:906 0156 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys21:46:02:921 0156 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys21:46:03:015 0156 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys21:46:03:093 0156 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys21:46:03:125 0156 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys21:46:03:218 0156 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys21:46:03:265 0156 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys21:46:03:296 0156 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys21:46:03:328 0156 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys21:46:03:328 0156 TermDD (6bbab7c9f82fa2ea6dbe2cf656d2ea3f) C:\WINDOWS\system32\DRIVERS\termdd.sys21:46:03:343 0156 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: 6bbab7c9f82fa2ea6dbe2cf656d2ea3f, Fake md5: 88155247177638048422893737429d9e21:46:03:343 0156 File "C:\WINDOWS\system32\DRIVERS\termdd.sys" infected by TDSS rootkit ... 21:46:03:937 0156 Backup copy found, using it..21:46:03:937 0156 will be cured on next reboot21:46:04:015 0156 tfsnboio (30698355067d07da5f9eb81132c9fdd6) C:\WINDOWS\system32\dla\tfsnboio.sys21:46:04:140 0156 tfsncofs (fb9d825bb4a2abdf24600f7505050e2b) C:\WINDOWS\system32\dla\tfsncofs.sys21:46:04:265 0156 tfsndrct (cafd8cca11aa1e8b6d2ea1ba8f70ec33) C:\WINDOWS\system32\dla\tfsndrct.sys21:46:04:453 0156 tfsndres (8db1e78fbf7c426d8ec3d8f1a33d6485) C:\WINDOWS\system32\dla\tfsndres.sys21:46:04:546 0156 tfsnifs (b92f67a71cc8176f331b8aa8d9f555ad) C:\WINDOWS\system32\dla\tfsnifs.sys21:46:04:640 0156 tfsnopio (85985faa9a71e2358fcc2edefc2a3c5c) C:\WINDOWS\system32\dla\tfsnopio.sys21:46:04:750 0156 tfsnpool (bba22094f0f7c210567efdaf11f64495) C:\WINDOWS\system32\dla\tfsnpool.sys21:46:04:828 0156 tfsnudf (81340bef80b9811e98ce64611e67e3ff) C:\WINDOWS\system32\dla\tfsnudf.sys21:46:04:968 0156 tfsnudfa (c035fd116224ccc8325f384776b6a8bb) C:\WINDOWS\system32\dla\tfsnudfa.sys21:46:05:093 0156 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys21:46:05:140 0156 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys21:46:05:171 0156 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys21:46:05:296 0156 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys21:46:05:328 0156 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys21:46:05:343 0156 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys21:46:05:359 0156 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys21:46:05:406 0156 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys21:46:05:437 0156 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys21:46:05:531 0156 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS21:46:05:562 0156 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys21:46:05:609 0156 VBus (2f819aa4b3171efc050b648430800dc2) C:\WINDOWS\system32\DRIVERS\NkVBus.sys21:46:05:671 0156 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys21:46:05:687 0156 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys21:46:05:734 0156 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys21:46:05:750 0156 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys21:46:05:765 0156 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys21:46:05:828 0156 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys21:46:06:046 0156 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys21:46:06:078 0156 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys21:46:06:109 0156 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS21:46:06:156 0156 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys21:46:06:218 0156 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys21:46:06:234 0156 Reboot required for cure complete..21:46:06:390 0156 Cure on reboot scheduled successfully21:46:06:390 0156 21:46:06:390 0156 Completed21:46:06:390 0156 21:46:06:390 0156 Results:21:46:06:390 0156 Registry objects infected / cured / cured on reboot: 0 / 0 / 021:46:06:390 0156 File objects infected / cured / cured on reboot: 1 / 0 / 121:46:06:390 0156 21:46:06:390 0156 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system21:46:06:390 0156 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software21:46:06:390 0156 UnloadDriverW: NtUnloadDriver error 121:46:06:390 0156 KLMD(ARK) unloaded successfully Link to post Share on other sites More sharing options...
Maniac Posted May 23, 2010 ID:254523 Share Posted May 23, 2010 Please delete your copy of ComboFix and:**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper. Please download ComboFix from Here or Here to your Desktop. **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop** If you are using Firefox, make sure that your download settings are as follows: Open Tools -> Options -> Main tab Set to Always ask me where to Save the files. [*]During the download, rename Combofix to Combo-Fix as follows: [*]It is important you rename Combofix during the download, but not after. [*]Please do not rename Combofix to other names, but only to the one indicated. [*]Close any open browsers. [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- [*]Double click on combo-Fix.exe & follow the prompts. [*]When finished, it will produce a report for you. [*]Please post the C:\Combo-Fix.txt for further review. **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall** Link to post Share on other sites More sharing options...
Urania Posted May 23, 2010 Author ID:254664 Share Posted May 23, 2010 Woohoo! ComboFix ran with no BSOD!Here's the resulting log file:ComboFix 10-05-22.03 - The Papa 05/23/2010 9:22.1.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.461 [GMT -4:00]Running from: c:\documents and settings\The Papa\Desktop\Combo-Fix.exeAV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\All Users\Application Data\l3Dy45uq.exec:\documents and settings\All Users\Application Data\l3Dy45uq.exe_c:\documents and settings\LocalService\Application Data\Microsoft\HTML Help\hh.datc:\documents and settings\The Mama\Application Data\Microsoft\HTML Help\hh.datc:\documents and settings\The Mama\GoToAssistDownloadHelper.exec:\documents and settings\The Papa\Application Data\0D7F7613DBA08591BDDFE91BCEB5C2B2c:\documents and settings\The Papa\Application Data\0D7F7613DBA08591BDDFE91BCEB5C2B2\enemies-names.txtc:\documents and settings\The Papa\Application Data\Microsoft\HTML Help\hh.datc:\documents and settings\The Papa\Application Data\shb.datc:\progra~1\MUSICM~1\MUSICM~3\mimboot.exec:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask.exeC:\Thumbs.dbc:\windows\jestertb.dllc:\windows\msv1_0.dllc:\windows\system32\win.inic:\windows\UpdReg.EXE <pre>c:\program files\QuickTime\qttask .exe --->c:\program files\QuickTime\qttask.exec:\windows\UpdReg .exe --->c:\windows\UpdReg.exe</pre>.c:\windows\system32\grpconv.exe was missing Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe.((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 ))))))))))))))))))))))))))))))).2010-05-23 13:29 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe2010-05-23 13:29 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe2010-05-22 20:46 . 2010-05-22 20:46 7314716 ----a-w- C:\Combo-Fix.zip2010-05-22 12:16 . 2010-05-22 12:16 6961 ----a-w- C:\Qoobox.zip2010-05-19 23:08 . 2010-05-19 23:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe2010-05-19 22:48 . 2010-05-19 22:48 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE2010-05-18 23:14 . 2010-05-18 23:14 -------- d-----w- c:\documents and settings\The Mama\Application Data\Malwarebytes2010-05-17 01:14 . 2010-05-17 01:14 -------- d-----w- c:\windows\system32\wbem\Repository2010-05-13 23:26 . 2010-05-13 23:26 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache2010-05-05 20:55 . 2010-05-05 20:55 -------- d-----w- c:\documents and settings\The Papa\Application Data\Helper.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-05-23 13:30 . 2006-10-16 23:14 -------- d-----w- c:\program files\QuickTime2010-05-23 13:18 . 2010-05-19 22:47 112 ----a-w- c:\documents and settings\All Users\Application Data\uxD6L4l.dat2010-05-23 01:47 . 2004-08-04 07:01 40840 ----a-w- c:\windows\system32\drivers\termdd.sys2010-05-20 22:14 . 2007-04-09 12:52 -------- d-----w- c:\program files\DellSupport2010-05-20 20:40 . 2005-03-25 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint2010-05-20 20:31 . 2005-04-07 01:10 -------- d-----w- c:\program files\Common Files\Adobe2010-05-20 00:05 . 2007-03-03 14:15 -------- d-----w- c:\program files\McAfee2010-05-19 23:58 . 2010-03-18 21:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-05-19 22:45 . 2005-03-25 19:46 35332 ----a-w- c:\windows\system32\CTHELPER.EXE2010-05-19 00:14 . 2010-03-08 23:10 439816 ----a-w- c:\documents and settings\The Papa\Application Data\Real\Update\setup3.10\setup.exe2010-05-09 18:08 . 2006-10-16 23:25 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT2010-05-04 15:08 . 2005-04-15 22:16 89560 ----a-w- c:\documents and settings\The Mama\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2010-05-02 22:14 . 2010-04-15 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Extreme Picture Finder2010-05-02 22:09 . 2010-04-15 23:56 -------- d-----w- c:\program files\Extreme Picture Finder 32010-04-29 19:39 . 2010-03-18 21:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-04-29 19:39 . 2010-03-18 21:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-04-11 01:07 . 2006-10-16 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer2010-04-11 01:06 . 2010-04-11 01:06 -------- d-----w- c:\program files\Common Files\Apple2010-04-11 01:06 . 2010-04-11 01:06 -------- d-----w- c:\program files\Apple Software Update2010-04-11 01:06 . 2010-04-11 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple2010-04-06 04:15 . 2005-10-23 21:05 1324 ----a-w- c:\windows\system32\d3d9caps.dat2010-03-11 01:00 . 2010-01-20 00:40 1156736 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat2010-03-11 00:43 . 2005-04-02 20:37 89560 ----a-w- c:\documents and settings\The Papa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2010-03-10 06:15 . 2004-08-10 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll2010-03-07 22:35 . 2005-04-03 18:44 20546 ----a-w- c:\documents and settings\The Papa\Application Data\wklnhst.dat2010-02-25 06:24 . 2004-08-10 11:00 916480 ----a-w- c:\windows\system32\wininet.dll2010-02-24 13:11 . 2004-08-10 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys2005-04-23 21:29 . 2005-04-23 21:29 251 ----a-w- c:\program files\wt3d.ini.<pre>c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exec:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exec:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exec:\program files\Common Files\Real\Update_OB\realsched .exec:\program files\Common Files\Sonic\Update Manager\sgtray .exec:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET .exec:\program files\Critical Thinking Software\Word Roots A2\UninstallerData\Word Roots A2 Uninstall .exec:\program files\CyberLink\PowerDVD\DVDLauncher .exec:\program files\Dell Support Center\bin\sprtcmd .exec:\program files\Dell Support Center\gs_agent\custom\dsca .exec:\program files\DellSupport\DSAgnt .exec:\program files\Intel\Intel Application Accelerator\iaanotif .exec:\program files\Intel\Modem Event Monitor\IntelMEM .exec:\program files\Malwarebytes' Anti-Malware\mbam .exec:\program files\McAfee.com\Agent\mcagent .exec:\program files\Messenger\msmsgs .exec:\program files\MUSICMATCH\Musicmatch Jukebox\mimboot .exec:\program files\SBC Self Support Tool\SmartBridge\MotiveSB .exec:\windows\EHOME\ehtray .exec:\windows\SYSTEM32\CTHELPER .exe</pre>((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Yahoo! Pager"="1" [X]"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [N/A]"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-11 4583424]"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [N/A]"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [N/A]"CTHelper"="CTHELPER.EXE" [2010-05-19 35332]"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [N/A]"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [N/A]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [N/A]"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [N/A]"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [N/A]"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-05-19 35332]c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2005-7-14 217088]NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-10-16 118784]Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2005-4-8 27136][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]@=""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]@=""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]@="Driver"[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusOverride"=dword:00000001"FirewallOverride"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)"DisableNotifications"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="c:\\Program Files\\Real\\RealPlayer\\realplay.exe"="c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"="c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [3/6/2010 4:02 PM 93320]R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [6/17/2005 11:11 AM 24064]R3 Angel;Angel MPEG Device;c:\windows\SYSTEM32\DRIVERS\Angel.sys [1/1/1980 2:00 AM 376320]R3 VBus;Virtual Bus;c:\windows\SYSTEM32\DRIVERS\NkVBus.sys [6/17/2005 11:11 AM 17664]S3 motccgp;Motorola USB Composite Device Driver;c:\windows\SYSTEM32\DRIVERS\motccgp.sys [8/22/2008 12:49 AM 19712]S3 motccgpfl;MotCcgpFlService;c:\windows\SYSTEM32\DRIVERS\motccgpfl.sys [8/22/2008 12:49 AM 8320]S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]--- Other Services/Drivers In Memory ---*Deregistered* - uphcleanhlp.Contents of the 'Scheduled Tasks' folder2010-05-23 c:\windows\Tasks\GlaryInitialize.job- c:\program files\Glary Utilities\initialize.exe [2010-01-15 17:09]2005-04-01 c:\windows\Tasks\ISP signup reminder 1.job- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-10 00:12]2007-03-03 c:\windows\Tasks\McDefragTask.job- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-03 16:22]2007-03-03 c:\windows\Tasks\McQcTask.job- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-03 16:22]..------- Supplementary Scan -------.uStart Page = hxxp://yahoo.sbc.com/dslIE: &Download by DLExpert (Faster) - c:\program files\DLExpert\get.htmIE: Download &All by DLExpert (Faster) - c:\program files\DLExpert\getall.htmIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000IE: {{4AB89EA8-E2B8-11d4-AE71-00D00925CF52} - c:\program files\DLExpert\DLExpert.exeTrusted Zone: intuit.com\ttlcTrusted Zone: turbotax.comTrusted Zone: musicmatch.com\onlineDPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab.- - - - ORPHANS REMOVED - - - -SafeBoot-klmdb.sysAddRemove-Photo Finale Quick Start_is1 - c:\program files\Photo Finale\Photo Finale 4\unins000.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-05-23 09:30Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]@Denied: (2) (LocalSystem)"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,98,bf,bc,67,59,29,4d,8c,08,5e,\"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,98,bf,bc,67,59,29,4d,8c,08,5e,\.Completion time: 2010-05-23 09:34:26ComboFix-quarantined-files.txt 2010-05-23 13:34Pre-Run: 32,776,097,792 bytes freePost-Run: 32,945,516,544 bytes free- - End Of File - - 2135D0FDA17CA679F4E9AA85B3BA839D Link to post Share on other sites More sharing options...
Maniac Posted May 23, 2010 ID:254675 Share Posted May 23, 2010 Open Notepad and copy and paste the text in the code box below into it:KillAll::RenV::c:\program files\QuickTime\qttask .exec:\windows\UpdReg .exec:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exec:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exec:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exec:\program files\Common Files\Real\Update_OB\realsched .exec:\program files\Common Files\Sonic\Update Manager\sgtray .exec:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET .exec:\program files\Critical Thinking Software\Word Roots A2\UninstallerData\Word Roots A2 Uninstall .exec:\program files\CyberLink\PowerDVD\DVDLauncher .exec:\program files\Dell Support Center\bin\sprtcmd .exec:\program files\Dell Support Center\gs_agent\custom\dsca .exec:\program files\DellSupport\DSAgnt .exec:\program files\Intel\Intel Application Accelerator\iaanotif .exec:\program files\Intel\Modem Event Monitor\IntelMEM .exec:\program files\Malwarebytes' Anti-Malware\mbam .exec:\program files\McAfee.com\Agent\mcagent .exec:\program files\Messenger\msmsgs .exec:\program files\MUSICMATCH\Musicmatch Jukebox\mimboot .exec:\program files\SBC Self Support Tool\SmartBridge\MotiveSB .exec:\windows\EHOME\ehtray .exec:\windows\SYSTEM32\CTHELPER .exeRegLock::[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]Save the file to your desktop and name it CFScript.txt Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system. Link to post Share on other sites More sharing options...
Urania Posted May 23, 2010 Author ID:254758 Share Posted May 23, 2010 Here's the new CF log:ComboFix 10-05-22.03 - The Papa 05/23/2010 12:36:20.2.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.501 [GMT -4:00]Running from: c:\documents and settings\The Papa\Desktop\Combo-Fix.exeCommand switches used :: c:\documents and settings\The Papa\Desktop\CFScript.txtAV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}.((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 ))))))))))))))))))))))))))))))).2010-05-23 13:29 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe2010-05-23 13:29 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe2010-05-22 20:46 . 2010-05-22 20:46 7314716 ----a-w- C:\Combo-Fix.zip2010-05-22 12:16 . 2010-05-22 12:16 6961 ----a-w- C:\Qoobox.zip2010-05-19 23:08 . 2010-05-19 23:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe2010-05-19 22:48 . 2010-05-19 22:48 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE2010-05-18 23:14 . 2010-05-18 23:14 -------- d-----w- c:\documents and settings\The Mama\Application Data\Malwarebytes2010-05-17 01:14 . 2010-05-17 01:14 -------- d-----w- c:\windows\system32\wbem\Repository2010-05-13 23:26 . 2010-05-13 23:26 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache2010-05-05 20:55 . 2010-05-05 20:55 -------- d-----w- c:\documents and settings\The Papa\Application Data\Helper.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-05-23 16:36 . 2010-03-18 21:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-05-23 16:36 . 2007-04-09 12:52 -------- d-----w- c:\program files\DellSupport2010-05-23 13:30 . 2006-10-16 23:14 -------- d-----w- c:\program files\QuickTime2010-05-23 13:18 . 2010-05-19 22:47 112 ----a-w- c:\documents and settings\All Users\Application Data\uxD6L4l.dat2010-05-23 01:47 . 2004-08-04 07:01 40840 ----a-w- c:\windows\system32\drivers\termdd.sys2010-05-20 20:40 . 2005-03-25 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint2010-05-20 20:31 . 2005-04-07 01:10 -------- d-----w- c:\program files\Common Files\Adobe2010-05-20 00:05 . 2007-03-03 14:15 -------- d-----w- c:\program files\McAfee2010-05-19 00:14 . 2010-03-08 23:10 439816 ----a-w- c:\documents and settings\The Papa\Application Data\Real\Update\setup3.10\setup.exe2010-05-09 18:08 . 2006-10-16 23:25 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT2010-05-04 15:08 . 2005-04-15 22:16 89560 ----a-w- c:\documents and settings\The Mama\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2010-05-02 22:14 . 2010-04-15 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Extreme Picture Finder2010-05-02 22:09 . 2010-04-15 23:56 -------- d-----w- c:\program files\Extreme Picture Finder 32010-04-29 19:39 . 2010-03-18 21:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-04-29 19:39 . 2010-03-18 21:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-04-11 01:07 . 2006-10-16 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer2010-04-11 01:06 . 2010-04-11 01:06 -------- d-----w- c:\program files\Common Files\Apple2010-04-11 01:06 . 2010-04-11 01:06 -------- d-----w- c:\program files\Apple Software Update2010-04-11 01:06 . 2010-04-11 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple2010-04-06 04:15 . 2005-10-23 21:05 1324 ----a-w- c:\windows\system32\d3d9caps.dat2010-03-11 01:00 . 2010-01-20 00:40 1156736 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat2010-03-11 00:43 . 2005-04-02 20:37 89560 ----a-w- c:\documents and settings\The Papa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2010-03-10 06:15 . 2004-08-10 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll2010-03-07 22:35 . 2005-04-03 18:44 20546 ----a-w- c:\documents and settings\The Papa\Application Data\wklnhst.dat2010-02-25 06:24 . 2004-08-10 11:00 916480 ----a-w- c:\windows\system32\wininet.dll2010-02-24 13:11 . 2004-08-10 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys2005-04-23 21:29 . 2005-04-23 21:29 251 ----a-w- c:\program files\wt3d.ini.((((((((((((((((((((((((((((( SnapShot@2010-05-23_13.30.16 ))))))))))))))))))))))))))))))))))))))))).- 2005-03-25 19:34 . 2010-03-23 16:25 72576 c:\windows\SYSTEM32\PERFC009.DAT+ 2005-03-25 19:34 . 2010-05-23 14:05 72576 c:\windows\SYSTEM32\PERFC009.DAT+ 2005-03-25 19:46 . 2007-04-09 16:32 19456 c:\windows\SYSTEM32\CTHELPER.exe+ 2005-03-25 19:34 . 2010-05-23 14:05 445370 c:\windows\SYSTEM32\PERFH009.DAT- 2005-03-25 19:34 . 2010-03-23 16:25 445370 c:\windows\SYSTEM32\PERFH009.DAT.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Yahoo! Pager"="1" [X]"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-11 4583424]"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2006-11-06 380928]"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2005-7-14 217088]NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-10-16 118784]Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2005-4-8 27136][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]@=""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]@=""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]@="Driver"[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusOverride"=dword:00000001"FirewallOverride"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)"DisableNotifications"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="c:\\Program Files\\Real\\RealPlayer\\realplay.exe"="c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"="c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [3/6/2010 4:02 PM 93320]R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [6/17/2005 11:11 AM 24064]R3 Angel;Angel MPEG Device;c:\windows\SYSTEM32\DRIVERS\Angel.sys [1/1/1980 2:00 AM 376320]R3 VBus;Virtual Bus;c:\windows\SYSTEM32\DRIVERS\NkVBus.sys [6/17/2005 11:11 AM 17664]S3 motccgp;Motorola USB Composite Device Driver;c:\windows\SYSTEM32\DRIVERS\motccgp.sys [8/22/2008 12:49 AM 19712]S3 motccgpfl;MotCcgpFlService;c:\windows\SYSTEM32\DRIVERS\motccgpfl.sys [8/22/2008 12:49 AM 8320]S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]--- Other Services/Drivers In Memory ---*Deregistered* - uphcleanhlp.Contents of the 'Scheduled Tasks' folder2010-05-23 c:\windows\Tasks\GlaryInitialize.job- c:\program files\Glary Utilities\initialize.exe [2010-01-15 17:09]2005-04-01 c:\windows\Tasks\ISP signup reminder 1.job- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-10 00:12]2007-03-03 c:\windows\Tasks\McDefragTask.job- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-03 16:22]2007-03-03 c:\windows\Tasks\McQcTask.job- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-03 16:22]..------- Supplementary Scan -------.uStart Page = hxxp://yahoo.sbc.com/dslIE: &Download by DLExpert (Faster) - c:\program files\DLExpert\get.htmIE: Download &All by DLExpert (Faster) - c:\program files\DLExpert\getall.htmIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000IE: {{4AB89EA8-E2B8-11d4-AE71-00D00925CF52} - c:\program files\DLExpert\DLExpert.exeTrusted Zone: intuit.com\ttlcTrusted Zone: turbotax.comTrusted Zone: musicmatch.com\onlineDPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab.- - - - ORPHANS REMOVED - - - -HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exeAddRemove-Word Roots A2 - c:\program files\Critical Thinking Software\Word Roots A2\UninstallerData\Word Roots A2 Uninstall .exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-05-23 12:49Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'explorer.exe'(3792)c:\windows\system32\WININET.dllc:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dllc:\windows\system32\ieframe.dllc:\windows\system32\webcheck.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\windows\system32\CTsvcCDA.EXEc:\windows\eHome\ehRecvr.exec:\windows\eHome\ehSched.exec:\program files\Intel\Intel Application Accelerator\iaantmon.exec:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exec:\progra~1\McAfee\MSC\mcmscsvc.exec:\program files\common files\mcafee\mna\mcnasvc.exec:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exec:\progra~1\McAfee\VIRUSS~1\mcshield.exec:\program files\McAfee\MPF\MPFSrv.exec:\windows\system32\nvsvc32.exec:\program files\Dell Support Center\bin\sprtsvc.exec:\program files\UPHClean\uphclean.exec:\windows\ehome\mcrdsvc.exec:\progra~1\mcafee.com\agent\mcagent.exec:\windows\system32\dllhost.exec:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exec:\program files\SBC Self Support Tool\bin\mpbtn.exec:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exec:\windows\eHome\ehmsas.exe.**************************************************************************.Completion time: 2010-05-23 12:54:41 - machine was rebootedComboFix-quarantined-files.txt 2010-05-23 16:54ComboFix2.txt 2010-05-23 13:34Pre-Run: 33,027,969,024 bytes freePost-Run: 32,919,797,760 bytes free- - End Of File - - 90C1EA8009A642404F72A4158FD95296 Link to post Share on other sites More sharing options...
Maniac Posted May 23, 2010 ID:254759 Share Posted May 23, 2010 How are things now? Link to post Share on other sites More sharing options...
Urania Posted May 23, 2010 Author ID:254790 Share Posted May 23, 2010 So far so good. I performed several searches via Google as well as Yahoo and clicked on several links of known (and trusted) web sites. I'll continue to monitor for a couple of days to be sure.Assuming I'm all clear, what steps should I follow now to restore some capability (i.e., Adobe Reader & Java)? More importantly, what steps should I take to better protect against these types of threats? I'm presently relying on McAfee virus/malware protection as well as personal firewall, and I've been using Malwarebytes to scan at least weekly. I've also been using McAfee Site Advisor to flag suspicious web sites. Obviously these measures haven't been enough. I'd like to do whatever necessary to prevent this from happening again. Any advice?Finally, what exactly did I have and what was the most likely source of infection?By the way, you're awesome and I'll do my part to make sure you can continue to be awesome!!Urania Link to post Share on other sites More sharing options...
Maniac Posted May 23, 2010 ID:254793 Share Posted May 23, 2010 I'll answer to your questions, but first want to make sure that your system is clean. Monitor your system to three days and tell me, then other details. Link to post Share on other sites More sharing options...
Urania Posted May 25, 2010 Author ID:256222 Share Posted May 25, 2010 So far so good. I performed several searches via Google as well as Yahoo and clicked on several links of known (and trusted) web sites. I'll continue to monitor for a couple of days to be sure.Assuming I'm all clear, what steps should I follow now to restore some capability (i.e., Adobe Reader & Java)? More importantly, what steps should I take to better protect against these types of threats? I'm presently relying on McAfee virus/malware protection as well as personal firewall, and I've been using Malwarebytes to scan at least weekly. I've also been using McAfee Site Advisor to flag suspicious web sites. Obviously these measures haven't been enough. I'd like to do whatever necessary to prevent this from happening again. Any advice?Finally, what exactly did I have and what was the most likely source of infection?By the way, you're awesome and I'll do my part to make sure you can continue to be awesome!!UraniaAll still seems to be ok. No obvious evidence of infection. What's next? Link to post Share on other sites More sharing options...
Maniac Posted May 25, 2010 ID:256238 Share Posted May 25, 2010 Last steps:Step 1* Go to start > run and copy and paste next command in the field:ComboFix /uninstallMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.Step 2Please manually delete DDS, TDSSKiller, JavaRa and GMER.Step 3Please download and install the latest version of Adobe Reader from:www.adobe.comAbout Java:www.java.com/enStep 4Some malware preventions:http://miekiemoes.blogspot.com/2008/02/how...nt-malware.htmlSafe surfing! Link to post Share on other sites More sharing options...
Recommended Posts