
Hi there helpful folks! I have a subscription on my own computer, but this is a different computer--did a housecall and now I have it with me.

  • Was infected with Antispyware Soft. Keyboard was disabled so F8 and even F2/F12 wouldn't work, but somehow by going to F12 and then switching to F8, I got into safe mode & ran Malwarebytes.
  • Ran & rebooted several times until scan came up clean.
  • Then could not get on the Internet ("unable to query host name" on ipconfig), print spooler subsystem errors, etc. -- system files compromised???
  • Left the computer running w/Ethernet plugged in. A day later I get a call that something has popped up indicating communication over the Internet (unfortunately she didn't give me the exact error message). I went to get the computer.
  • Ran Malwarebytes again and it found. Now scans clean. I have not attempted to fix the TCP/IP or spooler issues yet, figuring if there is a lingering infection I should tackle it first.
  • Txt files are zipped and attached. DDS.txt is below.

Thank you SO much in advance!

Hilary

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-16 11:16:53

Windows 5.1.2600 Service Pack 3

Running: 9hoepqk4.exe; Driver: C:\DOCUME~1\SUSQUE~1\LOCALS~1\Temp\kwtdypow.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB6E5B0B0]

---- Kernel code sections - GMER 1.0.15 ----

? fnwfbeo.sys The system cannot find the file specified. !

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74B0780]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs FStopW.sys (FPAV - RealTime Protector/FRISK Software International)

Device \Driver\atapi \Device\Ide\IdePort0 [F74A3B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdePort1 [F74A3B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F74A3B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F74A3B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 [F74A3B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \FileSystem\Fastfat \Fat FStopW.sys (FPAV - RealTime Protector/FRISK Software International)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Hello hcethatsme! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step. If there is a problem somewhere, stop and tell me, and I'll tell you what to do.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed of any changes.

Step 1

Please, uninstall the following applications:

  1. Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
  2. Adobe Reader 8.1.2
  3. Adobe Reader 8.1.2 Security Update 1 (KB403742)
  4. Korean Fonts Support For Adobe Reader 8

You can read how to do this here:

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. a new fresh DDS log only


Thanks so much, Borislav! I'm sorry, I forgot to copy in DDS.txt last time. Here is the new mbam log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4207

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/16/2010 3:07:44 PM

mbam-log-2010-06-16 (15-07-44).txt

Scan type: Quick scan

Objects scanned: 134861

Time elapsed: 9 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

and dds.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Susquehanna Branch at 15:09:15.71 on Wed 06/16/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1493 [GMT -4:00]

AV: F-PROT Antivirus for Windows *On-access scanning enabled* (Updated) {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

svchost.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Susquehanna Branch\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://susqcolibrary.org/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"

mRun: [F-PROT Antivirus Tray application] c:\program files\frisk software\f-prot antivirus for windows\FProtTray.exe

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

uPolicies-system: RunStartupScriptSync = 1 (0x1)

mPolicies-explorer: <NO NAME> =

mPolicies-system: RunStartupScriptSync = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm

IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\micros~2\office\1033\phdintl.dll/phdContext.htm

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim95_c2\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Trusted Zone: microsoftofficeonline.com

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab

DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\susque~1\applic~1\mozilla\firefox\profiles\dx2sbl1f.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.susqcolibrary.org/|http://www.susqcolibrary.org/|http://www.susqcolibrary.org/

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\susquehanna branch\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\susquehanna branch\application data\mozilla\firefox\profiles\dx2sbl1f.default\extensions\support@ancestry.com\plugins\npImgCtl.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [2008-2-6 682840]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 74480]

R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\frisk software\f-prot antivirus for windows\FPAVServer.exe [2009-8-27 75424]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-12 24652]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

S0 wmrtlayg;wmrtlayg;c:\windows\system32\drivers\ifkwfvog.dat --> c:\windows\system32\drivers\ifkwfvog.dat [?]

S2 gluatqjk;Brother USB Mass-Storage Upper Filter Controller;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2003-3-26 2944]

S3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\system32\drivers\BrFiltLo.sys [2003-3-26 12160]

S3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\system32\drivers\BrFiltUp.sys [2003-3-26 3968]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2003-3-26 60416]

S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2003-3-26 11008]

S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2003-3-26 10368]

=============== Created Last 30 ================

2010-06-16 12:50:44 0 ----a-w- c:\documents and settings\susquehanna branch\defogger_reenable

2010-06-15 17:42:07 0 d-----w- c:\docume~1\susque~1\applic~1\FRISK Software

2010-06-15 17:22:51 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-06-15 17:22:51 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-06-07 19:29:22 0 d-----w- C:\spoolerlogs

2010-06-07 18:48:19 0 d-----w- c:\docume~1\susque~1\applic~1\Malwarebytes

2010-06-07 18:41:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-07 18:41:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-07 18:41:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-07 18:41:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-04-13 13:44:12 4938120 ----a-w- c:\program files\Silverlight.exe

2010-03-10 15:20:22 8558600 ----a-w- c:\program files\yahoo_firefox_3.6_setup_us.exe

2010-02-16 17:36:16 38808920 ----a-w- c:\program files\FileFormatConverters.exe

2010-01-29 17:17:28 4384320 ----a-w- c:\program files\Shockwave_Installer_Slim.exe

2010-01-28 16:26:31 209624 ----a-w- c:\program files\uninstall_flash_player.exe

2010-01-28 15:12:10 1924200 ----a-w- c:\program files\install_flash_player.exe

2007-12-11 16:05:23 372520 ----a-w- c:\program files\ymjsetup_29.exe

2006-10-12 20:58:08 782898 ----a-w- c:\program files\defs.ref

2005-11-16 14:41:23 203061 ----a-w- c:\program files\AIM+Setup.exe

2005-11-16 14:38:26 8715352 ----a-w- c:\program files\Install_AIM.exe

2005-03-04 19:29:22 533904 ----a-w- c:\program files\psa2011se_DLM_us_full.exe

2003-11-12 20:47:07 267472 ----a-w- c:\program files\NSSetup.exe

2003-03-10 12:30:06 207758 ----a-w- c:\program files\INSTALL.LOG

============= FINISH: 15:10:18.46 ===============

Attach.txt is attached. Thanks again!


Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.


Thanks again, Borislav. Here is the log:

17:04:49:984 2260 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48

17:04:49:984 2260 ================================================================================

17:04:49:984 2260 SystemInfo:

17:04:49:984 2260 OS Version: 5.1.2600 ServicePack: 3.0

17:04:49:984 2260 Product type: Workstation

17:04:49:984 2260 ComputerName: MUFASA

17:04:49:984 2260 UserName: Susquehanna Branch

17:04:49:984 2260 Windows directory: C:\WINDOWS

17:04:49:984 2260 Processor architecture: Intel x86

17:04:49:984 2260 Number of processors: 1

17:04:49:984 2260 Page size: 0x1000

17:04:49:984 2260 Boot type: Normal boot

17:04:49:984 2260 ================================================================================

17:04:50:250 2260 Initialize success

17:04:50:265 2260

17:04:50:265 2260 Scanning Services ...

17:04:50:671 2260 Raw services enum returned 350 services

17:04:50:671 2260

17:04:50:671 2260 Scanning Drivers ...


17:04:54:343 2260 atapi (75fefb18207dd203140e991b4d2b86ff) C:\WINDOWS\system32\DRIVERS\atapi.sys

17:04:54:343 2260 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 75fefb18207dd203140e991b4d2b86ff, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674

17:04:54:343 2260 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... 17:04:56:421 2260 Backup copy found, using it..

17:04:56:437 2260 will be cured on next reboot


17:05:09:453 2260 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

17:05:09:578 2260 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys

17:05:09:687 2260 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

17:05:09:875 2260 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

17:05:10:078 2260 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

17:05:10:203 2260 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

17:05:10:359 2260 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

17:05:10:515 2260 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

17:05:10:687 2260 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

17:05:10:875 2260 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

17:05:11:078 2260 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

17:05:11:250 2260 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

17:05:11:437 2260 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

17:05:11:593 2260 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

17:05:11:781 2260 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

17:05:11:953 2260 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

17:05:12:078 2260 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

17:05:12:265 2260 NMSCFG (1d3bb79a0035077297779c8c52ca3c01) C:\WINDOWS\System32\drivers\NMSCFG.SYS

17:05:12:406 2260 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

17:05:12:593 2260 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

17:05:12:796 2260 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

17:05:13:062 2260 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

17:05:13:328 2260 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

17:05:13:453 2260 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

17:05:13:593 2260 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys

17:05:13:781 2260 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys

17:05:13:968 2260 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys

17:05:14:109 2260 omci (1d98907d80461371437a7c898c58c8ae) C:\WINDOWS\system32\DRIVERS\omci.sys

17:05:14:281 2260 ossrv (c720c25b2d0c93dc425155f5b6a707f3) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys

17:05:14:500 2260 P16X (e433c553d00d76fbc616294b60a7a530) C:\WINDOWS\system32\drivers\P16X.sys

17:05:14:734 2260 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys

17:05:14:906 2260 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

17:05:15:031 2260 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

17:05:15:203 2260 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

17:05:15:343 2260 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

17:05:15:578 2260 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

17:05:15:718 2260 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

17:05:16:109 2260 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys

17:05:16:234 2260 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys

17:05:16:328 2260 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\System32\PfModNT.sys

17:05:16:484 2260 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

17:05:16:656 2260 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

17:05:16:828 2260 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

17:05:17:000 2260 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

17:05:17:187 2260 pwd_2k (070eddd0e4a5be55dd590d8b30dbff22) C:\WINDOWS\system32\drivers\pwd_2k.sys

17:05:17:312 2260 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys

17:05:17:453 2260 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys

17:05:17:593 2260 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys

17:05:17:750 2260 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys

17:05:17:859 2260 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys

17:05:17:968 2260 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys

17:05:18:125 2260 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

17:05:18:234 2260 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

17:05:18:406 2260 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

17:05:18:546 2260 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

17:05:18:671 2260 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

17:05:18:843 2260 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

17:05:18:953 2260 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

17:05:19:125 2260 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

17:05:19:296 2260 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

17:05:19:406 2260 SASDIFSV (bfbc4be8d6ac6d33ad93f3f5f2e11499) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

17:05:19:453 2260 SASENUM (7f1085895e499907f68df7731924122b) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

17:05:19:546 2260 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

17:05:19:734 2260 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

17:05:19:859 2260 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

17:05:20:031 2260 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

17:05:20:187 2260 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

17:05:20:375 2260 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys

17:05:20:515 2260 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys

17:05:20:625 2260 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

17:05:20:765 2260 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

17:05:20:921 2260 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

17:05:21:062 2260 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

17:05:21:203 2260 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

17:05:21:468 2260 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys

17:05:21:593 2260 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys

17:05:21:734 2260 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys

17:05:21:843 2260 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys

17:05:21:984 2260 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

17:05:22:156 2260 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

17:05:22:296 2260 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

17:05:22:453 2260 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

17:05:22:609 2260 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

17:05:22:765 2260 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys

17:05:22:906 2260 UdfReadr_xp (27e66e79fd742c107fdb23280e17d869) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys

17:05:23:046 2260 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

17:05:23:187 2260 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys

17:05:23:328 2260 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

17:05:23:500 2260 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

17:05:23:625 2260 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

17:05:23:750 2260 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

17:05:23:906 2260 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

17:05:24:046 2260 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

17:05:24:171 2260 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

17:05:24:296 2260 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

17:05:24:453 2260 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

17:05:24:640 2260 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys

17:05:24:765 2260 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys

17:05:24:906 2260 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

17:05:25:000 2260 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

17:05:25:125 2260 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys

17:05:25:296 2260 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

17:05:25:484 2260 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

17:05:25:609 2260 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

17:05:25:750 2260 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

17:05:25:765 2260 Reboot required for cure complete..

17:05:26:203 2260 Cure on reboot scheduled successfully

17:05:26:203 2260

17:05:26:203 2260 Completed

17:05:26:203 2260

17:05:26:203 2260 Results:

17:05:26:203 2260 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

17:05:26:203 2260 File objects infected / cured / cured on reboot: 1 / 0 / 1

17:05:26:203 2260

17:05:26:218 2260 KLMD(ARK) unloaded successfully


Hi Borislav,

Well, I'm not sure if the virus hosed the system or if there is still something going on.

There's no Internet access. Ipconfig gives "unable to query host name"; the Windows Firewall/ICS service can't be started with Error 2, cannot find file; etc. I had run a TCP/IP repair tool before coming here and it did nothing; I tried various other fixes but haven't yet completely uninstalled & reinstalled TCP/IP, which I also saw recommended. (ipnat.sys & ipnathlp.dll are present; the system WAS at SP3 (I think) but I have to double-check when I'm back in front of it; I'm on the road right now.) Network connections look normal, there is no proxy server.

The other issue is printing: Spooler Subsystem App errors, no printers, can't add any.

I haven't run sfc; should I do that? (I hadn't moved to those steps in case there was still infection...)

thanks SO MUCH!

Hilary


Thanks!

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**


Thanks again! Here is the CF log:

ComboFix 10-06-17.02 - Susquehanna Branch 06/17/2010 19:43:04.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1658 [GMT -4:00]

Running from: c:\documents and settings\Susquehanna Branch\Desktop\Combo-Fix.exe

AV: F-PROT Antivirus for Windows *On-access scanning disabled* (Outdated) {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\INSTALL.LOG

c:\windows\system32\Data

c:\windows\system32\Temp

c:\windows\system32\win.com

c:\windows\xpsp1hfm.log

.

((((((((((((((((((((((((( Files Created from 2010-05-17 to 2010-06-17 )))))))))))))))))))))))))))))))

.

2010-06-17 14:21 . 2010-06-17 14:21 -------- d-----w- C:\ERDNT

2010-06-15 17:42 . 2010-06-15 17:42 -------- d-----w- c:\documents and settings\Susquehanna Branch\Application Data\FRISK Software

2010-06-15 17:22 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-06-15 17:22 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-06-07 19:29 . 2010-06-07 19:29 -------- d-----w- C:\spoolerlogs

2010-06-07 18:48 . 2010-06-07 18:48 -------- d-----w- c:\documents and settings\Susquehanna Branch\Application Data\Malwarebytes

2010-06-07 18:41 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-07 18:41 . 2010-06-07 18:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-07 18:41 . 2010-06-07 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-07 18:41 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-03 18:20 . 2010-06-07 18:58 -------- d-----w- c:\documents and settings\Susquehanna Branch\Local Settings\Application Data\gykhaqjxy

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-17 23:35 . 2007-03-09 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-06-16 21:12 . 2002-08-29 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-06-08 15:20 . 2007-01-29 18:26 -------- d-----w- c:\program files\AIM

2010-06-08 15:02 . 2008-08-26 17:43 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-06-03 18:59 . 2006-11-20 17:46 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-01 14:38 . 2010-06-01 14:38 12 ----a-w- c:\windows\system32\config\systemprofile\Application Data\czyiwa.dat

2010-05-26 16:28 . 2008-08-26 17:43 -------- d-----w- c:\documents and settings\Susquehanna Branch\Application Data\Thunderbird

2010-05-06 13:10 . 2009-05-06 15:02 117760 ----a-w- c:\documents and settings\Susquehanna Branch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-04-21 19:16 . 2010-04-21 19:16 -------- d-----w- c:\program files\3ivx

2010-04-21 19:16 . 2010-04-21 19:16 -------- d-----w- c:\program files\Flip Video

2010-04-21 19:16 . 2010-04-21 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video

2010-04-13 13:44 . 2010-04-13 13:43 4938120 ----a-w- c:\program files\Silverlight.exe

2010-03-10 15:20 . 2010-03-10 15:19 8558600 ----a-w- c:\program files\yahoo_firefox_3.6_setup_us.exe

2010-02-16 17:36 . 2010-02-16 17:36 38808920 ----a-w- c:\program files\FileFormatConverters.exe

2010-01-29 17:17 . 2010-01-29 17:15 4384320 ----a-w- c:\program files\Shockwave_Installer_Slim.exe

2010-01-28 16:26 . 2010-01-28 16:26 209624 ----a-w- c:\program files\uninstall_flash_player.exe

2010-01-28 15:12 . 2010-01-28 15:12 1924200 ----a-w- c:\program files\install_flash_player.exe

2007-12-11 16:05 . 2007-12-11 16:04 372520 ----a-w- c:\program files\ymjsetup_29.exe

2006-10-12 20:58 . 2006-10-12 20:58 782898 ----a-w- c:\program files\defs.ref

2005-11-16 14:41 . 2005-11-16 14:41 203061 ----a-w- c:\program files\AIM+Setup.exe

2005-11-16 14:38 . 2004-09-17 15:26 8715352 ----a-w- c:\program files\Install_AIM.exe

2005-03-04 19:29 . 2005-03-04 19:29 533904 ----a-w- c:\program files\psa2011se_DLM_us_full.exe

2003-11-12 20:47 . 2003-08-26 14:40 267472 ----a-w- c:\program files\NSSetup.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-05 68856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-26 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 53248]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

"F-PROT Antivirus Tray application"="c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2008-04-21 1597832]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-12 202256]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-27 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-01-26 21:30 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]

@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]

autontsd REG_SZ c:\windows\system32\comp3216.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Millennium\\iiirunner.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AIM\\AIM95_c2\\aim.exe"=

"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=

R0 FPAV_RTP;FPAV_RTP;c:\windows\SYSTEM32\DRIVERS\FStopW.sys [2/6/2008 12:30 PM 682840]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 2:53 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 1:39 PM 74480]

R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [8/27/2009 4:26 PM 75424]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/12/2007 12:25 PM 24652]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 6:51 PM 4096]

S0 wmrtlayg;wmrtlayg;c:\windows\system32\drivers\ifkwfvog.dat --> c:\windows\system32\drivers\ifkwfvog.dat [?]

S2 gluatqjk;Brother USB Mass-Storage Upper Filter Controller;c:\windows\System32\svchost.exe -k netsvcs [8/29/2002 8:00 AM 14336]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 10:25 AM 135664]

S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [3/26/2003 4:52 PM 2944]

S3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFiltLo.sys [3/26/2003 4:52 PM 12160]

S3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFiltUp.sys [3/26/2003 4:52 PM 3968]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [3/26/2003 4:52 PM 60416]

S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\SYSTEM32\DRIVERS\BrUsbMdm.sys [3/26/2003 4:52 PM 11008]

S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\SYSTEM32\DRIVERS\BrUsbScn.sys [3/26/2003 4:52 PM 10368]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

gluatqjk

.

Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 14:15]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 14:25]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 14:25]

2010-06-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-723013921-2880170018-1470282893-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-06-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-723013921-2880170018-1470282893-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://susqcolibrary.org/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm

Trusted Zone: microsoftofficeonline.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Susquehanna Branch\Application Data\Mozilla\Firefox\Profiles\dx2sbl1f.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.susqcolibrary.org/|http://www.susqcolibrary.org/|http://www.susqcolibrary.org/

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\Susquehanna Branch\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\Susquehanna Branch\Application Data\Mozilla\Firefox\Profiles\dx2sbl1f.default\extensions\support@ancestry.com\plugins\npImgCtl.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-ID - (no file)

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

SafeBoot-klmdb.sys

MSConfigStartUp-kq08s7rxxt - c:\windows\system32\kq08s7rxxt.exe

AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Susquehanna Branch\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-17 19:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wmrtlayg]

"ImagePath"="system32\drivers\ifkwfvog.dat"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-723013921-2880170018-1470282893-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(388)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

Completion time: 2010-06-17 19:50:07

ComboFix-quarantined-files.txt 2010-06-17 23:49

ComboFix2.txt 2008-03-28 19:21

ComboFix3.txt 2008-03-28 18:44

ComboFix4.txt 2008-03-28 17:16

Pre-Run: 41,757,196,288 bytes free

Post-Run: 41,721,335,808 bytes free

- - End Of File - - 211BA065A39BBBF120B9D610B824B9DC


Hi Borislav,

I can't find that file, either in system32 or by doing a disk search.

Here's a weird thing--after running ComboFix on Thursday, the Windows Firewall turned itself back on. This morning, it's off again and the service can't start. My instinct is to run ComboFix again & see if comp3216.dll shows up right afterward--maybe it re-infected itself and hid/renamed it?--but I won't do that until I hear from you.

The printer window was empty Thursday but I didn't have time to investigate further. This morning I tried to add a printer, get service not running, start it successfully, but immediately get a Spooler SubSystem App error.

I ran updated mbam this morning too, but it still comes up clear.

Thank you for your patience with this nasty infection!

Hilary


Sorry, the file is still not there! And this time the firewall did not turn on and the service can't be started. Here is the fresh ComboFix log:

ComboFix 10-06-20.06 - Susquehanna Branch 06/21/2010 10:53:51.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1527 [GMT -4:00]

Running from: c:\documents and settings\Susquehanna Branch\Desktop\Combo-Fix.exe

AV: F-PROT Antivirus for Windows *On-access scanning disabled* (Outdated) {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}

.

((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))

.

2010-06-21 14:16 . 2010-06-21 14:16 -------- d--h--w- c:\windows\system32\GroupPolicy

2010-06-17 23:40 . 2010-06-17 23:50 -------- d-----w- C:\Combo-Fix

2010-06-17 14:21 . 2010-06-17 14:21 -------- d-----w- C:\ERDNT

2010-06-15 17:42 . 2010-06-15 17:42 -------- d-----w- c:\documents and settings\Susquehanna Branch\Application Data\FRISK Software

2010-06-15 17:22 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-06-15 17:22 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-06-07 19:29 . 2010-06-07 19:29 -------- d-----w- C:\spoolerlogs

2010-06-07 18:48 . 2010-06-07 18:48 -------- d-----w- c:\documents and settings\Susquehanna Branch\Application Data\Malwarebytes

2010-06-07 18:41 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-07 18:41 . 2010-06-07 18:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-07 18:41 . 2010-06-07 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-07 18:41 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-03 18:20 . 2010-06-07 18:58 -------- d-----w- c:\documents and settings\Susquehanna Branch\Local Settings\Application Data\gykhaqjxy

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-21 13:03 . 2007-03-09 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-06-16 21:12 . 2002-08-29 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-06-08 15:20 . 2007-01-29 18:26 -------- d-----w- c:\program files\AIM

2010-06-08 15:02 . 2008-08-26 17:43 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-06-03 18:59 . 2006-11-20 17:46 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-26 16:28 . 2008-08-26 17:43 -------- d-----w- c:\documents and settings\Susquehanna Branch\Application Data\Thunderbird

2010-05-06 13:10 . 2009-05-06 15:02 117760 ----a-w- c:\documents and settings\Susquehanna Branch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-04-13 13:44 . 2010-04-13 13:43 4938120 ----a-w- c:\program files\Silverlight.exe

2010-03-10 15:20 . 2010-03-10 15:19 8558600 ----a-w- c:\program files\yahoo_firefox_3.6_setup_us.exe

2010-02-16 17:36 . 2010-02-16 17:36 38808920 ----a-w- c:\program files\FileFormatConverters.exe

2010-01-29 17:17 . 2010-01-29 17:15 4384320 ----a-w- c:\program files\Shockwave_Installer_Slim.exe

2010-01-28 16:26 . 2010-01-28 16:26 209624 ----a-w- c:\program files\uninstall_flash_player.exe

2010-01-28 15:12 . 2010-01-28 15:12 1924200 ----a-w- c:\program files\install_flash_player.exe

2007-12-11 16:05 . 2007-12-11 16:04 372520 ----a-w- c:\program files\ymjsetup_29.exe

2006-10-12 20:58 . 2006-10-12 20:58 782898 ----a-w- c:\program files\defs.ref

2005-11-16 14:41 . 2005-11-16 14:41 203061 ----a-w- c:\program files\AIM+Setup.exe

2005-11-16 14:38 . 2004-09-17 15:26 8715352 ----a-w- c:\program files\Install_AIM.exe

2005-03-04 19:29 . 2005-03-04 19:29 533904 ----a-w- c:\program files\psa2011se_DLM_us_full.exe

2003-11-12 20:47 . 2003-08-26 14:40 267472 ----a-w- c:\program files\NSSetup.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-05 68856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-26 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 53248]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

"F-PROT Antivirus Tray application"="c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2008-04-21 1597832]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-12 202256]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-27 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-01-26 21:30 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Millennium\\iiirunner.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AIM\\AIM95_c2\\aim.exe"=

"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=

R0 FPAV_RTP;FPAV_RTP;c:\windows\SYSTEM32\DRIVERS\FStopW.sys [2/6/2008 12:30 PM 682840]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 2:53 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 1:39 PM 74480]

R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [8/27/2009 4:26 PM 75424]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/12/2007 12:25 PM 24652]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [6/7/2010 2:41 PM 38224]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 6:51 PM 4096]

S0 wmrtlayg;wmrtlayg;c:\windows\system32\drivers\ifkwfvog.dat --> c:\windows\system32\drivers\ifkwfvog.dat [?]

S2 gluatqjk;Brother USB Mass-Storage Upper Filter Controller;c:\windows\System32\svchost.exe -k netsvcs [8/29/2002 8:00 AM 14336]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 10:25 AM 135664]

S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [3/26/2003 4:52 PM 2944]

S3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFiltLo.sys [3/26/2003 4:52 PM 12160]

S3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFiltUp.sys [3/26/2003 4:52 PM 3968]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [3/26/2003 4:52 PM 60416]

S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\SYSTEM32\DRIVERS\BrUsbMdm.sys [3/26/2003 4:52 PM 11008]

S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\SYSTEM32\DRIVERS\BrUsbScn.sys [3/26/2003 4:52 PM 10368]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

gluatqjk

.

Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 14:15]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 14:25]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 14:25]

2010-06-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-723013921-2880170018-1470282893-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-06-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-723013921-2880170018-1470282893-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://susqcolibrary.org/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm

Trusted Zone: microsoftofficeonline.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Susquehanna Branch\Application Data\Mozilla\Firefox\Profiles\dx2sbl1f.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.susqcolibrary.org/|http://www.susqcolibrary.org/|http://www.susqcolibrary.org/

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-21 10:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wmrtlayg]

"ImagePath"="system32\drivers\ifkwfvog.dat"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-723013921-2880170018-1470282893-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(384)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2352)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-06-21 10:59:33

ComboFix-quarantined-files.txt 2010-06-21 14:59

ComboFix2.txt 2010-06-17 23:50

ComboFix3.txt 2008-03-28 19:21

ComboFix4.txt 2008-03-28 18:44

ComboFix5.txt 2010-06-21 14:52

Pre-Run: 41,698,025,472 bytes free

Post-Run: 41,677,340,672 bytes free

- - End Of File - - FC9A07E81D35AE4D306CFA601998FAB7


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

NetSvc::
gluatqjk

Driver::
gluatqjk
wmrtlayg

File::
c:\windows\system32\drivers\ifkwfvog.dat

Folder::
c:\documents and settings\Susquehanna Branch\Local Settings\Application Data\gykhaqjxy

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wmrtlayg]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

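The two entries the CFScript above removes (the gluatqjk service riding in the netsvcs svchost group under a display name copied from the Brother filter driver, and the wmrtlayg boot-start driver whose .dat image is no longer on disk), together with the 127.0.0.1:5555 proxy still set under the user's Internet Settings, are patterns a responder can pull out of a ComboFix log mechanically rather than by eye. The Python script below is an added example, not part of the original thread and not a Malwarebytes or ComboFix tool: it parses service and proxy lines in the form ComboFix prints them, flags those patterns, and drafts the NetSvc::/Driver::/File:: sections in the layout the helper used. The sample lines are copied from the logs posted above; the netsvcs baseline list and the display-name heuristic are assumptions for illustration, and the Folder:: and Registry:: lines of the real script came from other parts of the log and are not derived here.

```python
"""Triage a ComboFix log for the persistence patterns seen in this thread and
draft matching CFScript sections.  Added example; heuristics are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: service and proxy lines copied from the ComboFix logs
# posted above, plus three benign lines from the same logs as controls.
SAMPLE_LOG = r"""
R0 FPAV_RTP;FPAV_RTP;c:\windows\SYSTEM32\DRIVERS\FStopW.sys [2/6/2008 12:30 PM 682840]
S0 wmrtlayg;wmrtlayg;c:\windows\system32\drivers\ifkwfvog.dat --> c:\windows\system32\drivers\ifkwfvog.dat [?]
S2 gluatqjk;Brother USB Mass-Storage Upper Filter Controller;c:\windows\System32\svchost.exe -k netsvcs [8/29/2002 8:00 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 10:25 AM 135664]
S3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFiltUp.sys [3/26/2003 4:52 PM 3968]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

# Partial list of XP services that legitimately run as "svchost.exe -k netsvcs".
# Illustrative assumption only: on a live machine read the netsvcs value under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and use that instead.
NETSVCS_BASELINE = {
    "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dhcp", "ersvc",
    "eventsystem", "helpsvc", "lanmanserver", "lanmanworkstation", "netman",
    "nla", "rasman", "schedule", "seclogon", "sens", "sharedaccess",
    "shellhwdetection", "srservice", "tapisrv", "themes", "trkwks", "w32time",
    "winmgmt", "wscsvc", "wuauserv", "wzcsvc", "xmlprov",
}

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+)$")
EXT_RE = re.compile(r"\.([A-Za-z0-9]{2,4})(?=\s|$)")
LOOPBACK = ("127.", "localhost")
IMAGE_EXTS = {"sys", "exe", "dll"}


@dataclass(frozen=True)
class Service:
    state: str    # R0/S2/...: ComboFix's start-type column
    name: str     # key name under ...\Services
    display: str
    image: str    # raw ImagePath column; carries "--> path [?]" when the file is missing


@dataclass(frozen=True)
class Finding:
    subject: str
    reason: str


def parse_services(log):
    return [Service(*m.groups()) for line in log.splitlines()
            if (m := SERVICE_RE.match(line.strip()))]


def image_path(service):
    """Drop ComboFix's "--> ..." and "[date size]" suffixes from the image column."""
    return service.image.split(" -->")[0].split(" [")[0].strip()


def triage(log):
    services = parse_services(log)
    findings = []
    # Display-name stems (all words but the last) so a copied name stands out.
    stems = {}
    for s in services:
        words = s.display.lower().split()
        if len(words) >= 3:
            stems.setdefault(" ".join(words[:-1]), []).append(s.name)
    for s in services:
        img = s.image.lower()
        if "-->" in img or "[?]" in img:
            findings.append(Finding(s.name, "ImagePath file not present on disk"))
        ext = EXT_RE.findall(image_path(s))
        if ext and ext[-1].lower() not in IMAGE_EXTS:
            findings.append(Finding(s.name, f"service image has unexpected extension .{ext[-1]}"))
        hosted = "svchost.exe" in img and "-k netsvcs" in img
        if hosted and s.name.lower() not in NETSVCS_BASELINE:
            findings.append(Finding(s.name, "unknown service loaded into the netsvcs svchost group"))
        words = s.display.lower().split()
        if hosted and len(words) >= 3:
            twins = [n for n in stems[" ".join(words[:-1])] if n != s.name]
            if twins:
                findings.append(Finding(s.name, f"display name mimics {twins[0]}"))
    for line in log.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        for entry in m.group(1).split(";"):  # "http=127.0.0.1:5555" or bare "host:port"
            host = entry.split("=")[-1].strip()
            if host.startswith(LOOPBACK):
                findings.append(Finding("ProxyServer", f"browser traffic routed through local proxy {host}"))
    return findings


def build_cfscript(log):
    """Draft NetSvc::/Driver::/File:: sections in the layout the helper used above.
    A starting point for a human to review, never something to run unreviewed."""
    services = {s.name: s for s in parse_services(log)}
    flagged = {f.subject for f in triage(log) if f.subject in services}
    netsvc = sorted(n for n in flagged if "-k netsvcs" in services[n].image.lower())
    files = sorted(image_path(services[n]) for n in flagged
                   if "-->" in services[n].image or "[?]" in services[n].image)
    parts = ["KillAll::", ""]
    if netsvc:
        parts += ["NetSvc::", *netsvc, ""]
    parts += ["Driver::", *sorted(flagged), ""]
    if files:
        parts += ["File::", *files, ""]
    return "\n".join(parts)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.subject:12} {f.reason}")
    print(build_cfscript(SAMPLE_LOG))
```

On the sample the script flags wmrtlayg twice (missing image, .dat extension), gluatqjk twice (not in the netsvcs baseline, display name copied from BrFiltUp) and the loopback proxy once, and leaves FPAV_RTP, gupdate and BrFiltUp alone. The Registry:: line in the helper's script names ControlSet001 because that is where ComboFix reported the key; a draft built from the service list alone cannot know which control set is current, which is one reason the output here stops at Driver:: and File:: and is meant to be read, not pasted.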

Oops--I forgot to disable the anti-virus. I'm sorry. Let me know if I should re-run it. Here is the new log:

ComboFix 10-06-20.06 - Susquehanna Branch 06/21/2010 12:50:37.6.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1652 [GMT -4:00]

Running from: c:\documents and settings\Susquehanna Branch\Desktop\Combo-Fix.exe

Command switches used :: F:\CFScript.txt

AV: F-PROT Antivirus for Windows *On-access scanning disabled* (Outdated) {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}

FILE ::

"c:\windows\system32\drivers\ifkwfvog.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Susquehanna Branch\Local Settings\Application Data\gykhaqjxy

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_GLUATQJK

-------\Legacy_WMRTLAYG

-------\Service_gluatqjk

((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))

.

2010-06-21 14:16 . 2010-06-21 14:16 -------- d--h--w- c:\windows\system32\GroupPolicy

2010-06-17 23:40 . 2010-06-17 23:50 -------- d-----w- C:\Combo-Fix

2010-06-17 14:21 . 2010-06-17 14:21 -------- d-----w- C:\ERDNT

2010-06-15 17:42 . 2010-06-15 17:42 -------- d-----w- c:\documents and settings\Susquehanna Branch\Application Data\FRISK Software

2010-06-15 17:22 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-06-15 17:22 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-06-07 19:29 . 2010-06-07 19:29 -------- d-----w- C:\spoolerlogs

2010-06-07 18:48 . 2010-06-07 18:48 -------- d-----w- c:\documents and settings\Susquehanna Branch\Application Data\Malwarebytes

2010-06-07 18:41 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-07 18:41 . 2010-06-07 18:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-07 18:41 . 2010-06-07 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-07 18:41 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-21 13:03 . 2007-03-09 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-06-16 21:12 . 2002-08-29 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-06-08 15:20 . 2007-01-29 18:26 -------- d-----w- c:\program files\AIM

2010-06-08 15:02 . 2008-08-26 17:43 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-06-03 18:59 . 2006-11-20 17:46 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-26 16:28 . 2008-08-26 17:43 -------- d-----w- c:\documents and settings\Susquehanna Branch\Application Data\Thunderbird

2010-05-06 13:10 . 2009-05-06 15:02 117760 ----a-w- c:\documents and settings\Susquehanna Branch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-04-13 13:44 . 2010-04-13 13:43 4938120 ----a-w- c:\program files\Silverlight.exe

2010-03-10 15:20 . 2010-03-10 15:19 8558600 ----a-w- c:\program files\yahoo_firefox_3.6_setup_us.exe

2010-02-16 17:36 . 2010-02-16 17:36 38808920 ----a-w- c:\program files\FileFormatConverters.exe

2010-01-29 17:17 . 2010-01-29 17:15 4384320 ----a-w- c:\program files\Shockwave_Installer_Slim.exe

2010-01-28 16:26 . 2010-01-28 16:26 209624 ----a-w- c:\program files\uninstall_flash_player.exe

2010-01-28 15:12 . 2010-01-28 15:12 1924200 ----a-w- c:\program files\install_flash_player.exe

2007-12-11 16:05 . 2007-12-11 16:04 372520 ----a-w- c:\program files\ymjsetup_29.exe

2006-10-12 20:58 . 2006-10-12 20:58 782898 ----a-w- c:\program files\defs.ref

2005-11-16 14:41 . 2005-11-16 14:41 203061 ----a-w- c:\program files\AIM+Setup.exe

2005-11-16 14:38 . 2004-09-17 15:26 8715352 ----a-w- c:\program files\Install_AIM.exe

2005-03-04 19:29 . 2005-03-04 19:29 533904 ----a-w- c:\program files\psa2011se_DLM_us_full.exe

2003-11-12 20:47 . 2003-08-26 14:40 267472 ----a-w- c:\program files\NSSetup.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-05 68856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-26 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 53248]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

"F-PROT Antivirus Tray application"="c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2008-04-21 1597832]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-12 202256]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-27 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-01-26 21:30 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Millennium\\iiirunner.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AIM\\AIM95_c2\\aim.exe"=

"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=

R0 FPAV_RTP;FPAV_RTP;c:\windows\SYSTEM32\DRIVERS\FStopW.sys [2/6/2008 12:30 PM 682840]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 2:53 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 1:39 PM 74480]

R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [8/27/2009 4:26 PM 75424]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/12/2007 12:25 PM 24652]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 6:51 PM 4096]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 10:25 AM 135664]

S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [3/26/2003 4:52 PM 2944]

S3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFiltLo.sys [3/26/2003 4:52 PM 12160]

S3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFiltUp.sys [3/26/2003 4:52 PM 3968]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [3/26/2003 4:52 PM 60416]

S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\SYSTEM32\DRIVERS\BrUsbMdm.sys [3/26/2003 4:52 PM 11008]

S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\SYSTEM32\DRIVERS\BrUsbScn.sys [3/26/2003 4:52 PM 10368]

.

Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 14:15]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 14:25]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 14:25]

2010-06-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-723013921-2880170018-1470282893-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-06-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-723013921-2880170018-1470282893-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://susqcolibrary.org/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm

Trusted Zone: microsoftofficeonline.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Susquehanna Branch\Application Data\Mozilla\Firefox\Profiles\dx2sbl1f.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.susqcolibrary.org/|http://www.susqcolibrary.org/|http://www.susqcolibrary.org/

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-21 13:02

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-723013921-2880170018-1470282893-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(384)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3316)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\CTsvcCDA.exe

c:\program files\Flip Video\FlipShare\FlipShareService.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\windows\System32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-06-21 13:07:19 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-21 17:07

ComboFix2.txt 2010-06-21 14:59

ComboFix3.txt 2010-06-17 23:50

ComboFix4.txt 2008-03-28 19:21

ComboFix5.txt 2010-06-21 16:49

Pre-Run: 41,803,362,304 bytes free

Post-Run: 41,705,832,448 bytes free

- - End Of File - - AA79AB8FFABBB1DA29A941BB98CD08B0


We need to repair some of windows' internal registration settings

  1. Please download Dial-A-Fix from one of the following mirrors:

  2. Extract the zip file to your desktop.

  3. Double click Dial-a-Fix.exe to start the program.

  4. Press the green double checkmark box (Looks like this: checkmark.png)

  5. UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this:

toUncheck.png

  6. When the window looks like this, press the GO button in the bottom of the window.

mainWindow.png

  7. Exit/Close Dial-A-Fix


I ran it, but got some errors (see log file below at the top, then starting with iesetup.dll). Are they issues with IE8?

I think there is still an active infection though--unless something is making it unstable??? After running Dial-a-Fix I rebooted. The Windows Firewall turned on. I went into Security Center to double-check, and yes, it was showing green ON. About 1 minute later, it turned off. Now service can't be started, and Spooler SubSystem App error comes back after starting the print spooler.

BTW, I don't know if I made this clear: this computer hasn't been connected to anything this whole time. Ethernet unplugged and I transfer the files needed with a flash drive.

Thanks again so much for your time, Borislav!

2:08:20 PM | Dial-a-fix was unable to determine your version of Internet Explorer

Notes about this log:

1) "->" denotes an external command being executed, and "-> (number)" indicates

the return code from the previous command

2) Not all external command return codes are accurate, or useful

3) Sometimes commands return 0 (no error) even when they fail or crash

4) If an error occurs while registering an object, please send an email to:

dial-a-fix@DjLizard.net and include a copy of this log

DAF version: v0.60.0.24

--- System info ---

OS: Microsoft Windows XP Service Pack 3

IE version: 8.0.6001.18702

MPC: 55274-OEM

CPU: Intel® Pentium® 4 CPU 2.66GHz (~2660MHz)

BIOS: 1/27/2003

Memory (approx): 2047MB

Uptime: 1 hour(s)

Current directory: C:\Documents and Settings\Susquehanna Branch\Desktop\Dial-a-fix-v0.60.0.24

---

6/21/2010 2:08:20 PM -- Dial-a-fix : [v0.60.0.24] -- started

2:08:20 PM | Policy scan started

2:08:20 PM | Policy scan ended - no restrictive policies were found

--- MSI ---

2:08:52 PM | Registered: C:\WINDOWS\system32\msi.dll

--- Windows Update ---

--- Registration: Windows Update/Automatic Update DLLs ---

2:09:00 PM | Unregistered: C:\WINDOWS\system32\msxml.dll

2:09:00 PM | Registered: C:\WINDOWS\system32\msxml.dll

2:09:00 PM | Unregistered: C:\WINDOWS\system32\msxml2.dll

2:09:01 PM | Registered: C:\WINDOWS\system32\msxml2.dll

2:09:05 PM | Unregistered: C:\WINDOWS\system32\msxml3.dll

2:09:06 PM | Registered: C:\WINDOWS\system32\msxml3.dll

2:09:06 PM | Unregistered: C:\WINDOWS\system32\msxml4.dll

2:09:06 PM | Registered: C:\WINDOWS\system32\msxml4.dll

2:09:06 PM | Unregistered: C:\WINDOWS\system32\qmgr.dll

2:09:06 PM | Registered: C:\WINDOWS\system32\qmgr.dll

2:09:06 PM | Unregistered: C:\WINDOWS\system32\qmgrprxy.dll

2:09:06 PM | Registered: C:\WINDOWS\system32\qmgrprxy.dll

2:09:06 PM | Unregistered: C:\WINDOWS\system32\muweb.dll

2:09:06 PM | Registered: C:\WINDOWS\system32\muweb.dll

2:09:06 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll

2:09:06 PM | Registered: C:\WINDOWS\system32\winhttp.dll

2:09:07 PM | Registered: C:\WINDOWS\system32\wuapi.dll

2:09:07 PM | Unregistered: C:\WINDOWS\system32\wuaueng.dll

2:09:08 PM | Registered: C:\WINDOWS\system32\wuaueng.dll

2:09:08 PM | Unregistered: C:\WINDOWS\system32\wuaueng1.dll

2:09:08 PM | Registered: C:\WINDOWS\system32\wuaueng1.dll

2:09:08 PM | Unregistered: C:\WINDOWS\system32\wucltui.dll

2:09:08 PM | Registered: C:\WINDOWS\system32\wucltui.dll

2:09:08 PM | Unregistered: C:\WINDOWS\system32\wups.dll

2:09:08 PM | Registered: C:\WINDOWS\system32\wups.dll

2:09:08 PM | Unregistered: C:\WINDOWS\system32\wups2.dll

2:09:08 PM | Registered: C:\WINDOWS\system32\wups2.dll

2:09:08 PM | Unregistered: C:\WINDOWS\system32\wuweb.dll

2:09:08 PM | Registered: C:\WINDOWS\system32\wuweb.dll

2:09:08 PM | Registered: C:\WINDOWS\system32\ole32.dll

--- SSL/HTTPS/Cryptography ---

2:09:20 PM | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'

--- Registration: SSL/HTTPS/Cryptography ---

2:09:24 PM | Unregistered: C:\WINDOWS\system32\cryptdlg.dll

2:09:24 PM | Registered: C:\WINDOWS\system32\cryptdlg.dll

2:09:25 PM | Unregistered: C:\WINDOWS\system32\cryptui.dll

2:09:25 PM | Registered: C:\WINDOWS\system32\cryptui.dll

2:09:25 PM | Unregistered: C:\WINDOWS\system32\cryptext.dll

2:09:25 PM | Registered: C:\WINDOWS\system32\cryptext.dll

2:09:25 PM | Unregistered: C:\WINDOWS\system32\dssenh.dll

2:09:25 PM | Registered: C:\WINDOWS\system32\dssenh.dll

2:09:25 PM | Unregistered: C:\WINDOWS\system32\gpkcsp.dll

2:09:25 PM | Registered: C:\WINDOWS\system32\gpkcsp.dll

2:09:25 PM | Unregistered: C:\WINDOWS\system32\initpki.dll

2:10:18 PM | Registered: C:\WINDOWS\system32\initpki.dll

2:10:18 PM | Unregistered: C:\WINDOWS\system32\licdll.dll

2:10:18 PM | Registered: C:\WINDOWS\system32\licdll.dll

2:10:18 PM | Unregistered: C:\WINDOWS\system32\mssign32.dll

2:10:18 PM | Registered: C:\WINDOWS\system32\mssign32.dll

2:10:18 PM | Unregistered: C:\WINDOWS\system32\mssip32.dll

2:10:19 PM | Registered: C:\WINDOWS\system32\mssip32.dll

2:10:19 PM | Unregistered: C:\WINDOWS\system32\scardssp.dll

2:10:19 PM | Registered: C:\WINDOWS\system32\scardssp.dll

2:10:20 PM | Unregistered: C:\WINDOWS\system32\sccbase.dll

2:10:20 PM | Registered: C:\WINDOWS\system32\sccbase.dll

2:10:20 PM | Unregistered: C:\WINDOWS\system32\scecli.dll

2:10:20 PM | Registered: C:\WINDOWS\system32\scecli.dll

2:10:20 PM | Unregistered: C:\WINDOWS\system32\softpub.dll

2:10:20 PM | Registered: C:\WINDOWS\system32\softpub.dll

2:10:20 PM | Unregistered: C:\WINDOWS\system32\slbcsp.dll

2:10:20 PM | Registered: C:\WINDOWS\system32\slbcsp.dll

2:10:21 PM | Unregistered: C:\WINDOWS\system32\regwizc.dll

2:10:21 PM | Registered: C:\WINDOWS\system32\regwizc.dll

2:10:21 PM | Unregistered: C:\WINDOWS\system32\rsaenh.dll

2:10:21 PM | Registered: C:\WINDOWS\system32\rsaenh.dll

2:10:21 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll

2:10:21 PM | Registered: C:\WINDOWS\system32\winhttp.dll

2:10:21 PM | Unregistered: C:\WINDOWS\system32\wintrust.dll

2:10:21 PM | Registered: C:\WINDOWS\system32\wintrust.dll

--- Registration: ActiveX controls/codecs ---

2:10:22 PM | Registered: C:\WINDOWS\system32\acelpdec.ax

2:10:22 PM | Registered: C:\WINDOWS\system32\actxprxy.dll

2:10:22 PM | Registered: C:\WINDOWS\system32\asctrls.ocx

2:10:22 PM | Registered: C:\WINDOWS\system32\daxctle.ocx

2:10:22 PM | Registered: C:\WINDOWS\system32\hhctrl.ocx

2:10:22 PM | Registered: C:\WINDOWS\system32\l3codecx.ax

2:10:22 PM | Registered: C:\WINDOWS\system32\licmgr10.dll

2:10:22 PM | Registered: C:\WINDOWS\system32\mpg4ds32.ax

2:10:26 PM | Registered: C:\WINDOWS\system32\msdxm.ocx

2:10:26 PM | Registered: C:\WINDOWS\system32\proctexe.ocx

2:10:26 PM | Registered: C:\WINDOWS\system32\tdc.ocx

2:10:26 PM | Registered: C:\WINDOWS\system32\wshom.ocx

--- Registration: Control Panel applets ---

2:10:26 PM | DllInstalled: C:\WINDOWS\system32\inetcpl.cpl

2:10:27 PM | DllInstalled: C:\WINDOWS\system32\appwiz.cpl

2:10:27 PM | Registered: C:\WINDOWS\system32\appwiz.cpl

2:10:27 PM | DllInstalled: C:\WINDOWS\system32\nusrmgr.cpl

2:10:27 PM | Registered: C:\WINDOWS\system32\nusrmgr.cpl

--- Registration: Direct[X|Draw|Show|Media] ---

2:10:27 PM | Registered: C:\WINDOWS\system32\quartz.dll

2:10:28 PM | Registered: C:\WINDOWS\system32\danim.dll

2:10:28 PM | Registered: C:\WINDOWS\system32\dmscript.dll

2:10:29 PM | Registered: C:\WINDOWS\system32\dmstyle.dll

2:10:29 PM | Registered: C:\WINDOWS\system32\dxmasf.dll

2:10:29 PM | Registered: C:\WINDOWS\system32\dxtmsft.dll

2:10:29 PM | Registered: C:\WINDOWS\system32\dxtrans.dll

2:10:29 PM | Registered: C:\WINDOWS\system32\sbe.dll

--- Registration: Programming cores/runtimes ---

2:10:29 PM | Registered: C:\WINDOWS\system32\atl.dll

2:10:29 PM | Registered: C:\WINDOWS\system32\corpol.dll

2:10:29 PM | Registered: C:\WINDOWS\system32\jscript.dll

2:10:29 PM | Registered: C:\WINDOWS\system32\dispex.dll

2:10:29 PM | Registered: C:\WINDOWS\system32\scrrun.dll

2:10:29 PM | Registered: C:\WINDOWS\system32\scrobj.dll

2:10:29 PM | Registered: C:\WINDOWS\system32\vbscript.dll

2:10:30 PM | Registered: C:\WINDOWS\system32\wshext.dll

--- Registration: Explorer/IE/OE/shell/WMP ---

2:10:30 PM | Registered: C:\WINDOWS\system32\activeds.dll

2:10:30 PM | Registered: C:\WINDOWS\system32\audiodev.dll

2:10:31 PM | DllInstalled: C:\WINDOWS\system32\browseui.dll

2:10:31 PM | Registered: C:\WINDOWS\system32\browseui.dll

2:10:31 PM | Registered: C:\WINDOWS\system32\browsewm.dll

2:10:31 PM | Registered: C:\WINDOWS\system32\cabview.dll

2:10:31 PM | Registered: C:\WINDOWS\system32\cdfview.dll

2:10:32 PM | Registered: C:\WINDOWS\system32\clbcatex.dll

2:10:32 PM | Registered: C:\WINDOWS\system32\clbcatq.dll

2:10:32 PM | Registered: C:\WINDOWS\system32\comcat.dll

2:10:32 PM | Registered: C:\WINDOWS\system32\cscui.dll

2:10:32 PM | Registered: C:\WINDOWS\system32\credui.dll

2:10:32 PM | Registered: C:\WINDOWS\system32\datime.dll

2:10:32 PM | Registered: C:\WINDOWS\system32\devmgr.dll

2:10:32 PM | Registered: C:\WINDOWS\system32\dfsshlex.dll

2:10:32 PM | Registered: C:\WINDOWS\system32\dmdlgs.dll

2:10:32 PM | Registered: C:\WINDOWS\system32\dmdskmgr.dll

2:10:32 PM | Registered: C:\WINDOWS\system32\dmloader.dll

2:10:33 PM | Registered: C:\WINDOWS\system32\dmocx.dll

2:10:33 PM | Registered: C:\WINDOWS\system32\dmview.ocx

2:10:33 PM | DllInstalled: C:\WINDOWS\system32\dsuiext.dll

2:10:33 PM | Registered: C:\WINDOWS\system32\dsuiext.dll

2:10:33 PM | DllInstalled: C:\WINDOWS\system32\dsquery.dll

2:10:33 PM | Registered: C:\WINDOWS\system32\dsquery.dll

2:10:33 PM | Registered: C:\WINDOWS\system32\dskquoui.dll

2:10:33 PM | Registered: C:\WINDOWS\system32\els.dll

2:10:33 PM | Registered: C:\WINDOWS\system32\es.dll

2:10:34 PM | Registered: C:\WINDOWS\system32\fontext.dll

2:10:34 PM | Registered: C:\WINDOWS\system32\hlink.dll

2:10:34 PM | Registered: C:\WINDOWS\system32\hnetcfg.dll

2:10:34 PM | Registered: C:\WINDOWS\system32\iedkcs32.dll

2:10:34 PM | Registered: C:\WINDOWS\system32\iepeers.dll

2:10:34 PM | Error 127: C:\WINDOWS\system32\iesetup.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702

3:25:53 PM | Error 127: C:\WINDOWS\system32\iesetup.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702

3:25:58 PM | Registered: C:\WINDOWS\system32\ils.dll

3:25:58 PM | Error 127: C:\WINDOWS\system32\imgutil.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702

3:26:23 PM | Registered: C:\WINDOWS\system32\inetcfg.dll

3:26:23 PM | Registered: C:\WINDOWS\system32\inetcomm.dll

3:26:23 PM | Error 127: C:\WINDOWS\system32\inseng.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702

3:26:43 PM | Error 127: C:\WINDOWS\system32\inseng.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702

3:26:53 PM | Registered: C:\WINDOWS\system32\laprxy.dll

3:26:54 PM | Registered: C:\WINDOWS\system32\lmrt.dll

3:26:54 PM | Registered: C:\WINDOWS\system32\mlang.dll

3:26:54 PM | Registered: C:\WINDOWS\system32\mmcndmgr.dll

3:26:55 PM | Registered: C:\WINDOWS\system32\mmcshext.dll

3:26:55 PM | Error 127: C:\WINDOWS\system32\mshtml.dll is not registerable or the file is corrupted. Version: 8.00.6001.18904

3:27:17 PM | Error 127: C:\WINDOWS\system32\mshtml.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18904

3:27:27 PM | Registered: C:\WINDOWS\system32\mshtmled.dll

3:27:27 PM | Registered: C:\WINDOWS\system32\msieftp.dll

3:27:27 PM | Registered: C:\WINDOWS\system32\msoeacct.dll

3:27:27 PM | Registered: C:\WINDOWS\system32\msr2c.dll

3:27:27 PM | Error 127: C:\WINDOWS\system32\msrating.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702

3:28:03 PM | DllInstalled: C:\WINDOWS\system32\mydocs.dll

3:28:03 PM | Registered: C:\WINDOWS\system32\mydocs.dll

3:28:03 PM | Registered: C:\WINDOWS\system32\mstime.dll

3:28:03 PM | Registered: C:\WINDOWS\system32\netcfgx.dll

3:28:03 PM | DllInstalled: C:\WINDOWS\system32\netplwiz.dll

3:28:03 PM | Registered: C:\WINDOWS\system32\netplwiz.dll

3:28:03 PM | Registered: C:\WINDOWS\system32\netman.dll

3:28:04 PM | Registered: C:\WINDOWS\system32\netshell.dll

3:28:04 PM | Registered: C:\WINDOWS\system32\ntmsevt.dll

3:28:04 PM | Registered: C:\WINDOWS\system32\ntmsmgr.dll

3:28:04 PM | DllInstalled: C:\WINDOWS\system32\ntmssvc.dll

3:28:04 PM | Registered: C:\WINDOWS\system32\ntmssvc.dll

3:28:04 PM | Error 127: C:\WINDOWS\system32\occache.dll is not registerable or the file is corrupted. Version: 8.00.6001.18904

3:28:30 PM | Error 127: C:\WINDOWS\system32\occache.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18904

3:28:32 PM | Registered: C:\WINDOWS\system32\ole32.dll

3:28:32 PM | Registered: C:\WINDOWS\system32\oleaut32.dll

3:28:32 PM | Registered: C:\WINDOWS\system32\oleacc.dll

3:28:32 PM | Registered: C:\WINDOWS\system32\olepro32.dll

3:28:32 PM | DllInstalled: C:\WINDOWS\system32\photowiz.dll

3:28:32 PM | Registered: C:\WINDOWS\system32\photowiz.dll

3:28:32 PM | Error 127: C:\WINDOWS\system32\pngfilt.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702

3:28:54 PM | Registered: C:\WINDOWS\system32\remotepg.dll

3:28:54 PM | Registered: C:\WINDOWS\system32\rpcrt4.dll

3:28:54 PM | Registered: C:\WINDOWS\system32\rshx32.dll

3:28:54 PM | Registered: C:\WINDOWS\system32\sendmail.dll

3:28:54 PM | Registered: C:\WINDOWS\system32\slayerxp.dll

3:28:56 PM | DllInstalled: C:\WINDOWS\system32\shdocvw.dll

3:28:56 PM | Registered: C:\WINDOWS\system32\shdocvw.dll

3:28:56 PM | Registered: C:\WINDOWS\system32\shell32.dll

3:28:59 PM | DllInstalled: C:\WINDOWS\system32\shell32.dll

3:28:59 PM | Registered: C:\WINDOWS\system32\shmedia.dll

3:28:59 PM | DllInstalled: C:\WINDOWS\system32\shimgvw.dll

3:28:59 PM | Registered: C:\WINDOWS\system32\shimgvw.dll

3:28:59 PM | DllInstalled: C:\WINDOWS\system32\shsvcs.dll

3:29:00 PM | Registered: C:\WINDOWS\system32\shsvcs.dll

3:29:00 PM | Registered: C:\WINDOWS\system32\srclient.dll

3:29:00 PM | Unregistered: C:\WINDOWS\system32\stobject.dll

3:29:00 PM | Registered: C:\WINDOWS\system32\stobject.dll

3:29:00 PM | DllInstalled: C:\WINDOWS\system32\themeui.dll

3:29:00 PM | Registered: C:\WINDOWS\system32\themeui.dll

3:29:00 PM | Registered: C:\WINDOWS\system32\twext.dll

3:29:01 PM | DllInstalled: C:\WINDOWS\system32\urlmon.dll

3:29:01 PM | Registered: C:\WINDOWS\system32\urlmon.dll

3:29:02 PM | Registered: C:\WINDOWS\system32\userenv.dll

3:29:02 PM | Error 127: C:\WINDOWS\system32\webcheck.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702

3:29:14 PM | Error 127: C:\WINDOWS\system32\webcheck.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702

3:29:16 PM | Registered: C:\WINDOWS\system32\webvw.dll

3:29:16 PM | Registered: C:\WINDOWS\system32\winhttp.dll

3:29:16 PM | DllInstalled: C:\WINDOWS\system32\wininet.dll

3:29:17 PM | Registered: C:\WINDOWS\system32\zipfldr.dll

3:29:17 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdadc.dll

3:29:17 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaenum.dll

3:29:17 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaer.dll

3:29:17 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaipp.dll

3:29:17 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaora.dll

3:29:17 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaosp.dll

3:29:17 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaps.dll

3:29:17 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasc.dll

3:29:18 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasql.dll

3:29:18 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdatt.dll

3:29:18 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaurl.dll

3:29:18 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmeng.dll

3:29:19 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmine.dll

3:29:19 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdcb80.dll

3:29:19 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdgd80.dll

3:29:19 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolap80.dll

3:29:19 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolui80.dll

3:29:19 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msxactps.dll

3:29:20 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32.dll

3:29:20 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32r.dll

3:29:20 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqloledb.dll

3:29:20 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqlxmlx.dll
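An added example, not part of the original thread and not Dial-a-fix's own code: a small parser for the Dial-a-fix log format shown above that separates the successful Registered/Unregistered/DllInstalled entries from the "Error 127" ones and groups the failing modules by the file version the log reports, which is the quickest way to check whether every failure involves one family of components. The sample lines are copied from the log in this post; the regexes are assumptions based on that log's layout.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the Dial-a-fix log
# pasted above (header warning, successes and Error 127 entries).
SAMPLE_LOG = r"""
2:08:20 PM | Dial-a-fix was unable to determine your version of Internet Explorer
2:10:34 PM | Registered: C:\WINDOWS\system32\iepeers.dll
2:10:34 PM | Error 127: C:\WINDOWS\system32\iesetup.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
3:25:53 PM | Error 127: C:\WINDOWS\system32\iesetup.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702
3:25:58 PM | Registered: C:\WINDOWS\system32\ils.dll
3:26:55 PM | Error 127: C:\WINDOWS\system32\mshtml.dll is not registerable or the file is corrupted. Version: 8.00.6001.18904
3:28:03 PM | DllInstalled: C:\WINDOWS\system32\mydocs.dll
3:29:00 PM | Unregistered: C:\WINDOWS\system32\stobject.dll
"""

# Entry shapes assumed from the log: "<time> | <Action>: <path>" for successes and
# "<time> | Error <code>: <path> is not <what> ... Version: <ver>" for failures.
OK_RE = re.compile(
    r"^(?P<time>\d+:\d+:\d+ [AP]M) \| "
    r"(?P<action>Registered|Unregistered|DllInstalled): (?P<path>.+)$")
ERR_RE = re.compile(
    r"^(?P<time>\d+:\d+:\d+ [AP]M) \| Error (?P<code>\d+): (?P<path>.+?) "
    r"is not (?P<what>registerable|DLLInstall-able) .*?Version: (?P<version>\S+)$")


def parse_daf_log(text):
    """Return (successes, failures): successes as (action, path) tuples,
    failures as dicts with time, path, code, what and version.
    Section headers, notes and the IE-version warning are ignored."""
    successes, failures = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ERR_RE.match(line)
        if m:
            failures.append({"time": m["time"], "path": m["path"], "code": int(m["code"]),
                             "what": m["what"], "version": m["version"]})
            continue
        m = OK_RE.match(line)
        if m:
            successes.append((m["action"], m["path"]))
    return successes, failures


def failures_by_version(failures):
    """Group failing module file names (last path component, lower-cased)
    by the reported file version, deduplicating repeated entries."""
    groups = defaultdict(set)
    for f in failures:
        groups[f["version"]].add(f["path"].rsplit("\\", 1)[-1].lower())
    return {v: sorted(names) for v, names in groups.items()}
```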
