
I picked up a virus a couple months ago - had a computer shop remove it (it was a bugger!)

Now I've got this (probably residual) infection.

Computer boots slow at times - sometimes just to black screen.

Installation of programs often returns an error of: 'Installation already in progress, stop other installation before proceeding'

But, I was able to install MBAM, Spybot, and SuperAntiSpyware. HUH!

I run Avast.

Any help greatly appreciated - this is a ^%$#ing nuisance!

Here's the log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Charles at 14:12:21.01 on Fri 06/18/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1272 [GMT -7:00]

AV: avast! Internet Security *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: avast! Internet Security *enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\WTouch\WTouchService.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\WTouch\WTouchUser.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\afwServ.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\FolderSize\FolderSizeSvc.exe

C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\Pen_Tablet.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE

C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe

C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Documents and Settings\Charles\Application Data\Dropbox\bin\Dropbox.exe

C:\Documents and Settings\Charles\My Documents\Downloads\ProcessExplorer\procexp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Charles\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"

mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start

mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32

StartupFolder: c:\docume~1\charles\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\charles\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\charles\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\charles\startm~1\programs\startup\shortc~1.lnk - c:\documents and settings\charles\my documents\downloads\processexplorer\procexp.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: {D0F3C7CD-E7F4-441C-B700-346CF554732B} = 8.8.8.8,8.8.4.4

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\charles\applic~1\mozilla\firefox\profiles\03noie0j.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\charles\application data\mozilla\plugins\npPxPlay.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\tabletplugins\npwacom.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2010-6-13 12112]

R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2010-6-13 190416]

R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2010-6-13 99280]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2010-6-13 307280]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-13 164048]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-13 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-13 40384]

R2 avast! Firewall;avast! Firewall;c:\program files\alwil software\avast5\afwServ.exe [2010-6-13 119200]

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-4-14 4497704]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-4-30 5010288]

R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-4-14 113448]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-13 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-13 40384]

R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-3-27 16168]

=============== Created Last 30 ================

2010-06-18 21:03:32 0 ----a-w- c:\documents and settings\charles\defogger_reenable

2010-06-18 20:52:49 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-06-18 20:52:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-06-18 19:54:35 0 d-----w- c:\docume~1\charles\applic~1\SUPERAntiSpyware.com

2010-06-18 19:54:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-06-18 19:54:18 0 d-----w- c:\program files\SUPERAntiSpyware

2010-06-17 22:07:37 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-06-17 22:07:37 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-16 22:06:22 0 d-----w- C:\Dropbox

2010-06-16 21:22:41 0 d-----w- c:\docume~1\charles\applic~1\Dropbox

2010-06-15 23:04:20 0 d-----w- c:\docume~1\charles\applic~1\Foxit Software

2010-06-14 00:11:52 307280 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2010-06-14 00:11:50 99280 ----a-w- c:\windows\system32\drivers\aswFW.sys

2010-06-14 00:11:25 190416 ----a-w- c:\windows\system32\drivers\aswNdis2.sys

2010-06-14 00:10:48 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys

2010-06-13 23:41:58 0 d-----w- C:\avastun

2010-06-13 06:23:09 0 d-----w- c:\windows\system32\wbem\Repository

2010-06-12 18:29:18 409731 ----a-w- C:\Img4541-2.jpg

2010-06-12 18:28:48 0 d-----w- C:\small

2010-06-03 21:01:25 0 d-----w- c:\windows\pss

2010-05-28 18:57:08 376 ----a-w- c:\windows\ODBC.INI

2010-05-25 13:14:56 0 d-----w- c:\program files\SoftLogica

2010-05-25 01:01:28 44544 ----a-w- c:\windows\system32\msxml4a.dll

2010-05-25 01:01:26 0 d-----w- c:\program files\File Recover

==================== Find3M ====================

2010-06-12 20:07:55 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdy.DAT

2010-05-25 14:26:13 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLbx.DAT

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-21 20:42:21 60819 ----a-w- c:\windows\hpwins03.dat

2010-04-03 23:00:38 165407 ----a-w- c:\windows\ProSelect Uninstaller.exe

2010-03-19 21:10:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010031920100320\index.dat

============= FINISH: 14:14:29.06 ===============

Attach.zip


Hello chuckwa! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed of any changes.

  • Launch Malwarebytes' Anti-Malware
  • Go to the "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to the "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. a new fresh DDS log only


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4219

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/20/2010 12:27:42 PM

mbam-log-2010-06-20 (12-27-42).txt

Scan type: Quick scan

Objects scanned: 132392

Time elapsed: 8 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 12:31 on 20/06/2010 (Charles)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-


BTW: Defogger never asked to reboot the machine. I am doing that manually now, then will run DDS.



Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.


DDS (Ver_10-03-17.01) - NTFSx86

Run by Charles at 12:48:24.07 on Sun 06/20/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1428 [GMT -7:00]

AV: avast! Internet Security *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: avast! Internet Security *enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\WTouch\WTouchService.exe

svchost.exe

C:\Program Files\WTouch\WTouchUser.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\afwServ.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\FolderSize\FolderSizeSvc.exe

C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\Pen_Tablet.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe

C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE

C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe

C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Documents and Settings\Charles\Application Data\Dropbox\bin\Dropbox.exe

C:\Documents and Settings\Charles\My Documents\Downloads\ProcessExplorer\procexp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Charles\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"

mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start

mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32

StartupFolder: c:\docume~1\charles\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\charles\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\charles\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\charles\startm~1\programs\startup\shortc~1.lnk - c:\documents and settings\charles\my documents\downloads\processexplorer\procexp.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: {D0F3C7CD-E7F4-441C-B700-346CF554732B} = 8.8.8.8,8.8.4.4

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\charles\applic~1\mozilla\firefox\profiles\03noie0j.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\charles\application data\mozilla\plugins\npPxPlay.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\tabletplugins\npwacom.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2010-6-13 12112]

R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2010-6-13 190416]

R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2010-6-13 99280]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2010-6-13 307280]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-13 164048]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-13 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-13 40384]

R2 avast! Firewall;avast! Firewall;c:\program files\alwil software\avast5\afwServ.exe [2010-6-13 119200]

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-4-14 4497704]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-4-30 5010288]

R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-4-14 113448]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-13 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-13 40384]

R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-3-27 16168]

=============== Created Last 30 ================

2010-06-20 19:40:12 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS

2010-06-20 19:31:55 0 ----a-w- c:\documents and settings\charles\defogger_reenable

2010-06-18 22:52:18 0 d-----w- c:\windows\system32\appmgmt

2010-06-18 20:52:49 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-06-18 20:52:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-06-18 19:54:35 0 d-----w- c:\docume~1\charles\applic~1\SUPERAntiSpyware.com

2010-06-18 19:54:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-06-18 19:54:18 0 d-----w- c:\program files\SUPERAntiSpyware

2010-06-17 22:07:37 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-06-17 22:07:37 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-16 22:06:22 0 d-----w- C:\Dropbox

2010-06-16 21:22:41 0 d-----w- c:\docume~1\charles\applic~1\Dropbox

2010-06-15 23:04:20 0 d-----w- c:\docume~1\charles\applic~1\Foxit Software

2010-06-14 00:11:52 307280 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2010-06-14 00:11:50 99280 ----a-w- c:\windows\system32\drivers\aswFW.sys

2010-06-14 00:11:25 190416 ----a-w- c:\windows\system32\drivers\aswNdis2.sys

2010-06-14 00:10:48 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys

2010-06-13 23:41:58 0 d-----w- C:\avastun

2010-06-13 06:23:09 0 d-----w- c:\windows\system32\wbem\Repository

2010-06-12 18:29:18 409731 ----a-w- C:\Img4541-2.jpg

2010-06-12 18:28:48 0 d-----w- C:\small

2010-06-03 21:01:25 0 d-----w- c:\windows\pss

2010-05-28 18:57:08 376 ----a-w- c:\windows\ODBC.INI

2010-05-25 13:14:56 0 d-----w- c:\program files\SoftLogica

2010-05-25 01:01:28 44544 ----a-w- c:\windows\system32\msxml4a.dll

2010-05-25 01:01:26 0 d-----w- c:\program files\File Recover

==================== Find3M ====================

2010-06-18 22:52:11 0 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdy.DAT

2010-05-25 14:26:13 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLbx.DAT

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-21 20:42:21 60819 ----a-w- c:\windows\hpwins03.dat

2010-04-03 23:00:38 165407 ----a-w- c:\windows\ProSelect Uninstaller.exe

2010-03-19 21:10:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010031920100320\index.dat

============= FINISH: 12:49:50.21 ===============

Attach.zip


Here's the TDSS log file:

Also, when I ran GMER, it rebooted my computer and there was no log file.

??

14:56:22:187 3624 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48

14:56:22:187 3624 ================================================================================

14:56:22:187 3624 SystemInfo:

14:56:22:187 3624 OS Version: 5.1.2600 ServicePack: 3.0

14:56:22:187 3624 Product type: Workstation

14:56:22:187 3624 ComputerName: CHARLES-8BF7B3D

14:56:22:187 3624 UserName: Charles

14:56:22:187 3624 Windows directory: C:\WINDOWS

14:56:22:187 3624 Processor architecture: Intel x86

14:56:22:187 3624 Number of processors: 2

14:56:22:187 3624 Page size: 0x1000

14:56:22:187 3624 Boot type: Normal boot

14:56:22:187 3624 ================================================================================

14:56:22:343 3624 Initialize success

14:56:22:343 3624

14:56:22:343 3624 Scanning Services ...

14:56:22:718 3624 Raw services enum returned 351 services

14:56:22:734 3624

14:56:22:734 3624 Scanning Drivers ...


14:56:23:750 3624 atapi (30221779197af71ca07ab36e578f6e66) C:\WINDOWS\system32\DRIVERS\atapi.sys

14:56:23:750 3624 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 30221779197af71ca07ab36e578f6e66, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674

14:56:23:750 3624 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...

14:56:25:484 3624 Backup copy found, using it..

14:56:25:500 3624 will be cured on next reboot


14:56:33:359 3624 Reboot required for cure complete..

14:56:33:640 3624 Cure on reboot scheduled successfully

14:56:33:640 3624

14:56:33:640 3624 Completed

14:56:33:640 3624

14:56:33:640 3624 Results:

14:56:33:640 3624 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

14:56:33:640 3624 File objects infected / cured / cured on reboot: 1 / 0 / 1

14:56:33:640 3624

14:56:33:640 3624 KLMD(ARK) unloaded successfully


OH, boy....

Now I have a pop-up off of my Taskbar telling me that:

'Malicious software was removed from your computer. Click here to complete the removal process.'

NO, I won't click on it unless you tell me to do so.

sigh...

But, MBAM started and updated fine - I'm having it run a full system scan

And, for fun, SuperAntiSpyware is running a scan

And, just for kicks, Avast is also running a scan


You wrote:

"Why take action without my instructions?"

Because I'm an inveterate fiddler.

:-)

I canceled the other scans.

And am running the Windows Malicious Software Removal full-system scan that the box told me to run when it was clicked.


Interesting... we already cleaned it.

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

  2. During the download, rename Combofix to Combo-Fix as follows:

(screenshots: CF_download_FF.gif, CF_download_rename.gif)

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click combo-fix's window while it's running. That may cause it to stall**


ComboFix 10-06-20.06 - Charles 06/21/2010 11:16:57.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1577 [GMT -7:00]

Running from: c:\documents and settings\Charles\Desktop\Combo-Fix.exe

AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))

.

2010-06-21 15:42 . 2010-06-21 15:42 -------- d-----w- c:\windows\system32\MpEngineStore

2010-06-21 00:22 . 2010-04-20 05:30 285696 -c----w- c:\windows\system32\dllcache\atmfd.dll

2010-06-21 00:22 . 2010-03-05 14:37 65536 -c----w- c:\windows\system32\dllcache\asycfilt.dll

2010-06-20 21:56 . 2010-06-20 21:56 52432 ----a-w- c:\windows\system32\drivers\klmdb.sys

2010-06-18 20:52 . 2010-06-21 17:16 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-18 20:52 . 2010-06-21 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-18 20:13 . 2010-06-18 20:13 -------- d-----w- c:\documents and settings\Charles\Local Settings\Application Data\Apple Computer

2010-06-18 19:57 . 2010-06-18 19:57 63488 ----a-w- c:\documents and settings\Charles\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-18 19:57 . 2010-06-18 19:57 52224 ----a-w- c:\documents and settings\Charles\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-18 19:57 . 2010-06-18 19:57 117760 ----a-w- c:\documents and settings\Charles\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-18 19:54 . 2010-06-18 19:54 -------- d-----w- c:\documents and settings\Charles\Application Data\SUPERAntiSpyware.com

2010-06-18 19:54 . 2010-06-18 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-18 19:54 . 2010-06-18 19:54 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-17 22:07 . 2010-06-17 22:07 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-17 22:07 . 2010-06-17 22:07 -------- d-----w- c:\program files\Java

2010-06-16 22:06 . 2010-06-16 22:06 -------- d-----w- C:\Dropbox

2010-06-16 21:22 . 2010-06-16 21:22 89831 ----a-w- c:\documents and settings\Charles\Application Data\Dropbox\bin\Uninstall.exe

2010-06-16 21:22 . 2010-06-21 18:05 -------- d-----w- c:\documents and settings\Charles\Application Data\Dropbox

2010-06-15 23:04 . 2010-06-15 23:04 -------- d-----w- c:\documents and settings\Charles\Application Data\Foxit Software

2010-06-14 00:11 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-06-14 00:11 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-06-14 00:11 . 2010-05-06 20:41 307280 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2010-06-14 00:11 . 2010-05-06 20:41 99280 ----a-w- c:\windows\system32\drivers\aswFW.sys

2010-06-14 00:11 . 2010-05-06 20:40 190416 ----a-w- c:\windows\system32\drivers\aswNdis2.sys

2010-06-14 00:11 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-06-14 00:11 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-06-14 00:11 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-06-14 00:11 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-06-14 00:11 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-06-14 00:10 . 2010-03-19 20:10 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys

2010-06-14 00:10 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-06-14 00:10 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-06-14 00:10 . 2010-06-14 00:10 -------- d-----w- c:\program files\Alwil Software

2010-06-13 23:41 . 2010-06-14 00:02 -------- d-----w- C:\avastun

2010-06-13 06:23 . 2010-06-13 06:23 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-13 06:08 . 2010-06-13 06:21 -------- d-s---w- c:\documents and settings\Administrator

2010-06-13 06:08 . 2010-06-13 06:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

2010-06-12 18:36 . 2010-06-13 06:21 -------- d-----w- c:\documents and settings\Charles\Local Settings\Application Data\Google

2010-06-12 18:28 . 2010-06-12 18:28 -------- d-----w- C:\small

2010-06-11 21:10 . 2010-06-11 21:37 -------- d-----w- c:\documents and settings\Charles\Application Data\Download Manager

2010-05-28 22:23 . 2010-05-28 22:23 503808 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1c38f2cd-n\msvcp71.dll

2010-05-28 22:23 . 2010-05-28 22:23 499712 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1c38f2cd-n\jmc.dll

2010-05-28 22:23 . 2010-05-28 22:23 348160 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1c38f2cd-n\msvcr71.dll

2010-05-28 22:23 . 2010-05-28 22:23 61440 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ef03999-n\decora-sse.dll

2010-05-28 22:23 . 2010-05-28 22:23 12800 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ef03999-n\decora-d3d.dll

2010-05-28 18:48 . 2010-05-28 18:48 -------- d-----w- c:\documents and settings\Charles\Application Data\Microsoft Web Folders

2010-05-25 13:14 . 2010-05-25 13:17 -------- d-----w- c:\program files\SoftLogica

2010-05-25 01:03 . 2010-05-28 16:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-25 01:01 . 2009-07-17 06:12 44544 ----a-w- c:\windows\system32\msxml4a.dll

2010-05-25 01:01 . 2010-05-25 01:04 -------- d-----w- c:\program files\File Recover

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-21 16:46 . 2010-03-27 15:55 -------- d-----w- c:\documents and settings\Charles\Application Data\WTablet

2010-06-21 15:42 . 2004-08-04 10:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-06-21 14:09 . 2010-05-19 04:54 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-21 10:15 . 2010-03-19 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-20 21:56 . 2010-06-20 21:56 96512 ----a-w- c:\windows\system32\drivers\tsk3.tmp

2010-06-20 21:11 . 2010-04-09 22:24 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-20 19:36 . 2010-04-30 20:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet

2010-06-18 22:52 . 2010-03-19 20:40 -------- d-----w- c:\program files\Nikon-junk-added-at-end

2010-06-18 22:52 . 2010-03-19 22:24 0 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdy.DAT

2010-06-17 21:44 . 2010-04-22 15:36 -------- d-----w- c:\documents and settings\Charles\Application Data\Skype

2010-06-17 20:35 . 2010-04-22 15:37 -------- d-----w- c:\documents and settings\Charles\Application Data\skypePM

2010-06-17 19:54 . 2010-04-30 20:46 -------- d-----w- c:\documents and settings\Charles\Application Data\FileZilla

2010-06-16 21:13 . 2010-05-14 20:47 -------- d-----w- c:\documents and settings\Charles\Application Data\PrimoPDF

2010-06-14 00:10 . 2010-05-17 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-06-13 22:11 . 2010-03-19 21:22 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-28 19:32 . 2010-03-19 18:43 70408 ----a-w- c:\documents and settings\Charles\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-28 18:50 . 2010-05-28 18:50 5058 ----a-w- c:\windows\Help\hhcolreg.dat

2010-05-25 14:26 . 2010-03-19 20:41 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT

2010-05-20 21:42 . 2010-04-22 15:35 -------- d-----r- c:\program files\Skype

2010-05-17 05:24 . 2010-05-17 05:24 -------- d-----w- c:\documents and settings\Charles\Application Data\Malwarebytes

2010-05-17 05:24 . 2010-05-17 05:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-17 05:24 . 2010-05-17 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-14 20:45 . 2010-05-14 20:45 -------- d-----w- c:\program files\Nitro PDF

2010-05-08 18:57 . 2010-05-08 18:57 -------- d-----w- c:\program files\Photodex Presenter

2010-05-08 18:57 . 2010-05-08 18:57 131072 ----a-w- c:\documents and settings\Charles\Application Data\Netscape\Plugins\npPxPlay.dll

2010-05-08 18:57 . 2010-05-08 18:57 131072 ----a-w- c:\documents and settings\Charles\Application Data\Mozilla\Plugins\npPxPlay.dll

2010-05-08 18:57 . 2010-05-08 18:57 -------- d-----w- c:\documents and settings\Charles\Application Data\Netscape

2010-05-08 18:56 . 2010-05-08 18:56 -------- d-----w- c:\program files\Photodex

2010-05-08 18:56 . 2010-05-08 18:56 -------- d-----w- c:\documents and settings\Charles\Application Data\Photodex

2010-05-08 18:45 . 2010-05-08 18:45 -------- d-----w- c:\program files\Lame for Audacity

2010-05-04 17:20 . 2008-11-04 22:42 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2008-11-04 22:41 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2008-11-04 22:41 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2008-05-30 09:16 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-30 20:46 . 2010-04-30 20:46 -------- d-----w- c:\program files\FileZilla FTP Client

2010-04-30 20:17 . 2010-03-27 15:54 -------- d-----w- c:\program files\Tablet

2010-04-29 22:39 . 2010-05-17 05:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2010-05-17 05:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-22 15:37 . 2010-04-22 15:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-04-21 20:42 . 2010-04-21 20:31 60819 ----a-w- c:\windows\hpwins03.dat

2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-03 23:00 . 2010-04-03 22:51 165407 ----a-w- c:\windows\ProSelect Uninstaller.exe

.

------- Sigcheck -------

[-] 2010-06-21 15:42 . 5E272140A0941DEAC6DD4A7E91D3E824 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys

[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Charles\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Charles\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Charles\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]

@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"

[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]

2010-05-06 21:02 151648 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-12-29 61952]

"nwiz"="nwiz.exe" [2006-02-16 1519616]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-16 7557120]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]

"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-03-30 1820040]

"HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2006-11-15 352256]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_2"="shell32" [X]

c:\documents and settings\Charles\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

Dropbox.lnk - c:\documents and settings\Charles\Application Data\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]

Shortcut to procexp.lnk - c:\documents and settings\Charles\My Documents\Downloads\ProcessExplorer\procexp.exe [2009-2-3 3550592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\TimeExposure\\ProSelect\\ProSelect.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\HP\\HP Officejet Pro K550 Series\\Toolbox\\HPWUTBX.exe"=

"c:\\Program Files\\Microsoft Office\\Office\\FRONTPG.EXE"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Charles\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [6/13/2010 5:10 PM 12112]

R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [6/13/2010 5:11 PM 190416]

R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [6/13/2010 5:11 PM 99280]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/13/2010 5:11 PM 307280]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/13/2010 5:11 PM 164048]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/13/2010 5:11 PM 19024]

R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [6/13/2010 5:10 PM 119200]

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [3/30/2010 11:16 AM 1107336]

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [4/14/2010 7:17 PM 4497704]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [4/30/2010 1:17 PM 5010288]

R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [4/14/2010 7:17 PM 113448]

R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 5:43 PM 31896]

S1 fpbgpcdn;fpbgpcdn;\??\c:\windows\system32\drivers\fpbgpcdn.sys --> c:\windows\system32\drivers\fpbgpcdn.sys [?]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [3/27/2010 8:54 AM 16168]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: {1C62E8C7-5A7B-48BC-99F5-4448AB83D6D4} = 8.8.8.8,8.8.4.4

FF - ProfilePath - c:\documents and settings\Charles\Application Data\Mozilla\Firefox\Profiles\03noie0j.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\documents and settings\Charles\Application Data\Mozilla\plugins\npPxPlay.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\TabletPlugins\npwacom.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

SafeBoot-klmdb.sys

AddRemove-Capture NX 2 - c:\program files\Nikon\Capture NX 2\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-21 11:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\atapi]

"ImagePath"="system32\drivers\tsk3.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1572)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(600)

c:\windows\system32\WININET.dll

c:\documents and settings\Charles\Application Data\Dropbox\bin\DropboxExt.13.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

Completion time: 2010-06-21 11:32:08

ComboFix-quarantined-files.txt 2010-06-21 18:32

Pre-Run: 44,435,861,504 bytes free

Post-Run: 46,308,847,616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8B4FD4BA84FAC9ACE367FDB31B7DAD91

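Two entries in the log above are the ones a triager keys on, and they are easier to check mechanically than by eye: in the Sigcheck block the live c:\windows\system32\drivers\atapi.sys carries an MD5 (5E27...) that matches neither the ServicePackFiles/dllcache copy nor the SP2 backup and has no version stamp, and the atapi service in ControlSet005 has an ImagePath of system32\drivers\tsk3.tmp instead of atapi.sys. The script below is an added example, not part of ComboFix, of the thread, or of the helper's instructions. It parses those two record formats (the field layout and the list of backup directories are this example's assumptions about ComboFix output) and reports a live system file whose hash matches no reference copy, plus any driver service whose ImagePath does not name <service>.sys. The sample text embedded in it is copied from the posted log, not invented.

```python
"""Triage helper for ComboFix-style log lines.

Added example for this thread; it is not part of ComboFix, the forum post or
the helper's instructions. The line formats and decision rules are this
example's own assumptions about the log; the sample text is copied from the
log posted above.
"""
import re
from collections import defaultdict

# Sample input: the Sigcheck block and the ControlSet005 entry exactly as they
# appear in the posted log (copied from the thread, not invented).
SAMPLE_LOG = r"""
------- Sigcheck -------
[-] 2010-06-21 15:42 . 5E272140A0941DEAC6DD4A7E91D3E824 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\atapi]
"ImagePath"="system32\drivers\tsk3.tmp"
"""

# One Sigcheck row (assumed layout): [flag] date[ time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\(?P<set>ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\(?P<name>[^\]]+)\]\s*$",
    re.IGNORECASE,
)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]*)"\s*$', re.IGNORECASE)

# Directories ComboFix lists as reference copies of a system file. Assumption:
# a copy under one of these is a backup; any other copy is the live file.
BACKUP_DIRS = ("\\dllcache\\", "\\servicepackfiles\\", "\\$ntservicepackuninstall$\\")


def parse_sigcheck(text):
    """Group Sigcheck rows by lower-case file name."""
    rows = defaultdict(list)
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            name = rec["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            rows[name].append(rec)
    return rows


def is_backup(path):
    return any(d in path.lower() for d in BACKUP_DIRS)


def find_hash_mismatches(rows):
    """Live copies whose MD5 matches none of the backup copies of the same file."""
    findings = []
    for name, recs in rows.items():
        backups = {r["md5"] for r in recs if is_backup(r["path"])}
        for r in recs:
            if not is_backup(r["path"]) and backups and r["md5"] not in backups:
                findings.append({
                    "file": name, "path": r["path"], "live_md5": r["md5"],
                    "live_size": r["size"], "version": r["version"],
                    "backup_md5s": sorted(backups),
                })
    return findings


def parse_service_imagepaths(text):
    """Map (control set, service name) -> ImagePath from REGEDIT4-style output."""
    paths = {}
    current = None
    for line in text.splitlines():
        k = SERVICE_KEY_RE.match(line)
        if k:
            current = (k.group("set"), k.group("name"))
            continue
        v = IMAGEPATH_RE.match(line)
        if v and current:
            paths[current] = v.group("path")
    return paths


def find_odd_imagepaths(paths):
    """Heuristic: a driver service normally loads <name>.sys; flag anything else."""
    findings = []
    for (cset, name), image in paths.items():
        base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base != name.lower() + ".sys":
            findings.append({"control_set": cset, "service": name, "image_path": image})
    return findings


def triage(text):
    """Run both checks over a whole log and return the findings."""
    return {
        "hash_mismatches": find_hash_mismatches(parse_sigcheck(text)),
        "odd_imagepaths": find_odd_imagepaths(parse_service_imagepaths(text)),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

Run it as a script to print the findings from the embedded sample, or import it and call triage() on the text of a saved ComboFix.txt. A hash mismatch against the dllcache and ServicePackFiles copies is a lead rather than a verdict: a hotfix can legitimately replace a driver, so confirm the live file against a known-good copy or a vendor hash before replacing it.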

Click on Start -> Run..., type REGEDIT, browse to the following key, export it, and paste back its contents.

HKEY_LOCAL_MACHINE\System\ControlSet005\Services\atapi

Right-click it, choose EXPORT, and save it on your desktop as 1a65f4eab.REG

Right-click the saved file and choose EDIT; it should open in Notepad. Then select all, copy, and paste the contents back in your next reply.


Thanks!

Open Notepad and copy and paste the text in the code box below into it:

KillAll::

Driver::
fpbgpcdn

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif, CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


ComboFix 10-06-20.06 - Charles 06/21/2010 12:58:33.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1248 [GMT -7:00]

Running from: c:\documents and settings\Charles\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Charles\Desktop\CFScript.txt

AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_fpbgpcdn

((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))

.

2010-06-21 15:42 . 2010-06-21 15:42 -------- d-----w- c:\windows\system32\MpEngineStore

2010-06-21 00:22 . 2010-04-20 05:30 285696 -c----w- c:\windows\system32\dllcache\atmfd.dll

2010-06-21 00:22 . 2010-03-05 14:37 65536 -c----w- c:\windows\system32\dllcache\asycfilt.dll

2010-06-20 21:56 . 2010-06-20 21:56 52432 ----a-w- c:\windows\system32\drivers\klmdb.sys

2010-06-18 20:52 . 2010-06-21 17:16 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-18 20:52 . 2010-06-21 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-18 20:13 . 2010-06-18 20:13 -------- d-----w- c:\documents and settings\Charles\Local Settings\Application Data\Apple Computer

2010-06-18 19:54 . 2010-06-18 19:54 -------- d-----w- c:\documents and settings\Charles\Application Data\SUPERAntiSpyware.com

2010-06-18 19:54 . 2010-06-18 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-18 19:54 . 2010-06-18 19:54 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-17 22:07 . 2010-06-17 22:07 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-17 22:07 . 2010-06-17 22:07 -------- d-----w- c:\program files\Java

2010-06-16 22:06 . 2010-06-16 22:06 -------- d-----w- C:\Dropbox

2010-06-16 21:22 . 2010-06-21 20:18 -------- d-----w- c:\documents and settings\Charles\Application Data\Dropbox

2010-06-15 23:04 . 2010-06-15 23:04 -------- d-----w- c:\documents and settings\Charles\Application Data\Foxit Software

2010-06-14 00:11 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-06-14 00:11 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-06-14 00:11 . 2010-05-06 20:41 307280 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2010-06-14 00:11 . 2010-05-06 20:41 99280 ----a-w- c:\windows\system32\drivers\aswFW.sys

2010-06-14 00:11 . 2010-05-06 20:40 190416 ----a-w- c:\windows\system32\drivers\aswNdis2.sys

2010-06-14 00:11 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-06-14 00:11 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-06-14 00:11 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-06-14 00:11 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-06-14 00:11 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-06-14 00:10 . 2010-03-19 20:10 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys

2010-06-14 00:10 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-06-14 00:10 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-06-14 00:10 . 2010-06-14 00:10 -------- d-----w- c:\program files\Alwil Software

2010-06-13 23:41 . 2010-06-14 00:02 -------- d-----w- C:\avastun

2010-06-13 06:23 . 2010-06-13 06:23 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-13 06:08 . 2010-06-13 06:21 -------- d-s---w- c:\documents and settings\Administrator

2010-06-13 06:08 . 2010-06-13 06:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

2010-06-12 18:36 . 2010-06-13 06:21 -------- d-----w- c:\documents and settings\Charles\Local Settings\Application Data\Google

2010-06-12 18:28 . 2010-06-12 18:28 -------- d-----w- C:\small

2010-06-11 21:10 . 2010-06-11 21:37 -------- d-----w- c:\documents and settings\Charles\Application Data\Download Manager

2010-05-28 18:48 . 2010-05-28 18:48 -------- d-----w- c:\documents and settings\Charles\Application Data\Microsoft Web Folders

2010-05-25 13:14 . 2010-05-25 13:17 -------- d-----w- c:\program files\SoftLogica

2010-05-25 01:03 . 2010-05-28 16:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-25 01:01 . 2009-07-17 06:12 44544 ----a-w- c:\windows\system32\msxml4a.dll

2010-05-25 01:01 . 2010-05-25 01:04 -------- d-----w- c:\program files\File Recover

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-21 20:18 . 2010-03-27 15:55 -------- d-----w- c:\documents and settings\Charles\Application Data\WTablet

2010-06-21 15:42 . 2004-08-04 10:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-06-21 14:09 . 2010-05-19 04:54 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-21 10:15 . 2010-03-19 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-20 21:56 . 2010-06-20 21:56 96512 ----a-w- c:\windows\system32\drivers\tsk3.tmp

2010-06-20 21:11 . 2010-04-09 22:24 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-20 19:36 . 2010-04-30 20:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet

2010-06-18 22:52 . 2010-03-19 20:40 -------- d-----w- c:\program files\Nikon-junk-added-at-end

2010-06-18 22:52 . 2010-03-19 22:24 0 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdy.DAT

2010-06-18 19:57 . 2010-06-18 19:57 63488 ----a-w- c:\documents and settings\Charles\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-18 19:57 . 2010-06-18 19:57 52224 ----a-w- c:\documents and settings\Charles\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-18 19:57 . 2010-06-18 19:57 117760 ----a-w- c:\documents and settings\Charles\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-17 21:44 . 2010-04-22 15:36 -------- d-----w- c:\documents and settings\Charles\Application Data\Skype

2010-06-17 20:35 . 2010-04-22 15:37 -------- d-----w- c:\documents and settings\Charles\Application Data\skypePM

2010-06-17 19:54 . 2010-04-30 20:46 -------- d-----w- c:\documents and settings\Charles\Application Data\FileZilla

2010-06-16 21:22 . 2010-06-16 21:22 89831 ----a-w- c:\documents and settings\Charles\Application Data\Dropbox\bin\Uninstall.exe

2010-06-16 21:13 . 2010-05-14 20:47 -------- d-----w- c:\documents and settings\Charles\Application Data\PrimoPDF

2010-06-14 00:10 . 2010-05-17 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-06-13 22:11 . 2010-03-19 21:22 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-28 22:23 . 2010-05-28 22:23 503808 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1c38f2cd-n\msvcp71.dll

2010-05-28 22:23 . 2010-05-28 22:23 499712 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1c38f2cd-n\jmc.dll

2010-05-28 22:23 . 2010-05-28 22:23 348160 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1c38f2cd-n\msvcr71.dll

2010-05-28 22:23 . 2010-05-28 22:23 61440 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ef03999-n\decora-sse.dll

2010-05-28 22:23 . 2010-05-28 22:23 12800 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ef03999-n\decora-d3d.dll

2010-05-28 19:32 . 2010-03-19 18:43 70408 ----a-w- c:\documents and settings\Charles\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-28 18:50 . 2010-05-28 18:50 5058 ----a-w- c:\windows\Help\hhcolreg.dat

2010-05-25 14:26 . 2010-03-19 20:41 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT

2010-05-20 21:42 . 2010-04-22 15:35 -------- d-----r- c:\program files\Skype

2010-05-17 05:24 . 2010-05-17 05:24 -------- d-----w- c:\documents and settings\Charles\Application Data\Malwarebytes

2010-05-17 05:24 . 2010-05-17 05:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-17 05:24 . 2010-05-17 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-14 20:45 . 2010-05-14 20:45 -------- d-----w- c:\program files\Nitro PDF

2010-05-08 18:57 . 2010-05-08 18:57 -------- d-----w- c:\program files\Photodex Presenter

2010-05-08 18:57 . 2010-05-08 18:57 131072 ----a-w- c:\documents and settings\Charles\Application Data\Netscape\Plugins\npPxPlay.dll

2010-05-08 18:57 . 2010-05-08 18:57 131072 ----a-w- c:\documents and settings\Charles\Application Data\Mozilla\Plugins\npPxPlay.dll

2010-05-08 18:57 . 2010-05-08 18:57 -------- d-----w- c:\documents and settings\Charles\Application Data\Netscape

2010-05-08 18:56 . 2010-05-08 18:56 -------- d-----w- c:\program files\Photodex

2010-05-08 18:56 . 2010-05-08 18:56 -------- d-----w- c:\documents and settings\Charles\Application Data\Photodex

2010-05-08 18:45 . 2010-05-08 18:45 -------- d-----w- c:\program files\Lame for Audacity

2010-05-04 17:20 . 2008-11-04 22:42 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2008-11-04 22:41 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2008-11-04 22:41 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2008-05-30 09:16 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-30 20:46 . 2010-04-30 20:46 -------- d-----w- c:\program files\FileZilla FTP Client

2010-04-30 20:17 . 2010-03-27 15:54 -------- d-----w- c:\program files\Tablet

2010-04-29 22:39 . 2010-05-17 05:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2010-05-17 05:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-22 15:37 . 2010-04-22 15:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-04-21 20:42 . 2010-04-21 20:31 60819 ----a-w- c:\windows\hpwins03.dat

2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-03 23:00 . 2010-04-03 22:51 165407 ----a-w- c:\windows\ProSelect Uninstaller.exe

.

------- Sigcheck -------

[-] 2010-06-21 15:42 . 5E272140A0941DEAC6DD4A7E91D3E824 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys

[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-06-21_18.30.41 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-21 20:17 . 2010-06-21 20:17 16384 c:\windows\temp\Perflib_Perfdata_3e0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Charles\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Charles\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Charles\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]

@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"

[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]

2010-05-06 21:02 151648 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-12-29 61952]

"nwiz"="nwiz.exe" [2006-02-16 1519616]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-16 7557120]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]

"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-03-30 1820040]

"HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2006-11-15 352256]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_2"="shell32" [X]

c:\documents and settings\Charles\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

Dropbox.lnk - c:\documents and settings\Charles\Application Data\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]

Shortcut to procexp.lnk - c:\documents and settings\Charles\My Documents\Downloads\ProcessExplorer\procexp.exe [2009-2-3 3550592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\TimeExposure\\ProSelect\\ProSelect.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\HP\\HP Officejet Pro K550 Series\\Toolbox\\HPWUTBX.exe"=

"c:\\Program Files\\Microsoft Office\\Office\\FRONTPG.EXE"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Charles\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [6/13/2010 5:10 PM 12112]

R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [6/13/2010 5:11 PM 190416]

R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [6/13/2010 5:11 PM 99280]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/13/2010 5:11 PM 307280]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/13/2010 5:11 PM 164048]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/13/2010 5:11 PM 19024]

R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [6/13/2010 5:10 PM 119200]

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [3/30/2010 11:16 AM 1107336]

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [4/14/2010 7:17 PM 4497704]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [4/30/2010 1:17 PM 5010288]

R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [4/14/2010 7:17 PM 113448]

R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 5:43 PM 31896]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [3/27/2010 8:54 AM 16168]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: {1C62E8C7-5A7B-48BC-99F5-4448AB83D6D4} = 8.8.8.8,8.8.4.4

FF - ProfilePath - c:\documents and settings\Charles\Application Data\Mozilla\Firefox\Profiles\03noie0j.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\documents and settings\Charles\Application Data\Mozilla\plugins\npPxPlay.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\TabletPlugins\npwacom.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-21 13:18

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\atapi]

"ImagePath"="system32\drivers\tsk3.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1580)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1032)

c:\windows\system32\WININET.dll

c:\documents and settings\Charles\Application Data\Dropbox\bin\DropboxExt.13.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\WTouch\WTouchUser.exe

c:\program files\FolderSize\FolderSizeSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Photodex\ProShowProducer\ScsiAccess.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\WTablet\Wacom_TabletUser.exe

c:\windows\system32\WTablet\Pen_TabletUser.exe

.

**************************************************************************

.

Completion time: 2010-06-21 13:23:06 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-21 20:23

ComboFix2.txt 2010-06-21 18:32

Pre-Run: 46,306,201,600 bytes free

Post-Run: 46,118,453,248 bytes free

- - End Of File - - F24B170838F7D00383ECA88751933741
