Jump to content

redirect and gmer does not run


FFF
 Share

Recommended Posts

Hello,

I was following the directions to get information so that i can have help in eliminating a redirect virus. I already have malware on my computer as well as symantec antivirus and my computer is set up to do automatic updates. When I got to the stepof running gmer I got the "Windows has encountered an error and GMER cannot run. Do you want to report this error. mpcmwe6e1.exe has encountered a problm. When I went to run the GMER it skipped the first several steps and went straight to the "Then click the scan button and wait for it to finish step. So I am guessing I have this on my computer already?

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 6:52:24.12 on Sat 07/24/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1817 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Q853B75H\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://forecast.weather.gov/MapClick.php?CityName=Brandon&state=MS&site=JAN&textField1=32.2805&textField2=-90.0038&e=0

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uInternet Settings,ProxyOverride = <local>

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)" -"http://www.nabiscoworld.com/games/game_large.aspx?gameid=10036"

mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

mRun: [Mixersel] c:\program files\realtek\installshield\mixersel.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [AlcWzrd] ALCWZRD.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Tberacufotizici] rundll32.exe "c:\windows\acufozuz.dll",Startup

dRun: [gukxppaf] c:\documents and settings\networkservice\local settings\application data\cqepqxxsw\iacnhuptssd.exe

dRunOnce: [RunNarrator] Narrator.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_13-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

Filter: text/html - {2432e172-59a1-4a73-96c4-fcb0fba2c84f} -

Notify: igfxcui - igfxsrvc.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100723.002\naveng.sys [2010-7-23 85424]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100723.002\navex15.sys [2010-7-23 1362608]

S0 ftnwj;ftnwj; [x]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\d.tmp --> c:\windows\system32\D.tmp [?]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

=============== Created Last 30 ================

2010-07-24 11:50:50 0 ----a-w- c:\documents and settings\owner\defogger_reenable

2010-07-08 13:52:46 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20:32 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-03-23 20:40:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010032320100324\index.dat

2010-04-24 04:16:05 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010042320100424\index.dat

============= FINISH: 6:53:28.22 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 7/25/2009 12:37:01 PM

System Uptime: 7/18/2010 8:53:18 PM (130 hours ago)

Motherboard: Intel Corporation | | D915GAG

Processor: Intel® Pentium® 4 CPU 2.93GHz | | 2933/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 186 GiB total, 166.392 GiB free.

D: is CDROM ()

E: is Removable

F: is Removable

G: is Removable

H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP266: 4/25/2010 6:28:03 AM - Software Distribution Service 3.0

RP267: 4/26/2010 7:42:13 AM - System Checkpoint

RP268: 4/27/2010 8:12:06 AM - System Checkpoint

RP269: 4/28/2010 10:11:00 AM - System Checkpoint

RP270: 4/30/2010 8:04:11 AM - System Checkpoint

RP271: 5/1/2010 10:00:02 AM - System Checkpoint

RP272: 5/2/2010 11:01:03 AM - System Checkpoint

RP273: 5/3/2010 7:15:19 PM - System Checkpoint

RP274: 5/4/2010 7:30:12 PM - System Checkpoint

RP275: 5/6/2010 12:23:56 AM - System Checkpoint

RP276: 5/8/2010 8:18:57 AM - System Checkpoint

RP277: 5/9/2010 12:44:46 PM - System Checkpoint

RP278: 5/10/2010 10:04:49 PM - System Checkpoint

RP279: 5/12/2010 7:21:07 AM - System Checkpoint

RP280: 5/12/2010 8:25:46 AM - Software Distribution Service 3.0

RP281: 5/13/2010 8:44:12 AM - System Checkpoint

RP282: 5/14/2010 9:58:38 AM - System Checkpoint

RP283: 5/15/2010 10:05:54 AM - System Checkpoint

RP284: 5/16/2010 1:57:34 PM - System Checkpoint

RP285: 5/17/2010 11:14:54 PM - System Checkpoint

RP286: 5/18/2010 11:06:15 PM - Installed Java 6 Update 20

RP287: 5/20/2010 5:23:15 AM - System Checkpoint

RP288: 5/21/2010 7:32:24 AM - System Checkpoint

RP289: 5/22/2010 11:10:37 AM - System Checkpoint

RP290: 5/23/2010 1:29:21 PM - System Checkpoint

RP291: 5/25/2010 6:14:41 AM - System Checkpoint

RP292: 5/26/2010 7:35:41 AM - System Checkpoint

RP293: 5/27/2010 7:41:34 AM - Software Distribution Service 3.0

RP294: 5/28/2010 11:50:07 AM - System Checkpoint

RP295: 5/29/2010 12:55:11 PM - System Checkpoint

RP296: 5/30/2010 8:32:11 PM - System Checkpoint

RP297: 5/31/2010 10:39:09 PM - System Checkpoint

RP298: 6/2/2010 12:02:27 AM - System Checkpoint

RP299: 6/3/2010 7:22:02 AM - System Checkpoint

RP300: 6/4/2010 8:19:16 AM - System Checkpoint

RP301: 6/5/2010 9:13:18 AM - System Checkpoint

RP302: 6/6/2010 9:55:45 AM - System Checkpoint

RP303: 6/7/2010 11:16:56 AM - System Checkpoint

RP304: 6/8/2010 12:10:36 PM - System Checkpoint

RP305: 6/9/2010 9:18:01 AM - Software Distribution Service 3.0

RP306: 6/10/2010 11:56:13 AM - System Checkpoint

RP307: 6/11/2010 12:53:46 PM - System Checkpoint

RP308: 6/12/2010 1:51:55 PM - System Checkpoint

RP309: 6/13/2010 3:32:25 PM - System Checkpoint

RP310: 6/14/2010 4:45:03 PM - System Checkpoint

RP311: 6/15/2010 7:19:17 PM - System Checkpoint

RP312: 6/16/2010 8:39:29 PM - System Checkpoint

RP313: 6/17/2010 9:26:46 PM - System Checkpoint

RP314: 6/19/2010 12:41:43 AM - System Checkpoint

RP315: 6/20/2010 8:13:27 AM - System Checkpoint

RP316: 6/21/2010 2:57:35 PM - System Checkpoint

RP317: 6/22/2010 4:39:28 PM - System Checkpoint

RP318: 6/23/2010 5:17:09 PM - System Checkpoint

RP319: 6/24/2010 7:22:07 AM - Software Distribution Service 3.0

RP320: 6/25/2010 10:45:13 AM - System Checkpoint

RP321: 6/26/2010 11:30:08 AM - System Checkpoint

RP322: 6/27/2010 1:21:53 PM - System Checkpoint

RP323: 6/28/2010 2:29:46 PM - System Checkpoint

RP324: 6/29/2010 4:21:35 PM - System Checkpoint

RP325: 6/30/2010 8:00:28 PM - System Checkpoint

RP326: 7/1/2010 9:14:37 PM - System Checkpoint

RP327: 7/4/2010 9:10:13 PM - System Checkpoint

RP328: 7/5/2010 10:45:28 PM - System Checkpoint

RP329: 7/7/2010 7:47:19 AM - System Checkpoint

RP330: 7/8/2010 8:01:08 AM - System Checkpoint

RP331: 7/9/2010 10:10:58 AM - System Checkpoint

RP332: 7/10/2010 12:28:12 PM - System Checkpoint

RP333: 7/11/2010 12:30:43 PM - System Checkpoint

RP334: 7/11/2010 7:23:32 PM - Restore Operation

RP335: 7/11/2010 8:09:10 PM - Restore Operation

RP336: 7/12/2010 8:11:37 PM - System Checkpoint

RP337: 7/13/2010 9:19:56 PM - System Checkpoint

RP338: 7/15/2010 12:50:28 AM - System Checkpoint

RP339: 7/16/2010 1:41:58 AM - System Checkpoint

RP340: 7/17/2010 9:27:30 AM - System Checkpoint

RP341: 7/18/2010 10:21:23 AM - System Checkpoint

RP342: 7/19/2010 10:21:39 AM - System Checkpoint

RP343: 7/20/2010 11:10:37 AM - System Checkpoint

RP344: 7/21/2010 11:20:10 AM - System Checkpoint

RP345: 7/22/2010 11:57:48 AM - System Checkpoint

RP346: 7/23/2010 12:31:58 PM - System Checkpoint

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Reader 9.3.3

Adobe Shockwave Player 11.5

Apple Software Update

Canon MP Navigator EX 1.2

Canon MP190 series MP Drivers

Canon MP190 series User Registration

Canon My Printer

Canon Utilities Easy-PhotoPrint EX

Canon Utilities Solution Menu

Compatibility Pack for the 2007 Office system

Critical Update for Windows Media Player 11 (KB959772)

DeductionPro 2009

GoToMeeting 4.1.0.366

H&R Block Mississippi 2009

H&R Block Premium + Efile + State 2009

High Definition Audio Driver Package - KB835221

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Adapters and Drivers

Intel® PROSet for Wired Connections

J2SE Runtime Environment 5.0 Update 13

Java Auto Updater

Java 6 Update 20

LiveUpdate 3.1 (Symantec Corporation)

Malwarebytes' Anti-Malware

MetaFrame Presentation Server Web Client for Win32

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Digital Image Library 9 - Blocker

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional Plus 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Picture It! Library 10

Microsoft Picture It! Premium 10

Microsoft Software Update for Web Folders (English) 12

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Windows XP Video Decoder Checkup Utility

Move Media Player

MSXML 6 Service Pack 2 (KB973686)

PrimoPDF -- brought to you by Nitro PDF Software

QuickTime

RealPlayer

Realtek High Definition Audio Driver

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB981349)

Snapshot Viewer

Soft Data Fax Modem with SmartCP

Sophos Anti-Rootkit 1.5.0

Spelling Dictionaries Support For Adobe Reader 9

Symantec AntiVirus

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows Internet Explorer 7 (KB980182)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VLC media player 0.9.2

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Internet Explorer 7

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

Yahoo! BrowserPlus 2.9.2

==== Event Viewer Messages From Past Week ========

7/18/2010 8:54:13 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

7/18/2010 8:54:13 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================

Thank you

Link to post
Share on other sites

Hi FFF And Welcome to Malwarebytes Forum!

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose extract all extract the file to your desktop then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log

========

Download ComboFix from one of these locations:

Link 1

Link 2

======================================================================

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply with TDSSKiller log.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Link to post
Share on other sites

Hi FFF

Lets run TDSSKiller and ComboFix.

Thanks,

I ran these programs and here are the logs. I no longer seem to have the redirect virus but my symantec just quarantined another trojan horse virus. Where am I getting these things?

2010/07/27 21:17:53.0393 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49

2010/07/27 21:17:53.0393 ================================================================================

2010/07/27 21:17:53.0393 SystemInfo:

2010/07/27 21:17:53.0393

2010/07/27 21:17:53.0393 OS Version: 5.1.2600 ServicePack: 3.0

2010/07/27 21:17:53.0393 Product type: Workstation

2010/07/27 21:17:53.0393 ComputerName: OWNER-2B1750732

2010/07/27 21:17:53.0393 UserName: Owner

2010/07/27 21:17:53.0393 Windows directory: C:\WINDOWS

2010/07/27 21:17:53.0393 System windows directory: C:\WINDOWS

2010/07/27 21:17:53.0393 Processor architecture: Intel x86

2010/07/27 21:17:53.0393 Number of processors: 1

2010/07/27 21:17:53.0393 Page size: 0x1000

2010/07/27 21:17:53.0393 Boot type: Normal boot

2010/07/27 21:17:53.0393 ================================================================================

2010/07/27 21:17:53.0518 Initialize success

2010/07/27 21:17:56.0330 ================================================================================

2010/07/27 21:17:56.0330 Scan started

2010/07/27 21:17:56.0330 Mode: Manual;

2010/07/27 21:17:56.0330 ================================================================================

2010/07/27 21:17:57.0596 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/07/27 21:17:57.0643 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/07/27 21:17:57.0705 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/07/27 21:17:57.0768 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/07/27 21:17:57.0877 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/07/27 21:17:57.0955 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/07/27 21:17:57.0986 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/07/27 21:17:58.0018 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/07/27 21:17:58.0080 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/07/27 21:17:58.0127 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/07/27 21:17:58.0174 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/07/27 21:17:58.0236 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/07/27 21:17:58.0283 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/07/27 21:17:58.0314 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/07/27 21:17:58.0439 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/07/27 21:17:58.0830 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/07/27 21:17:58.0861 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/07/27 21:17:58.0877 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/07/27 21:17:58.0908 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/07/27 21:17:58.0955 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/07/27 21:17:59.0002 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys

2010/07/27 21:17:59.0080 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

2010/07/27 21:17:59.0143 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

2010/07/27 21:17:59.0205 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/07/27 21:17:59.0236 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2010/07/27 21:17:59.0268 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/07/27 21:17:59.0299 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2010/07/27 21:17:59.0346 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/07/27 21:17:59.0393 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/07/27 21:17:59.0424 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/07/27 21:17:59.0486 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/07/27 21:17:59.0533 HdAudAddService (9131ede087af04a7d80f7ebadc164254) C:\WINDOWS\system32\drivers\HdAudio.sys

2010/07/27 21:17:59.0627 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/07/27 21:17:59.0674 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/07/27 21:17:59.0736 HSFHWBS2 (b6b0721a86e51d141ec55c3cc1ca5686) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys

2010/07/27 21:17:59.0799 HSF_DP (b2dfc168d6f7512faea085253c5a37ad) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

2010/07/27 21:17:59.0861 HSF_DPV (698204d9c2832e53633e53a30a53fc3d) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

2010/07/27 21:17:59.0924 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/07/27 21:17:59.0986 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/07/27 21:18:00.0033 ialm (0acebb31989cbf9a5663fe4a33d28d21) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2010/07/27 21:18:00.0080 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/07/27 21:18:00.0205 IntcAzAudAddService (1ed9ac45c69e650d4f12d1114132622b) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2010/07/27 21:18:00.0268 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/07/27 21:18:00.0299 intelppm (9fd96f57a1b40af0b6ff3d68593b7c19) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/07/27 21:18:00.0299 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelppm.sys. Real md5: 9fd96f57a1b40af0b6ff3d68593b7c19, Fake md5: 8c953733d8f36eb2133f5bb58808b66b

2010/07/27 21:18:00.0299 intelppm - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/07/27 21:18:00.0346 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/07/27 21:18:00.0393 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/07/27 21:18:00.0424 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/07/27 21:18:00.0455 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/07/27 21:18:00.0486 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/07/27 21:18:00.0518 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/07/27 21:18:00.0549 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/07/27 21:18:00.0580 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/07/27 21:18:00.0611 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/07/27 21:18:00.0658 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys

2010/07/27 21:18:00.0689 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/07/27 21:18:00.0736 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/07/27 21:18:00.0799 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2010/07/27 21:18:00.0846 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/07/27 21:18:00.0893 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/07/27 21:18:00.0924 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/07/27 21:18:00.0986 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/07/27 21:18:01.0018 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/07/27 21:18:01.0049 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/07/27 21:18:01.0111 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/07/27 21:18:01.0127 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/07/27 21:18:01.0158 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/07/27 21:18:01.0189 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/07/27 21:18:01.0221 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/07/27 21:18:01.0268 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/07/27 21:18:01.0299 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/07/27 21:18:01.0408 NAVENG (0953bb24c1e70a99c315f44f15993c17) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100727.005\naveng.sys

2010/07/27 21:18:01.0471 NAVEX15 (3ddb0bef60b65df6b110c23e17cd67dc) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100727.005\navex15.sys

2010/07/27 21:18:01.0518 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/07/27 21:18:01.0564 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/07/27 21:18:01.0596 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/07/27 21:18:01.0627 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/07/27 21:18:01.0658 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/07/27 21:18:01.0705 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/07/27 21:18:01.0721 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/07/27 21:18:01.0752 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/07/27 21:18:01.0783 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/07/27 21:18:01.0814 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/07/27 21:18:01.0861 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/07/27 21:18:01.0893 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/07/27 21:18:01.0924 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/07/27 21:18:01.0955 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/07/27 21:18:01.0971 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/07/27 21:18:02.0002 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/07/27 21:18:02.0018 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/07/27 21:18:02.0049 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/07/27 21:18:02.0080 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/07/27 21:18:02.0111 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/07/27 21:18:02.0252 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/07/27 21:18:02.0268 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/07/27 21:18:02.0314 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/07/27 21:18:02.0424 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/07/27 21:18:02.0439 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/07/27 21:18:02.0471 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/07/27 21:18:02.0502 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/07/27 21:18:02.0533 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/07/27 21:18:02.0549 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/07/27 21:18:02.0580 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/07/27 21:18:02.0643 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/07/27 21:18:02.0674 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/07/27 21:18:02.0736 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys

2010/07/27 21:18:02.0752 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys

2010/07/27 21:18:02.0814 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/07/27 21:18:02.0861 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/07/27 21:18:02.0893 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/07/27 21:18:02.0924 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/07/27 21:18:03.0018 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

2010/07/27 21:18:03.0064 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/07/27 21:18:03.0111 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/07/27 21:18:03.0143 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/07/27 21:18:03.0174 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/07/27 21:18:03.0205 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/07/27 21:18:03.0283 SymEvent (de6d1102d55926354171ae4e73936725) C:\Program Files\Symantec\SYMEVENT.SYS

2010/07/27 21:18:03.0330 SYMREDRV (6c0a85982f4e0d672b85a2bfb50a24b5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

2010/07/27 21:18:03.0361 SYMTDI (cdda3ba3f7d5b63ff9f85cb478c11473) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

2010/07/27 21:18:03.0455 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/07/27 21:18:03.0502 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/07/27 21:18:03.0533 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/07/27 21:18:03.0564 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/07/27 21:18:03.0596 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/07/27 21:18:03.0658 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/07/27 21:18:03.0736 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/07/27 21:18:03.0783 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/07/27 21:18:03.0814 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/07/27 21:18:03.0846 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/07/27 21:18:03.0877 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/07/27 21:18:03.0908 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/07/27 21:18:03.0924 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/07/27 21:18:03.0955 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/07/27 21:18:03.0986 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/07/27 21:18:04.0033 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/07/27 21:18:04.0064 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/07/27 21:18:04.0111 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/07/27 21:18:04.0189 winachsf (74cf3f2e4e40c4a2e18d39d6300a5c24) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2010/07/27 21:18:04.0252 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2010/07/27 21:18:04.0268 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/07/27 21:18:04.0299 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/07/27 21:18:04.0330 ================================================================================

2010/07/27 21:18:04.0330 Scan finished

2010/07/27 21:18:04.0330 ================================================================================

2010/07/27 21:18:04.0346 Detected object count: 1

2010/07/27 21:18:55.0643 intelppm (9fd96f57a1b40af0b6ff3d68593b7c19) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/07/27 21:18:55.0643 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelppm.sys. Real md5: 9fd96f57a1b40af0b6ff3d68593b7c19, Fake md5: 8c953733d8f36eb2133f5bb58808b66b

2010/07/27 21:18:56.0314 Backup copy found, using it..

2010/07/27 21:18:56.0346 C:\WINDOWS\system32\DRIVERS\intelppm.sys - will be cured after reboot

2010/07/27 21:18:56.0346 Rootkit.Win32.TDSS.tdl3(intelppm) - User select action: Cure

2010/07/27 21:19:02.0299 Deinitialize success

and here is the other one:

ComboFix 10-07-27.01 - Owner 07/27/2010 21:39:11.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1982 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\g2mdlhlpx.exe

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\A0lAxB.jpg

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\A3m7aBx.jpg

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\aO0y3.jpg

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\B53b0a.jpg

c:\documents and settings\Owner\Recent\Thumbs.db

c:\program files\Internet Explorer\Plugins\npqtplugin2.dll

c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll

c:\program files\Internet Explorer\Plugins\npqtplugin4.dll

c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll

c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll

c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll

c:\program files\QuickTime\Plugins\npqtplugin2.dll

c:\program files\QuickTime\Plugins\npqtplugin3.dll

c:\program files\QuickTime\Plugins\npqtplugin4.dll

c:\program files\QuickTime\Plugins\npqtplugin5.dll

c:\program files\QuickTime\Plugins\npqtplugin6.dll

c:\program files\QuickTime\Plugins\npqtplugin7.dll

c:\program files\Shared

c:\windows\acufozuz.dll

.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))

.

2010-07-28 02:22 . 2010-07-28 02:22 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{682C99AA-1B1E-4427-9092-48FC5CF159BF}

2010-07-26 16:00 . 2010-07-26 16:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\lbyvcgsmq

2010-07-25 06:41 . 2010-07-25 06:41 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\dyvhvrnwc

2010-07-19 10:53 . 2010-07-19 10:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{0FDA65B4-3FEE-4E94-9EC3-C315C8C28519}

2010-07-13 23:39 . 2010-07-13 23:39 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{5BDB6C7C-54D2-48A3-90B9-0EDFF96B1BBA}

2010-07-12 11:52 . 2010-07-12 11:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{258626A1-FA86-4D19-AD58-B71885453FAD}

2010-07-12 01:10 . 2010-07-12 01:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{F09D793D-913B-4F52-B5CE-48F93448829C}

2010-07-12 00:24 . 2010-07-12 01:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{E82CDC65-D3B4-463B-A56E-85905920E8F1}

2010-07-12 00:15 . 2010-07-12 01:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{7C566C15-DBB8-470D-8CD5-F3DCA576CF31}

2010-07-11 21:58 . 2010-07-12 01:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{4189BEF2-2767-4294-A7B1-0C8B1EEFE490}

2010-07-10 19:18 . 2010-07-12 01:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{C54C6E4A-CA87-4ABD-B130-09AEC372A5A2}

2010-07-10 17:09 . 2010-07-12 01:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{19177630-995E-4FA6-8397-8799911C1C7B}

2010-07-10 16:28 . 2010-07-12 01:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{F6A2D5D5-1A79-48FF-9A15-5F4A07838DB6}

2010-07-10 16:12 . 2010-07-12 01:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{D923AA26-308D-47A4-ADCB-72AECF9B5388}

2010-07-10 15:34 . 2010-07-12 01:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{947382DB-39EB-46D6-BF28-547763E3BE3F}

2010-07-10 14:37 . 2010-07-10 14:37 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{B376E164-DF2A-4E7B-9D3C-699FD67AB5CD}

2010-07-10 14:15 . 2010-07-10 14:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{09D24B01-9033-4AD1-A656-171EF16C2964}

2010-07-10 08:56 . 2010-07-10 15:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\cqepqxxsw

2010-07-10 08:54 . 2010-07-10 08:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-10 04:34 . 2010-07-10 04:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{335C706C-7314-4106-A9DC-8855F895E38C}

2010-07-09 13:19 . 2010-07-09 13:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{E3C7DCA5-26A9-4B67-A356-88E0AE2B58C7}

2010-07-09 03:38 . 2010-07-09 03:38 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{21F7A5FC-4004-41C2-8C1B-3493ADB664A6}

2010-07-08 13:52 . 2010-07-10 08:57 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-08 13:42 . 2010-07-08 13:42 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{77695730-F0FD-491C-8603-A3655CCEEF28}

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-28 02:32 . 2009-07-25 20:37 -------- d-----w- c:\program files\Symantec AntiVirus

2010-07-28 02:20 . 2004-08-03 22:59 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys

2010-07-10 14:15 . 2010-03-23 20:33 0 ----a-w- c:\windows\Awosuro.dat

2010-07-09 11:50 . 2010-03-23 20:33 0 ----a-w- c:\windows\Bjedokimakige.bin

2010-06-29 13:21 . 2010-04-07 01:07 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe

2010-05-27 21:55 . 2010-05-27 21:55 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-618ca634-n\msvcp71.dll

2010-05-27 21:55 . 2010-05-27 21:55 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6d0dceae-n\decora-sse.dll

2010-05-27 21:55 . 2010-05-27 21:55 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-618ca634-n\jmc.dll

2010-05-27 21:55 . 2010-05-27 21:55 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-618ca634-n\msvcr71.dll

2010-05-27 21:55 . 2010-05-27 21:55 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6d0dceae-n\decora-d3d.dll

2010-05-19 04:07 . 2010-05-19 04:07 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4954fdff-n\msvcp71.dll

2010-05-19 04:07 . 2010-05-19 04:07 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4954fdff-n\jmc.dll

2010-05-19 04:07 . 2010-05-19 04:07 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4954fdff-n\msvcr71.dll

2010-05-19 04:07 . 2010-05-19 04:07 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2f8f527f-n\decora-sse.dll

2010-05-19 04:07 . 2010-05-19 04:07 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2f8f527f-n\decora-d3d.dll

2010-05-04 17:20 . 2004-08-04 00:56 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 00:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 00:56 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2004-08-03 23:17 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 20:39 . 2009-07-25 20:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 20:39 . 2009-07-25 20:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-21 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 86016]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 61952]

"Mixersel"="c:\program files\Realtek\InstallShield\mixersel.exe" [2003-11-11 369664]

"SoundMan"="SOUNDMAN.EXE" [2004-10-21 77824]

"AlcWzrd"="ALCWZRD.EXE" [2004-10-22 2744832]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-20 198160]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 10:11 PM 102448]

S0 ftnwj;ftnwj; [x]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\D.tmp --> c:\windows\system32\D.tmp [?]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB

*Deregistered* - klmdb

.

Contents of the 'Scheduled Tasks' folder

2010-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://forecast.weather.gov/MapClick.php?CityName=Brandon&state=MS&site=JAN&textField1=32.2805&textField2=-90.0038&e=0

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Tberacufotizici - c:\windows\acufozuz.dll

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-27 21:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\D.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-07-27 21:44:59

ComboFix-quarantined-files.txt 2010-07-28 02:44

Pre-Run: 178,967,904,256 bytes free

Post-Run: 179,593,535,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 83330B8514345F6EA58097A096A9AFD9

Fran

Link to post
Share on other sites

  • Close any open browsers.
  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

KILLALL::

Folder::
c:\documents and settings\Owner\Local Settings\Application Data\{682C99AA-1B1E-4427-9092-48FC5CF159BF}
c:\documents and settings\Owner\Local Settings\Application Data\lbyvcgsmq
c:\documents and settings\Owner\Local Settings\Application Data\dyvhvrnwc
c:\documents and settings\Owner\Local Settings\Application Data\{0FDA65B4-3FEE-4E94-9EC3-C315C8C28519}
c:\documents and settings\Owner\Local Settings\Application Data\{5BDB6C7C-54D2-48A3-90B9-0EDFF96B1BBA}
c:\documents and settings\Owner\Local Settings\Application Data\{258626A1-FA86-4D19-AD58-B71885453FAD}
c:\documents and settings\Owner\Local Settings\Application Data\{F09D793D-913B-4F52-B5CE-48F93448829C}
c:\documents and settings\Owner\Local Settings\Application Data\{E82CDC65-D3B4-463B-A56E-85905920E8F1}
c:\documents and settings\Owner\Local Settings\Application Data\{7C566C15-DBB8-470D-8CD5-F3DCA576CF31}
c:\documents and settings\Owner\Local Settings\Application Data\{4189BEF2-2767-4294-A7B1-0C8B1EEFE490}
c:\documents and settings\Owner\Local Settings\Application Data\{C54C6E4A-CA87-4ABD-B130-09AEC372A5A2}
c:\documents and settings\Owner\Local Settings\Application Data\{19177630-995E-4FA6-8397-8799911C1C7B}
c:\documents and settings\Owner\Local Settings\Application Data\{F6A2D5D5-1A79-48FF-9A15-5F4A07838DB6}
c:\documents and settings\Owner\Local Settings\Application Data\{D923AA26-308D-47A4-ADCB-72AECF9B5388}
c:\documents and settings\Owner\Local Settings\Application Data\{947382DB-39EB-46D6-BF28-547763E3BE3F}
c:\documents and settings\Owner\Local Settings\Application Data\{B376E164-DF2A-4E7B-9D3C-699FD67AB5CD}
c:\documents and settings\Owner\Local Settings\Application Data\{09D24B01-9033-4AD1-A656-171EF16C2964}
c:\documents and settings\NetworkService\Local Settings\Application Data\cqepqxxsw
c:\documents and settings\Owner\Local Settings\Application Data\{335C706C-7314-4106-A9DC-8855F895E38C}
c:\documents and settings\Owner\Local Settings\Application Data\{E3C7DCA5-26A9-4B67-A356-88E0AE2B58C7}
c:\documents and settings\Owner\Local Settings\Application Data\{21F7A5FC-4004-41C2-8C1B-3493ADB664A6}
c:\documents and settings\Owner\Local Settings\Application Data\{77695730-F0FD-491C-8603-A3655CCEEF28}


Driver::
ftnwj

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

cfscriptb4.gif

This will start ComboFix again. It may ask to reboot. This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

Thanks Kenny,

Here is what I got

ComboFix 10-07-27.01 - Owner 07/31/2010 13:45:38.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1872 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\NetworkService\Local Settings\Application Data\cqepqxxsw

c:\documents and settings\Owner\Local Settings\Application Data\{09D24B01-9033-4AD1-A656-171EF16C2964}

c:\documents and settings\Owner\Local Settings\Application Data\{09D24B01-9033-4AD1-A656-171EF16C2964}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{09D24B01-9033-4AD1-A656-171EF16C2964}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{09D24B01-9033-4AD1-A656-171EF16C2964}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{0FDA65B4-3FEE-4E94-9EC3-C315C8C28519}

c:\documents and settings\Owner\Local Settings\Application Data\{0FDA65B4-3FEE-4E94-9EC3-C315C8C28519}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{0FDA65B4-3FEE-4E94-9EC3-C315C8C28519}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{0FDA65B4-3FEE-4E94-9EC3-C315C8C28519}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{19177630-995E-4FA6-8397-8799911C1C7B}

c:\documents and settings\Owner\Local Settings\Application Data\{19177630-995E-4FA6-8397-8799911C1C7B}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{19177630-995E-4FA6-8397-8799911C1C7B}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{19177630-995E-4FA6-8397-8799911C1C7B}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{21F7A5FC-4004-41C2-8C1B-3493ADB664A6}

c:\documents and settings\Owner\Local Settings\Application Data\{21F7A5FC-4004-41C2-8C1B-3493ADB664A6}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{21F7A5FC-4004-41C2-8C1B-3493ADB664A6}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{21F7A5FC-4004-41C2-8C1B-3493ADB664A6}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{258626A1-FA86-4D19-AD58-B71885453FAD}

c:\documents and settings\Owner\Local Settings\Application Data\{258626A1-FA86-4D19-AD58-B71885453FAD}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{258626A1-FA86-4D19-AD58-B71885453FAD}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{258626A1-FA86-4D19-AD58-B71885453FAD}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{335C706C-7314-4106-A9DC-8855F895E38C}

c:\documents and settings\Owner\Local Settings\Application Data\{335C706C-7314-4106-A9DC-8855F895E38C}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{335C706C-7314-4106-A9DC-8855F895E38C}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{335C706C-7314-4106-A9DC-8855F895E38C}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{4189BEF2-2767-4294-A7B1-0C8B1EEFE490}

c:\documents and settings\Owner\Local Settings\Application Data\{4189BEF2-2767-4294-A7B1-0C8B1EEFE490}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{4189BEF2-2767-4294-A7B1-0C8B1EEFE490}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{4189BEF2-2767-4294-A7B1-0C8B1EEFE490}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{5BDB6C7C-54D2-48A3-90B9-0EDFF96B1BBA}

c:\documents and settings\Owner\Local Settings\Application Data\{5BDB6C7C-54D2-48A3-90B9-0EDFF96B1BBA}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{5BDB6C7C-54D2-48A3-90B9-0EDFF96B1BBA}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{5BDB6C7C-54D2-48A3-90B9-0EDFF96B1BBA}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{682C99AA-1B1E-4427-9092-48FC5CF159BF}

c:\documents and settings\Owner\Local Settings\Application Data\{682C99AA-1B1E-4427-9092-48FC5CF159BF}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{682C99AA-1B1E-4427-9092-48FC5CF159BF}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{682C99AA-1B1E-4427-9092-48FC5CF159BF}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{77695730-F0FD-491C-8603-A3655CCEEF28}

c:\documents and settings\Owner\Local Settings\Application Data\{77695730-F0FD-491C-8603-A3655CCEEF28}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{77695730-F0FD-491C-8603-A3655CCEEF28}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{77695730-F0FD-491C-8603-A3655CCEEF28}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{7C566C15-DBB8-470D-8CD5-F3DCA576CF31}

c:\documents and settings\Owner\Local Settings\Application Data\{7C566C15-DBB8-470D-8CD5-F3DCA576CF31}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{7C566C15-DBB8-470D-8CD5-F3DCA576CF31}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{7C566C15-DBB8-470D-8CD5-F3DCA576CF31}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{947382DB-39EB-46D6-BF28-547763E3BE3F}

c:\documents and settings\Owner\Local Settings\Application Data\{947382DB-39EB-46D6-BF28-547763E3BE3F}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{947382DB-39EB-46D6-BF28-547763E3BE3F}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{947382DB-39EB-46D6-BF28-547763E3BE3F}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{B376E164-DF2A-4E7B-9D3C-699FD67AB5CD}

c:\documents and settings\Owner\Local Settings\Application Data\{B376E164-DF2A-4E7B-9D3C-699FD67AB5CD}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{B376E164-DF2A-4E7B-9D3C-699FD67AB5CD}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{B376E164-DF2A-4E7B-9D3C-699FD67AB5CD}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{C54C6E4A-CA87-4ABD-B130-09AEC372A5A2}

c:\documents and settings\Owner\Local Settings\Application Data\{C54C6E4A-CA87-4ABD-B130-09AEC372A5A2}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{C54C6E4A-CA87-4ABD-B130-09AEC372A5A2}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{C54C6E4A-CA87-4ABD-B130-09AEC372A5A2}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{D923AA26-308D-47A4-ADCB-72AECF9B5388}

c:\documents and settings\Owner\Local Settings\Application Data\{D923AA26-308D-47A4-ADCB-72AECF9B5388}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{D923AA26-308D-47A4-ADCB-72AECF9B5388}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{D923AA26-308D-47A4-ADCB-72AECF9B5388}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{E3C7DCA5-26A9-4B67-A356-88E0AE2B58C7}

c:\documents and settings\Owner\Local Settings\Application Data\{E3C7DCA5-26A9-4B67-A356-88E0AE2B58C7}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{E3C7DCA5-26A9-4B67-A356-88E0AE2B58C7}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{E3C7DCA5-26A9-4B67-A356-88E0AE2B58C7}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{E82CDC65-D3B4-463B-A56E-85905920E8F1}

c:\documents and settings\Owner\Local Settings\Application Data\{E82CDC65-D3B4-463B-A56E-85905920E8F1}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{E82CDC65-D3B4-463B-A56E-85905920E8F1}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{E82CDC65-D3B4-463B-A56E-85905920E8F1}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{F09D793D-913B-4F52-B5CE-48F93448829C}

c:\documents and settings\Owner\Local Settings\Application Data\{F09D793D-913B-4F52-B5CE-48F93448829C}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{F09D793D-913B-4F52-B5CE-48F93448829C}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{F09D793D-913B-4F52-B5CE-48F93448829C}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\{F6A2D5D5-1A79-48FF-9A15-5F4A07838DB6}

c:\documents and settings\Owner\Local Settings\Application Data\{F6A2D5D5-1A79-48FF-9A15-5F4A07838DB6}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{F6A2D5D5-1A79-48FF-9A15-5F4A07838DB6}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{F6A2D5D5-1A79-48FF-9A15-5F4A07838DB6}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\dyvhvrnwc

c:\documents and settings\Owner\Local Settings\Application Data\lbyvcgsmq

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FTNWJ

-------\Service_ftnwj

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))

.

2010-07-28 02:54 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-10 08:54 . 2010-07-10 08:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-08 13:52 . 2010-07-10 08:57 664 ----a-w- c:\windows\system32\d3d9caps.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-31 18:51 . 2009-07-25 20:37 -------- d-----w- c:\program files\Symantec AntiVirus

2010-07-28 02:20 . 2004-08-03 22:59 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys

2010-07-10 14:15 . 2010-03-23 20:33 0 ----a-w- c:\windows\Awosuro.dat

2010-07-09 11:50 . 2010-03-23 20:33 0 ----a-w- c:\windows\Bjedokimakige.bin

2010-06-29 13:21 . 2010-04-07 01:07 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe

2010-06-14 14:31 . 2009-07-25 17:32 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-05-27 21:55 . 2010-05-27 21:55 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-618ca634-n\msvcp71.dll

2010-05-27 21:55 . 2010-05-27 21:55 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6d0dceae-n\decora-sse.dll

2010-05-27 21:55 . 2010-05-27 21:55 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-618ca634-n\jmc.dll

2010-05-27 21:55 . 2010-05-27 21:55 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-618ca634-n\msvcr71.dll

2010-05-27 21:55 . 2010-05-27 21:55 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6d0dceae-n\decora-d3d.dll

2010-05-19 04:07 . 2010-05-19 04:07 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4954fdff-n\msvcp71.dll

2010-05-19 04:07 . 2010-05-19 04:07 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4954fdff-n\jmc.dll

2010-05-19 04:07 . 2010-05-19 04:07 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4954fdff-n\msvcr71.dll

2010-05-19 04:07 . 2010-05-19 04:07 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2f8f527f-n\decora-sse.dll

2010-05-19 04:07 . 2010-05-19 04:07 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2f8f527f-n\decora-d3d.dll

2010-05-04 17:20 . 2004-08-04 00:56 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 00:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 00:56 17408 ------w- c:\windows\system32\corpol.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-07-28_02.42.56 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-31 18:51 . 2010-07-31 18:51 16384 c:\windows\temp\Perflib_Perfdata_224.dat

+ 2009-07-25 19:29 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-21 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 86016]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 61952]

"Mixersel"="c:\program files\Realtek\InstallShield\mixersel.exe" [2003-11-11 369664]

"SoundMan"="SOUNDMAN.EXE" [2004-10-21 77824]

"AlcWzrd"="ALCWZRD.EXE" [2004-10-22 2744832]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-20 198160]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 10:11 PM 102448]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\D.tmp --> c:\windows\system32\D.tmp [?]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]

.

Contents of the 'Scheduled Tasks' folder

2010-07-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://forecast.weather.gov/MapClick.php?CityName=Brandon&state=MS&site=JAN&textField1=32.2805&textField2=-90.0038&e=0

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-31 13:52

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\D.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3956)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\SOUNDMAN.EXE

c:\windows\ALCWZRD.EXE

.

**************************************************************************

.

Completion time: 2010-07-31 13:56:14 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-31 18:56

ComboFix2.txt 2010-07-28 02:45

Pre-Run: 179,469,672,448 bytes free

Post-Run: 179,447,746,560 bytes free

- - End Of File - - B5D6180798ED5021C13BF229FCFB502B

Link to post
Share on other sites

Smile we are getting closer. Good job you done there!

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

[*]Now click on: EOLS3.gif

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on: EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Link to post
Share on other sites

Here it is. When saving the log I clicked the x and it exited the program without my clicking finish. Don't know if that matters???

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=1db7a4f74cb9cf4f991acb01240b7dc8

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-07-31 08:49:20

# local_time=2010-07-31 03:49:20 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=56997

# found=1

# cleaned=0

# scan_time=2137

C:\Qoobox\Quarantine\C\WINDOWS\acufozuz.dll.vir a variant of Win32/Cimag.CK trojan 00000000000000000000000000000000 I

Link to post
Share on other sites

C:\Qoobox\Quarantine is ComboFix that we will remove.

Your Computer is Clean

CLEAN-1.jpg

Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
    CF_Uninstall-1.jpg
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything assoicated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips

6567E80CC55576485246E130E48A9FA8.png

Link to post
Share on other sites

  • 4 weeks later...
  • Staff

Glad we could help. :P

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.