
Infection Recovery



I think I've squashed what was harming my computer, but I would like someone to take a look at some logs to double check that I'm running cleanly as the computer infected was a work computer that handles sensitive information for a customer base. Previously had a svcnost.exe manipulating my registry, was infected with a scareware fake antivirus, had Google redirecting links to different search results - these have since been removed (I hope).

Any help would be greatly appreciated as I'm still uncomfortable using this computer for my work tasks.

My MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4413

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/10/2010 11:26:00 AM

mbam-log-2010-08-10 (11-26-00).txt

Scan type: Quick scan

Objects scanned: 164665

Time elapsed: 11 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

================================================

and my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:33:50 AM, on 8/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Common Files\Virtual Token\vtserver.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\SKDAEMON.EXE

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\IBMTOOLS\UTILS\ibmprc.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe

C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

C:\Program Files\SmarThru Office\BackUpSvr.exe

C:\Program Files\SmarThru Office\LegacyLauncher.exe

C:\WINDOWS\Twain_32\Samsung\SCX4x26\Scan2pc.exe

C:\WINDOWS\system32\DllHost.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\r2 Studios\HideOE\HideOE.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe

C:\WINDOWS\TEMP\CN86A6.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Outlook Express\msimn.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE

O4 - HKLM\..\Run: [uC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe

O4 - HKLM\..\Run: [updateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup

O4 - HKLM\..\Run: [iBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun

O4 - HKLM\..\Run: [sTO Backup Service] C:\Program Files\SmarThru Office\BackUpSvr.exe

O4 - HKLM\..\Run: [sTO Launcher Service] C:\Program Files\SmarThru Office\LegacyLauncher.exe /run

O4 - HKLM\..\Run: [4x26 Scan2PC] "C:\WINDOWS\Twain_32\Samsung\SCX4x26\Scan2pc.exe"

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot

O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [HideOE] "C:\Program Files\r2 Studios\HideOE\HideOE.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O8 - Extra context menu item: Capture Selection - C:\Program Files\SmarThru Office\WebCapture.dll2.htm

O8 - Extra context menu item: Save as HTML - C:\Program Files\SmarThru Office\WebCapture.dll1.htm

O8 - Extra context menu item: Save Selected Text - C:\Program Files\SmarThru Office\WebCapture.dll.htm

O8 - Extra context menu item: Web Capture - C:\Program Files\SmarThru Office\WebCapture.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Web Capture - {7BDBFB9E-FD6E-43c2-937A-5C9F33FEBE5F} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)

O9 - Extra 'Tools' menuitem: Web Capture - {7BDBFB9E-FD6E-43c2-937A-5C9F33FEBE5F} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)

O9 - Extra button: Capture Selection - {A36A58CC-70D5-4462-9C90-C0E9D244B230} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)

O9 - Extra 'Tools' menuitem: Capture Selection - {A36A58CC-70D5-4462-9C90-C0E9D244B230} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)

O9 - Extra button: Save Selected Text - {A5183750-A927-4ec3-B027-C633A2D5418C} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)

O9 - Extra 'Tools' menuitem: Save Selected Text - {A5183750-A927-4ec3-B027-C633A2D5418C} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)

O9 - Extra button: Save as HTML - {BDC4DF0E-D605-48d6-B4AF-CA5927A463EE} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)

O9 - Extra 'Tools' menuitem: Save as HTML - {BDC4DF0E-D605-48d6-B4AF-CA5927A463EE} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)

O11 - Options group: [JAVA_IBM] Java (IBM)

O15 - Trusted Zone: http://www.mendota-insurance.com

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://progressive.webex.com/client/T27LB/nbr/ieatgpc.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WolffDomain.local

O17 - HKLM\Software\..\Telephony: DomainName = WolffDomain.local

O17 - HKLM\System\CCS\Services\Tcpip\..\{514146E2-0761-45F2-A047-F09363C3A091}: NameServer = 192.168.0.7

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WolffDomain.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WolffDomain.local

O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe

O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)

O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--

End of file - 9370 bytes

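The request above is for a second pair of eyes on a HijackThis log. As an added example (editor's code, not a tool from this thread, from HijackThis or from Malwarebytes), the script below parses a constructed subset of the log posted above and applies the three checks a reviewer usually runs first: a process executing from a TEMP directory, an autorun (O4) entry that names a bare executable without a full path, and a service (O23) whose binary is marked missing. The heuristics, the `Finding` structure and the `SAMPLE_LOG` subset are the editor's assumptions; none of the flagged lines is asserted to be malicious, the point is that each one needs to be matched to the installer, updater or cleanup tool that produced it.

```python
"""Triage helper for a HijackThis-style log (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\CN86A6.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str   # short tag for the pattern matched (editor's naming)
    item: str   # path or entry the finding refers to
    note: str   # what a reviewer should verify


def parse_hjt(text):
    """Split a HijackThis log into the process list and the 'Oxx'/'Rx' entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process block
                in_procs = False
            else:
                processes.append(line)
            continue
        if re.match(r"^[RFO]\d+ - ", line):
            entries.append(line)
    return processes, entries


def command_path(cmd):
    """Return the executable part of an autorun command line (quoted or not)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # unquoted: cut at the first whitespace-separated /flag or -flag
    return re.split(r"\s+(?=[/-])", cmd, maxsplit=1)[0]


def triage(text):
    """Apply the three reviewer heuristics and return the entries worth a look."""
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        if TEMP_RE.search(proc):
            findings.append(Finding("temp_process", proc,
                "running from a TEMP directory; identify which installer or updater wrote it"))
    for entry in entries:
        m = O4_RE.match(entry)
        if m:
            path = command_path(m.group("cmd"))
            if "\\" not in path:    # bare name: resolved through the search path at logon
                findings.append(Finding("unqualified_autorun", path,
                    f"autorun '{m.group('name')}' has no full path; confirm which file actually loads"))
            continue
        m = O23_RE.match(entry)
        if m and m.group("path").endswith("(file missing)"):
            path = m.group("path")[: -len("(file missing)")].strip()
            findings.append(Finding("missing_service_binary", path,
                f"service '{m.group('name')}' points to a binary that is not on disk; orphaned entry"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.item}: {f.note}")
```

Run against the constructed sample it reports the TEMP executable, the `SKDAEMON.EXE` autorun and the `PsaSrv.exe` service; a full log is handled the same way, since the parser only keys on the `Running processes:` header and the `O4`/`O23` prefixes.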

Hello Ja-Wolph! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step. If there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we are working.
  • Keep me informed about any changes.

Please follow these instructions and post all logs if you can:

http://forums.malwarebytes.org/index.php?showtopic=9573


Hi Borislav,

Thanks for the help.

Here is my DDS log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by john at 10:18:30.67 on Wed 08/11/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.311 [GMT -5:00]

AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning enabled* (Updated) {3DEDDBC2-00FA-42F5-A6D6-90028E16A605}

FW: Trend Micro Client-Server Security Agent Firewall *disabled* {3DEDDBC2-00FA-42F5-A6D6-90028E16A605}

============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\SKDAEMON.EXE

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\IBMTOOLS\UTILS\ibmprc.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe

C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

C:\Program Files\SmarThru Office\BackUpSvr.exe

C:\Program Files\SmarThru Office\LegacyLauncher.exe

C:\WINDOWS\Twain_32\Samsung\SCX4x26\Scan2pc.exe

C:\WINDOWS\system32\DllHost.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\r2 Studios\HideOE\HideOE.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe

C:\WINDOWS\TEMP\CN86A6.EXE

C:\Program Files\Outlook Express\msimn.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\john\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [HideOE] "c:\program files\r2 studios\hideoe\HideOE.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Hot Key Kbd Daemon] SKDAEMON.EXE

mRun: [uC_Start] c:\program files\ibm\updater\\ucstartup.exe

mRun: [uC_SMB]

mRun: [<NO NAME>]

mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup

mRun: [iBMPRC] c:\ibmtools\utils\ibmprc.exe

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow

mRun: [samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun

mRun: [sTO Backup Service] c:\program files\smarthru office\BackUpSvr.exe

mRun: [sTO Launcher Service] c:\program files\smarthru office\LegacyLauncher.exe /run

mRun: [4x26 Scan2PC] "c:\windows\twain_32\samsung\scx4x26\Scan2pc.exe"

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot

mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot

StartupFolder: c:\docume~1\john\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

IE: Capture Selection - c:\program files\smarthru office\WebCapture.dll2.htm

IE: Save as HTML - c:\program files\smarthru office\WebCapture.dll1.htm

IE: Save Selected Text - c:\program files\smarthru office\WebCapture.dll.htm

IE: Web Capture - c:\program files\smarthru office\WebCapture.dll

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: mendota-insurance.com\www

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://progressive.webex.com/client/T27LB/nbr/ieatgpc.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: {514146E2-0761-45F2-A047-F09363C3A091} = 192.168.0.7

Notify: igfxcui - igfxsrvc.dll

Notify: LMIinit - LMIinit.dll

Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll

LSA: Notification Packages = scecli pwdmon

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\a9v93lbg.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-6-8 47640]

R2 OfcPfwSvc;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\OfcPfwSvc.exe [2007-8-6 282704]

R2 SmiHlp;SMI helper driver;c:\windows\system32\smihlp.sys [2005-1-27 3328]

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\tmxpflt.sys [2007-8-6 230928]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2007-8-6 36368]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-08-07 00:40:10 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys

2010-08-07 00:40:10 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys

2010-08-07 00:27:12 376 ----a-w- c:\windows\system32\.crusader

2010-08-07 00:17:08 134464 ----a-w- c:\windows\system32\LnkProtect.dll

2010-08-06 23:54:39 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-08-06 23:25:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-08-06 23:25:10 0 d-----w- c:\program files\Hitman Pro 3.5

2010-08-06 23:16:52 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-08-06 23:16:51 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-08-06 23:16:51 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-08-06 23:16:51 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-08-06 23:16:51 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-08-06 23:16:43 0 d-----w- c:\program files\Trojan Remover

2010-08-06 23:16:43 0 d-----w- c:\docume~1\john\applic~1\Simply Super Software

2010-08-06 23:16:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

2010-08-06 22:43:54 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-08-06 22:43:54 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-08-06 15:37:58 0 d-----w- c:\windows\system32\wbem\Repository

2010-08-06 15:17:02 0 dc----w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}

2010-08-06 15:15:32 0 d-----w- c:\program files\Lavasoft

2010-08-06 14:46:36 0 d-----w- C:\$AVG

2010-08-05 16:13:41 12536 ----a-w- c:\windows\system32\avgrsstx(2).dll

2010-08-05 16:13:10 0 d-----w- c:\windows\system32\drivers\Avg(2)

2010-08-05 16:07:44 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-08-05 16:07:04 0 d-----w- c:\windows\SxsCaPendDel

2010-08-03 22:30:38 0 d-----w- c:\windows\pss

2010-08-02 21:13:51 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-08-02 21:13:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-08-02 20:05:11 0 d-----w- c:\documents and settings\john\DoctorWeb

2010-08-02 16:13:25 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-14 16:34:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll

2010-06-11 18:58:45 103720 ----a-w- c:\documents and settings\john\GoToAssistDownloadHelper.exe

2010-06-09 15:23:54 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2010-06-09 15:23:53 29568 ----a-w- c:\windows\system32\LMIport.dll

2010-06-09 15:23:52 87424 ----a-w- c:\windows\system32\LMIinit.dll

============= FINISH: 10:19:14.25 ===============

And the attachment: Attach.zip

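The DDS log above ends with a "Created Last 30" block, which is the part a reviewer reads as a timeline: creations cluster on the days the cleanup tools were installed, and anything outside that pattern, or oddly named for its directory, gets matched to whatever wrote it. As an added example (editor's code, not from the thread or from DDS), the script below parses a constructed subset of that block, counts creations per day, and flags two name-versus-location mismatches: a dot-prefixed file directly in system32 and a GUID-named folder under Application Data. The line format, the `Entry` and `Flag` structures and the heuristics are the editor's assumptions; a flag means "find out which tool created this at that time", not "malicious".

```python
"""Timeline and naming checks over a DDS 'Created Last 30' block (added example)."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the 'Created Last 30' block in the DDS log above.
SAMPLE = r"""
2010-08-07 00:40:10 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-08-07 00:27:12 376 ----a-w- c:\windows\system32\.crusader
2010-08-07 00:17:08 134464 ----a-w- c:\windows\system32\LnkProtect.dll
2010-08-06 23:54:39 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-06 23:25:10 0 d-----w- c:\program files\Hitman Pro 3.5
2010-08-06 15:17:02 0 dc----w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-05 16:13:41 12536 ----a-w- c:\windows\system32\avgrsstx(2).dll
2010-08-02 21:13:51 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-14 16:34:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
"""

# date time size attrs path  (attrs is the 8-character DDS attribute field)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Entry:
    day: str
    time: str
    size: int
    attrs: str   # e.g. ----a-w-; a leading 'd' marks a directory
    path: str

    @property
    def is_dir(self):
        return self.attrs.startswith("d")


@dataclass
class Flag:
    kind: str
    path: str
    note: str


def parse_created(text):
    """Turn the 'Created Last 30' lines into Entry records, skipping anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, time, size, attrs, path = m.groups()
            entries.append(Entry(day, time, int(size), attrs, path))
    return entries


def per_day(entries):
    """Count creations per calendar day; the busy days are the window to examine."""
    return dict(Counter(e.day for e in entries))


def flag_entries(entries):
    """Flag entries whose name does not fit the convention of the directory they sit in."""
    flags = []
    for e in entries:
        parent = ntpath.dirname(e.path).lower()   # ntpath handles backslash paths on any OS
        name = ntpath.basename(e.path)
        if not e.is_dir and parent == r"c:\windows\system32" and name.startswith("."):
            flags.append(Flag("dotfile_in_system32", e.path,
                              "dot-prefixed file directly in system32 is unusual for Windows components; identify the writer"))
        elif e.is_dir and GUID_RE.match(name) and parent.endswith(("\\applic~1", "\\application data")):
            flags.append(Flag("guid_dir_in_appdata", e.path,
                              "GUID-named folder under Application Data; match it to an installer run at that time"))
        elif TEMP_RE.search(e.path):
            flags.append(Flag("temp_path", e.path, "created under a TEMP directory; identify the writer"))
    return flags


if __name__ == "__main__":
    found = parse_created(SAMPLE)
    for day, n in sorted(per_day(found).items(), reverse=True):
        print(f"{day}: {n} created")
    for f in flag_entries(found):
        print(f"[{f.kind}] {f.path}: {f.note}")
```

On the constructed subset the per-day counts peak on 6 and 7 August, which is when the poster's cleanup tools were installed, and the two flags are the `.crusader` file in system32 and the GUID folder under All Users' Application Data; both are questions for the tools installed in that window, which is exactly the cross-check the "Created Last 30" block exists to support.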

Step 1

Please go into the Control Panel, Add/Remove, and for now remove ALL versions of Java.

Then run this tool to help clean up any leftover Java:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
  • Then look for the following Java folders and, if found, delete them:
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

  1. JavaRa log
  2. Malwarebytes' Anti-Malware log
  3. DDS log with Attach.txt


Maniac,

Removed the following folders per your instruction:

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Windows\Sun

Doc & Settings folders were already non-existent.

==================================

Here is the JavaRa log:

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Fri Aug 13 10:03:03 2010

Found and removed: C:\Documents and Settings\john\Application Data\Sun\Java\jre1.6.0_14

Found and removed: C:\Documents and Settings\john\Application Data\Sun\Java\jre1.6.0_15

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC}

Found and removed: SOFTWARE\Classes\JavaPlugin.160_15

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_15

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\JavaPlugin.160_15

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_15

Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_15

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.

==================================

Here is the MBAM Log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4424

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/13/2010 10:39:10 AM

mbam-log-2010-08-13 (10-39-10).txt

Scan type: Quick scan

Objects scanned: 165238

Time elapsed: 11 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

==================================

Here is the DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by john at 13:29:39.07 on Fri 08/13/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.423 [GMT -5:00]

AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning enabled* (Updated) {3DEDDBC2-00FA-42F5-A6D6-90028E16A605}

FW: Trend Micro Client-Server Security Agent Firewall *disabled* {3DEDDBC2-00FA-42F5-A6D6-90028E16A605}

============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe

C:\WINDOWS\TEMP\NOE2F9.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\SKDAEMON.EXE

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\IBMTOOLS\UTILS\ibmprc.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe

C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

C:\Program Files\SmarThru Office\BackUpSvr.exe

C:\Program Files\SmarThru Office\LegacyLauncher.exe

C:\WINDOWS\Twain_32\Samsung\SCX4x26\Scan2pc.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\DllHost.exe

C:\Program Files\r2 Studios\HideOE\HideOE.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\outlook express\msimn.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\john\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [HideOE] "c:\program files\r2 studios\hideoe\HideOE.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Hot Key Kbd Daemon] SKDAEMON.EXE

mRun: [uC_Start] c:\program files\ibm\updater\\ucstartup.exe

mRun: [uC_SMB]

mRun: [<NO NAME>]

mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup

mRun: [iBMPRC] c:\ibmtools\utils\ibmprc.exe

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow

mRun: [samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun

mRun: [sTO Backup Service] c:\program files\smarthru office\BackUpSvr.exe

mRun: [sTO Launcher Service] c:\program files\smarthru office\LegacyLauncher.exe /run

mRun: [4x26 Scan2PC] "c:\windows\twain_32\samsung\scx4x26\Scan2pc.exe"

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot

mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot

StartupFolder: c:\docume~1\john\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

IE: Capture Selection - c:\program files\smarthru office\WebCapture.dll2.htm

IE: Save as HTML - c:\program files\smarthru office\WebCapture.dll1.htm

IE: Save Selected Text - c:\program files\smarthru office\WebCapture.dll.htm

IE: Web Capture - c:\program files\smarthru office\WebCapture.dll

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: mendota-insurance.com\www

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://progressive.webex.com/client/T27LB/nbr/ieatgpc.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: {514146E2-0761-45F2-A047-F09363C3A091} = 192.168.0.7

Notify: igfxcui - igfxsrvc.dll

Notify: LMIinit - LMIinit.dll

Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll

LSA: Notification Packages = scecli pwdmon

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\a9v93lbg.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-08-13 15:01:38 0 d-----w- c:\windows\system32\appmgmt

2010-08-07 00:40:10 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys

2010-08-07 00:40:10 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys

2010-08-07 00:27:12 376 ----a-w- c:\windows\system32\.crusader

2010-08-07 00:17:08 134464 ----a-w- c:\windows\system32\LnkProtect.dll

2010-08-06 23:54:39 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-08-06 23:25:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-08-06 23:25:10 0 d-----w- c:\program files\Hitman Pro 3.5

2010-08-06 23:16:52 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-08-06 23:16:51 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-08-06 23:16:51 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-08-06 23:16:51 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-08-06 23:16:51 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-08-06 23:16:43 0 d-----w- c:\program files\Trojan Remover

2010-08-06 23:16:43 0 d-----w- c:\docume~1\john\applic~1\Simply Super Software

2010-08-06 23:16:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

2010-08-06 22:43:54 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-08-06 22:43:54 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-08-06 15:37:58 0 d-----w- c:\windows\system32\wbem\Repository

2010-08-06 15:17:02 0 dc----w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}

2010-08-06 15:15:32 0 d-----w- c:\program files\Lavasoft

2010-08-06 14:46:36 0 d-----w- C:\$AVG

2010-08-05 16:13:41 12536 ----a-w- c:\windows\system32\avgrsstx(2).dll

2010-08-05 16:13:10 0 d-----w- c:\windows\system32\drivers\Avg(2)

2010-08-05 16:07:44 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-08-05 16:07:04 0 d-----w- c:\windows\SxsCaPendDel

2010-08-03 22:30:38 0 d-----w- c:\windows\pss

2010-08-02 21:13:51 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-08-02 21:13:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-08-02 20:05:11 0 d-----w- c:\documents and settings\john\DoctorWeb

2010-08-02 16:13:25 423656 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll

2010-06-24 22:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll

2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll

2010-06-24 12:22:01 611840 ------w- c:\windows\system32\dllcache\mstime.dll

2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll

2010-06-24 12:22:01 206848 ------w- c:\windows\system32\dllcache\occache.dll

2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll

2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll

2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll

2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll

2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys

2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys

2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll

2010-06-11 18:58:45 103720 ----a-w- c:\documents and settings\john\GoToAssistDownloadHelper.exe

2010-06-09 15:23:54 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2010-06-09 15:23:53 29568 ----a-w- c:\windows\system32\LMIport.dll

2010-06-09 15:23:52 87424 ----a-w- c:\windows\system32\LMIinit.dll

============= FINISH: 13:32:53.85 ===============

The attachment has been updated as well:

Attach2.zip

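As an added triage example (my own code, not part of this thread and not DDS's own tooling): a small Python script that walks a DDS log like the one above and flags the three items the helper's fix later acts on: an executable running from C:\WINDOWS\TEMP, a non-default entry in LSA: Notification Packages (the pwdmon.dll that ComboFix deletes in the next log), and a dot-prefixed file in system32. The sample lines are a constructed excerpt of the posted log; the heuristics and the scecli-only baseline are assumptions of mine, not DDS output.

```python
import re

# Constructed excerpt of the DDS log posted above (not the full log).
SAMPLE_DDS_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\TEMP\NOE2F9.EXE
C:\WINDOWS\Explorer.EXE
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
LSA: Notification Packages = scecli pwdmon
=============== Created Last 30 ================
2010-08-07 00:40:10 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-08-07 00:27:12 376 ----a-w- c:\windows\system32\.crusader
2010-08-07 00:17:08 134464 ----a-w- c:\windows\system32\LnkProtect.dll
============= FINISH: 13:32:53.85 ===============
"""

# Assumption: a stock Windows XP box lists only scecli here. Every other
# name is a DLL that lsass.exe loads and hands each new password to.
DEFAULT_LSA_NOTIFY = {"scecli"}

# "====== Section name ======" banners that DDS uses to delimit its report.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<created> <size> <attrs> <path>" lines of the Created Last 30 section.
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")


def split_sections(text):
    """Map each DDS banner heading to the non-empty lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        match = SECTION_RE.match(line.strip())
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage_dds(text):
    """Return (severity, reason, offending line) tuples, in log order."""
    findings = []
    sections = split_sections(text)

    # 1. Anything executing out of a TEMP directory deserves a look;
    #    legitimate services do not live there.
    for proc in sections.get("Running Processes", []):
        image = proc.split(" -k ", 1)[0].lower()
        if "\\temp\\" in image:
            findings.append(("high", "process image in a TEMP directory", proc))

    # 2. LSA notification packages run inside lsass.exe; an extra entry
    #    is a classic credential-theft persistence point.
    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("LSA: Notification Packages"):
            packages = set(line.split("=", 1)[1].split())
            extra = sorted(packages - DEFAULT_LSA_NOTIFY)
            if extra:
                findings.append(("high", "non-default LSA notification package: "
                                 + ", ".join(extra), line))

    # 3. Dot-prefixed files are unusual in system32 and easy to overlook.
    for line in sections.get("Created Last 30", []):
        match = CREATED_RE.match(line)
        if not match:
            continue
        path = match.group(4).lower()
        name = path.rsplit("\\", 1)[-1]
        if "\\system32\\" in path and name.startswith("."):
            findings.append(("medium", "dot-prefixed file in system32", line))

    return findings


if __name__ == "__main__":
    for severity, reason, line in triage_dds(SAMPLE_DDS_LOG):
        print(f"[{severity}] {reason}: {line}")
```

A hit from this script is a lead to verify, not a verdict; the LSA check in particular only tells you the value differs from the XP default.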

Okay, thanks! :)

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Maniac,

Here is my combofix log:

ComboFix 10-08-15.04 - john 08/16/2010 9:07.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.616 [GMT -5:00]

Running from: c:\documents and settings\john\Desktop\Combo-Fix.exe

AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning disabled* (Outdated) {3DEDDBC2-00FA-42F5-A6D6-90028E16A605}

FW: Trend Micro Client-Server Security Agent Firewall *disabled* {3DEDDBC2-00FA-42F5-A6D6-90028E16A605}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\john\GoToAssistDownloadHelper.exe

c:\documents and settings\john\My Documents\Readiris.DUS

C:\Install.exe

c:\windows\system32\pwdmon.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PROCEXP141

((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))

.

2010-08-07 21:25 . 2010-07-27 00:13 3683248 ----a-w- c:\documents and settings\john\Application Data\Simply Super Software\Trojan Remover\mnb1E.exe

2010-08-07 00:40 . 2008-04-14 05:09 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys

2010-08-07 00:40 . 2008-04-14 05:09 23040 ----a-w- c:\windows\system32\dllcache\mouclass.sys

2010-08-07 00:17 . 2010-08-07 00:17 134464 ----a-w- c:\windows\system32\LnkProtect.dll

2010-08-06 23:54 . 2010-08-16 13:49 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-08-06 23:52 . 2010-08-06 23:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-08-06 23:30 . 2010-08-06 23:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software

2010-08-06 23:30 . 2010-07-27 00:13 3683248 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\mdr1.exe

2010-08-06 23:25 . 2010-08-07 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-08-06 23:25 . 2010-08-06 23:25 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-08-06 23:17 . 2010-08-07 21:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-06 23:16 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-08-06 23:16 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-08-06 23:16 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-08-06 23:16 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-08-06 23:16 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-08-06 23:16 . 2010-08-06 23:16 -------- d-----w- c:\program files\Trojan Remover

2010-08-06 23:16 . 2010-08-06 23:16 -------- d-----w- c:\documents and settings\john\Application Data\Simply Super Software

2010-08-06 23:16 . 2010-08-06 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software

2010-08-06 22:43 . 2008-04-14 05:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-08-06 22:43 . 2008-04-14 05:09 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-08-06 15:37 . 2010-08-06 15:37 -------- d-----w- c:\windows\system32\wbem\Repository

2010-08-06 15:17 . 2010-08-06 15:37 -------- dc----w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}

2010-08-06 15:15 . 2010-08-06 15:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-08-06 15:15 . 2010-08-06 15:15 -------- d-----w- c:\program files\Lavasoft

2010-08-06 14:46 . 2010-08-06 14:46 -------- d-----w- C:\$AVG

2010-08-06 04:24 . 2010-08-06 04:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-08-05 16:13 . 2010-08-05 16:13 12536 ----a-w- c:\windows\system32\avgrsstx(2).dll

2010-08-05 16:13 . 2010-08-06 12:21 -------- d-----w- c:\windows\system32\drivers\Avg(2)

2010-08-05 16:07 . 2010-08-10 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-08-05 16:07 . 2010-08-05 18:38 -------- d-----w- c:\windows\SxsCaPendDel

2010-08-03 23:15 . 2010-08-03 23:15 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-08-03 23:14 . 2010-08-03 23:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Samsung

2010-08-03 23:14 . 2010-08-03 23:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LogMeIn

2010-08-03 23:14 . 2010-08-03 23:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\S2PC

2010-08-03 22:15 . 2010-08-03 22:15 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2010-08-03 22:13 . 2010-08-03 22:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-08-03 22:13 . 2010-08-03 22:13 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-08-02 21:13 . 2010-08-03 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-02 21:13 . 2010-08-02 21:16 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-02 20:05 . 2010-08-02 20:05 -------- d-----w- c:\documents and settings\john\DoctorWeb

2010-08-02 16:13 . 2010-08-02 16:13 503808 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-73bd78f9-n\msvcp71.dll

2010-08-02 16:13 . 2010-08-02 16:13 499712 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-73bd78f9-n\jmc.dll

2010-08-02 16:13 . 2010-08-02 16:13 348160 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-73bd78f9-n\msvcr71.dll

2010-08-02 16:13 . 2010-08-02 16:13 61440 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5175851b-n\decora-sse.dll

2010-08-02 16:13 . 2010-08-02 16:13 12800 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5175851b-n\decora-d3d.dll

2010-08-02 16:13 . 2010-07-17 10:00 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-30 17:21 . 2010-07-30 17:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-16 13:43 . 2009-06-08 21:20 -------- d-----w- c:\program files\LogMeIn

2010-08-14 13:40 . 2009-06-08 18:58 -------- d--h--w- c:\documents and settings\All Users\Application Data\catalog.wci

2010-08-13 20:53 . 2009-06-08 21:05 1 ----a-w- c:\documents and settings\john\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-08-04 15:14 . 2008-10-31 16:58 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-08-04 15:11 . 2010-03-03 21:53 -------- d-----w- c:\program files\Coupons

2010-07-19 14:26 . 2009-10-01 16:26 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-30 12:31 . 1980-01-01 08:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-28 21:46 . 2010-06-28 21:46 -------- d-----w- c:\documents and settings\john\Application Data\Malwarebytes

2010-06-28 21:43 . 2010-06-28 21:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-28 21:43 . 2010-06-28 21:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-28 21:27 . 2009-06-08 18:21 -------- d-----w- c:\program files\Trend Micro

2010-06-24 12:22 . 1980-01-01 08:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 1980-01-01 08:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 1980-01-01 08:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 1980-01-01 08:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2004-08-09 18:52 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 1980-01-01 08:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-09 15:23 . 2009-06-08 21:20 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2010-06-09 15:23 . 2009-06-08 21:20 29568 ----a-w- c:\windows\system32\LMIport.dll

2010-06-09 15:23 . 2009-06-08 21:20 87424 ----a-w- c:\windows\system32\LMIinit.dll

2010-05-24 16:44 . 2010-05-24 16:44 348160 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3e256fac-n\msvcr71.dll

2010-05-24 16:44 . 2010-05-24 16:44 503808 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3e256fac-n\msvcp71.dll

2010-05-24 16:44 . 2010-05-24 16:44 499712 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3e256fac-n\jmc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-12-11 446464]

"HideOE"="c:\program files\r2 Studios\HideOE\HideOE.exe" [2003-07-24 32768]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-23 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-23 126976]

"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2004-12-17 40960]

"UC_Start"="c:\program files\IBM\Updater\\ucstartup.exe" [2004-07-15 36864]

"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-12-11 446464]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-03-07 122939]

"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2005-01-28 286818]

"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-12-16 90112]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 394952]

"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-18 536576]

"STO Backup Service"="c:\program files\SmarThru Office\BackUpSvr.exe" [2008-08-06 192512]

"STO Launcher Service"="c:\program files\SmarThru Office\LegacyLauncher.exe" [2008-08-06 331776]

"4x26 Scan2PC"="c:\windows\Twain_32\Samsung\SCX4x26\Scan2pc.exe" [2008-07-23 495616]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-08-02 1167808]

"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-08-07 6289216]

c:\documents and settings\john\Start Menu\Programs\Startup\

OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2010-06-09 15:23 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2005-01-28 01:49 110176 ----a-w- c:\program files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=

"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]

R2 SmiHlp;SMI helper driver;c:\windows\system32\smihlp.sys [1/27/2005 8:42 PM 3328]

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [8/6/2007 2:24 PM 230928]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [8/6/2007 2:24 PM 36368]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>

IE: Capture Selection - c:\program files\SmarThru Office\WebCapture.dll2.htm

IE: Save as HTML - c:\program files\SmarThru Office\WebCapture.dll1.htm

IE: Save Selected Text - c:\program files\SmarThru Office\WebCapture.dll.htm

IE: Web Capture - c:\program files\SmarThru Office\WebCapture.dll

Trusted Zone: mendota-insurance.com\www

TCP: {514146E2-0761-45F2-A047-F09363C3A091} = 192.168.0.7

FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\a9v93lbg.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-UC_SMB - (no file)

AddRemove-Coupon Printer for Windows5.0.0.0 - c:\program files\Coupons\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-16 09:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)

c:\windows\system32\LMIinit.dll

c:\program files\IBM fingerprint software\psfus.dll

c:\program files\Common Files\Virtual Token\psutil.dll

c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(1112)

c:\windows\system32\WININET.dll

c:\windows\system32\SKHOOKS.dll

c:\windows\system32\SKUtil.DLL

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\LMIRfsClientNP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Virtual Token\vtserver.exe

c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\SKDAEMON.EXE

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\windows\system32\DllHost.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\outlook express\msimn.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\windows\system32\cisvc.exe

c:\windows\system32\cidaemon.exe

c:\windows\system32\cidaemon.exe

c:\program files\Trend Micro\Client Server Security Agent\Misc\xpupg.exe

c:\program files\Trend Micro\Client Server Security Agent\pccntupd.exe

.

**************************************************************************

.

Completion time: 2010-08-16 09:21:33 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-16 14:21

Pre-Run: 20,593,049,600 bytes free

Post-Run: 20,961,980,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 5392F2283CF4915360A17F2C772DCB0E


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.


Hi Maniac,

Appreciate the help; looks like this came up clean.

The TDSSKiller Log:

2010/08/17 09:12:50.0901 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23

2010/08/17 09:12:50.0901 ================================================================================

2010/08/17 09:12:50.0901 SystemInfo:

2010/08/17 09:12:50.0901

2010/08/17 09:12:50.0901 OS Version: 5.1.2600 ServicePack: 3.0

2010/08/17 09:12:50.0901 Product type: Workstation

2010/08/17 09:12:50.0901 ComputerName: IBMWEST

2010/08/17 09:12:50.0901 UserName: john

2010/08/17 09:12:50.0901 Windows directory: C:\WINDOWS

2010/08/17 09:12:50.0901 System windows directory: C:\WINDOWS

2010/08/17 09:12:50.0901 Processor architecture: Intel x86

2010/08/17 09:12:50.0901 Number of processors: 2

2010/08/17 09:12:50.0901 Page size: 0x1000

2010/08/17 09:12:50.0901 Boot type: Normal boot

2010/08/17 09:12:50.0901 ================================================================================

2010/08/17 09:12:51.0166 Initialize success

2010/08/17 09:13:03.0057 ================================================================================

2010/08/17 09:13:03.0057 Scan started

2010/08/17 09:13:03.0057 Mode: Manual;

2010/08/17 09:13:03.0057 ================================================================================


2010/08/17 09:13:30.0713 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2010/08/17 09:13:30.0869 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2010/08/17 09:13:31.0088 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/08/17 09:13:31.0229 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/08/17 09:13:31.0401 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/08/17 09:13:31.0541 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/08/17 09:13:31.0698 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/08/17 09:13:31.0854 tfsnboio (818bc02bffb1370961092c6b5b61effd) C:\WINDOWS\system32\dla\tfsnboio.sys

2010/08/17 09:13:32.0010 tfsncofs (d416d123824bb68bd42337220eabd0f8) C:\WINDOWS\system32\dla\tfsncofs.sys

2010/08/17 09:13:32.0151 tfsndrct (d727ba310c389b8aaf430c6eb43bb6cc) C:\WINDOWS\system32\dla\tfsndrct.sys

2010/08/17 09:13:32.0291 tfsndres (585c7608520d78db044305e8e87e7aaa) C:\WINDOWS\system32\dla\tfsndres.sys

2010/08/17 09:13:32.0416 tfsnifs (8cd4967293437d61da143be54c4059f5) C:\WINDOWS\system32\dla\tfsnifs.sys

2010/08/17 09:13:32.0604 tfsnopio (8b99b4d9b8a63e2a4364654dfc371417) C:\WINDOWS\system32\dla\tfsnopio.sys

2010/08/17 09:13:32.0744 tfsnpool (a7608fbe5c71e742cf22c622a4e143b2) C:\WINDOWS\system32\dla\tfsnpool.sys

2010/08/17 09:13:32.0885 tfsnudf (b2f93bba5135535f087808c50877d18d) C:\WINDOWS\system32\dla\tfsnudf.sys

2010/08/17 09:13:33.0073 tfsnudfa (ff0251484aaeae12263538ef877a5f4b) C:\WINDOWS\system32\dla\tfsnudfa.sys

2010/08/17 09:13:33.0244 tmcomm (eb2283c0a4dfbd2e53d14f2c4d5a1e89) C:\WINDOWS\system32\drivers\tmcomm.sys

2010/08/17 09:13:33.0354 TmFilter (3e615f370f0c7db414b6bcd1c18399d4) C:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys

2010/08/17 09:13:33.0463 TmPreFilter (c7c7959ec0940e0eddfc881fed8ec214) C:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys

2010/08/17 09:13:33.0619 TM_CFW (6ebec57eb4b4b29c8a90d3c32a588f3e) C:\Program Files\Trend Micro\Client Server Security Agent\tm_cfw.sys

2010/08/17 09:13:34.0057 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2010/08/17 09:13:34.0213 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/08/17 09:13:34.0354 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2010/08/17 09:13:34.0510 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/08/17 09:13:34.0682 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/08/17 09:13:34.0823 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/08/17 09:13:34.0979 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/08/17 09:13:35.0119 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/08/17 09:13:35.0260 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/08/17 09:13:35.0416 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/08/17 09:13:35.0573 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/08/17 09:13:35.0729 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/08/17 09:13:35.0885 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2010/08/17 09:13:36.0088 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/08/17 09:13:36.0244 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/08/17 09:13:36.0401 VSApiNt (60dfbc34228ca36221b03460789f5d4e) C:\Program Files\Trend Micro\Client Server Security Agent\VSApiNt.sys

2010/08/17 09:13:36.0588 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/08/17 09:13:36.0854 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/08/17 09:13:37.0041 ================================================================================

2010/08/17 09:13:37.0041 Scan finished

2010/08/17 09:13:37.0041 ================================================================================

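For readers who want to do more with a driver listing like the one above than eyeball it, here is an added example (not part of this thread and not TDSSKiller's own code) that parses the log format shown, flags drivers loaded from outside the usual Windows driver directories so a reviewer can look at them first, and compares each file's reported MD5 against a baseline. The sample log lines are copied from the post above; the "standard directory" set and the `KNOWN_GOOD` baseline are assumptions made for the demo (the baseline reuses hashes from this very log, which a real check must never do), and the "tampered" line with an all-zero hash is constructed.

```python
import re
from collections import namedtuple

# Shape of one TDSSKiller driver line as posted above:
#   2010/08/17 09:13:23.0885 PptpMiniport (efeec01b...) C:\WINDOWS\system32\DRIVERS\raspptp.sys
# Separator and "Scan finished" lines carry a timestamp but no "(md5)" group, so they do not match.
DRIVER_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+"
    r"(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>.+?)\s*$"
)

DriverEntry = namedtuple("DriverEntry", "timestamp name md5 path")

# Assumption for the demo: where Windows XP normally keeps its own drivers.
# Anything elsewhere is not automatically bad (third-party security products
# legitimately load from Program Files), it is just where a reviewer looks first.
STANDARD_DIRS = {r"c:\windows\system32\drivers", r"c:\windows\system32"}

# Constructed baseline: these two hashes are taken from the log above purely to
# make the demo self-contained. A real baseline comes from a known-clean machine
# or vendor data, never from the log you are trying to validate.
KNOWN_GOOD = {
    "raspptp.sys": "efeec01b1d3cf84f16ddd24d9d9d8f99",
    "vga.sys": "0d3a8fafceacd8b7625cd549757a7df1",
}

# Sample input: four lines copied from the post above plus the trailer lines.
SAMPLE_LOG = r"""
2010/08/17 09:13:23.0885 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/08/17 09:13:31.0854 tfsnboio (818bc02bffb1370961092c6b5b61effd) C:\WINDOWS\system32\dla\tfsnboio.sys

2010/08/17 09:13:33.0354 TmFilter (3e615f370f0c7db414b6bcd1c18399d4) C:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys

2010/08/17 09:13:35.0729 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/08/17 09:13:37.0041 ================================================================================

2010/08/17 09:13:37.0041 Scan finished
"""

# Constructed line with a placeholder all-zero hash, to show a baseline mismatch.
TAMPERED_SAMPLE = r"""
2010/08/17 09:13:35.0729 VgaSave (00000000000000000000000000000000) C:\WINDOWS\System32\drivers\vga.sys
"""


def parse_tdsskiller_log(text):
    """Return a DriverEntry for every driver line; skip separators, blanks and trailer."""
    entries = []
    for line in text.splitlines():
        m = DRIVER_LINE.match(line.strip())
        if m:
            entries.append(DriverEntry(m["ts"], m["name"], m["md5"].lower(), m["path"]))
    return entries


def directory_of(path):
    """Lower-cased directory part of a Windows path (case-insensitive filesystem)."""
    return path.rsplit("\\", 1)[0].lower()


def outside_standard_dirs(entries):
    """Entries whose file lives outside the usual driver directories: review these first."""
    return [e for e in entries if directory_of(e.path) not in STANDARD_DIRS]


def hash_mismatches(entries, known_good):
    """Entries whose filename is in the baseline but whose reported MD5 differs."""
    out = []
    for e in entries:
        fname = e.path.rsplit("\\", 1)[-1].lower()
        expected = known_good.get(fname)
        if expected is not None and expected.lower() != e.md5:
            out.append(e)
    return out


if __name__ == "__main__":
    entries = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(entries)} drivers parsed")
    for e in outside_standard_dirs(entries):
        print(f"review (non-standard location): {e.name} -> {e.path}")
    for e in hash_mismatches(parse_tdsskiller_log(TAMPERED_SAMPLE), KNOWN_GOOD):
        print(f"hash mismatch vs baseline: {e.name} {e.md5} {e.path}")
```

The location check is deliberately a triage aid, not a verdict: in the log above both `tfsnboio.sys` (Sonic DLA) and the Trend Micro filters are flagged only because they live outside `system32\drivers`. The baseline comparison is the stronger signal, and it is only as good as where the baseline hashes came from.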

Nice job! :)

Last steps:

Step 1

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2

Please manually delete DDS, GMER, JavaRa and TDSSKiller.

Step 3

Please download and install the latest version of Java from:

www.java.com/en

Step 4

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :(


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.