Internet Connection/Antivirus IS



So I'm currently in the aftermath of an Antivirus IS attack on my Toshiba laptop. During the attack, which I believe started while visiting The Pirate Bay, the virus would spawn tons of virus notifications and wouldn't let me execute files; not only .exe files, but rkill.com and rkill.scr wouldn't work without executing them several times.

I finally got it to stop and Rkill returned this:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Ran as Ian on 10/03/2010 at 16:49:16.

Services Stopped:

Processes terminated by Rkill or while it was running:
C:\DOCUME~1\IAN~1.TOS\LOCALS~1\Temp\fknunlots\ppvowldlanw.exe
C:\Documents and Settings\Ian.TOSHIBA\Desktop\rkill.scr

Rkill completed on 10/03/2010 at 16:49:19.

When I stopped ppvowldlanw from executing at startup and nothing happened, I assumed that was the culprit, so I deleted it and the registry entries associated with it:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\DOCUME~1\IAN~1.TOS\LOCALS~1\Temp\fknunlots\ppvowldlanw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ssvrplcs "command" and "item"
HKEY_USERS\S-1-5-21-839522115-308236825-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\DOCUME~1\IAN~1.TOS\LOCALS~1\Temp\fknunlots\ppvowldlanw.exe"

I, of course, immediately regretted doing this because I have no idea what the hell I'm doing, but it's too late now.

The virus, if there was only one, has left my computer in a sluggish state and I am unable to access the internet; however, my wireless connection says I'm receiving data. My TCP/IP Protocol Driver is nowhere to be found, although I have the tcpip.sys file in System32.

After I killed the process I ran Mbam, here's the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

10/3/2010 4:42:21 PM
mbam-log-2010-10-03 (16-42-21).txt

Scan type: Full scan (C:\|)
Objects scanned: 285211
Time elapsed: 1 hour(s), 25 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.66,93.188.166.5 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{05537258-580c-48e4-9c1f-0911c90a5f5f}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.66,93.188.166.5 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a01e5e8d-e55f-4d77-9855-b627c68b48ba}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.66,93.188.166.5 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Truck Dismount\msvcp60.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Truck Dismount\msvcrt.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Porrasturvat - Stair Dismount\msvcp60.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ian.TOSHIBA\Local Settings\Temp\0.05439107563726808.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

I tried scanning the ppvowldlanw.exe file, but avast! (currently updated) and Mbam (not updated; no internet when I got it off another computer) didn't find anything with it. I even accidentally started the file when I put in the wrong directory and the whole pop-up process started again; this was when I deleted everything.

So I got Defogger, DDS and GMER. I've attached attach.txt and ark.txt, and here's the DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Ian at 17:57:19.42 on Tue 10/05/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.618 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\Ian.TOSHIBA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:27811
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\ian.toshiba\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [3FWHZQA3LT] c:\docume~1\ian~1.tos\locals~1\temp\Vnt.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ian~1.tos\applic~1\mozilla\firefox\profiles\5kqaf3et.default\
FF - plugin: c:\documents and settings\ian.toshiba\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-8-5 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-5 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-18 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-18 40384]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-9-30 116736]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-18 40384]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-4-4 14424]

=============== Created Last 30 ================

2010-10-05 21:52:41 176 ----a-w- c:\documents and settings\ian.toshiba\defogger_reenable
2010-10-05 02:49:39 0 d-----w- C:\Inetpub
2010-10-03 21:57:14 290 ----a-w- C:\Shortcut to SQ004033P03 ©.lnk
2010-10-03 19:01:48 0 d-----w- c:\docume~1\ian~1.tos\applic~1\Malwarebytes
2010-10-03 18:52:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-03 18:51:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-03 18:51:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-03 18:51:57 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-09-30 23:25:17 190976 ----a-w- c:\windows\Vguwob.exe
2010-09-30 23:25:03 190976 ----a-w- c:\windows\Vguwoa.exe
2010-09-19 21:55:32 766 ----a-w- c:\windows\attwns.ico
2010-09-19 21:55:25 2998 ----a-w- c:\windows\setup.ico
2010-09-16 22:13:57 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2010-09-16 22:13:57 17212 ----a-w- c:\windows\system32\SIntf32.dll
2010-09-16 22:13:57 12067 ----a-w- c:\windows\system32\SIntf16.dll
2010-09-16 21:47:08 531 ----a-w- c:\windows\SIERRA.INI
2010-09-13 02:06:59 0 d-----w- c:\program files\Carpe Fulgur

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2009-08-08 17:57:06 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009080820090809\index.dat
2010-06-18 05:57:37 16384 -csha-w- c:\windows\temp\cookies\index.dat
2010-06-18 05:57:37 32768 -csha-w- c:\windows\temp\history\history.ie5\index.dat
2010-06-18 05:57:37 32768 -csha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 17:58:08.81 ===============

Let me know what else I can do.

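As an added example (not code from this thread or from any of the tools it mentions), here is a small Python triage script that applies, to DDS, HijackThis and Malwarebytes lines like the ones posted above, the three checks a helper makes by eye: a browser proxy pointed at the loopback address, autorun entries launched from a Temp folder or carrying a random-looking name, and NameServer data pointing at resolvers you do not trust. The sample lines are constructed from entries in this post; the trusted resolver 192.168.1.1 is an assumed home-router address.

```python
import re
from ipaddress import ip_address

# Line shapes seen in DDS pseudo-HJT output, HijackThis O4 lines and
# Malwarebytes "Registry Data Items" lines, as posted in this thread.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.IGNORECASE)
AUTORUN_RE = re.compile(
    r"(?:^[um]Run:|^O4 - HK(?:LM|CU)\\\.\.\\Run:)\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$",
    re.IGNORECASE,
)
NAMESERVER_RE = re.compile(
    r"NameServer\b(?:\s*=\s*|.*?Data:\s*)(?P<servers>[\d.,\s]+?)\s*(?:->|$)",
    re.IGNORECASE,
)
# Run-key names like 3FWHZQA3LT / SMH2B46TDP: upper-case alphanumerics, 8+ chars.
RANDOM_NAME_RE = re.compile(r"^[A-Z0-9]{8,}$")


def looks_random(name):
    """True for names made only of capitals and digits that mix both."""
    return (bool(RANDOM_NAME_RE.match(name))
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def triage(lines, trusted_dns):
    """Return (rule, detail) findings for the three indicators described above.

    trusted_dns: resolver addresses you expect to see (router / ISP);
    any other public address found in NameServer data is reported."""
    trusted = {ip_address(ip) for ip in trusted_dns}
    findings, seen = [], set()

    def report(rule, detail):
        if (rule, detail) not in seen:       # the same hit can appear on several keys
            seen.add((rule, detail))
            findings.append((rule, detail))

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            value = m.group("value")
            # "http=127.0.0.1:27811" -> host "127.0.0.1"
            host = value.split("=")[-1].rsplit(":", 1)[0]
            if host in ("127.0.0.1", "localhost"):
                report("loopback-proxy", value)
            continue
        m = AUTORUN_RE.search(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if "\\temp\\" in cmd.lower():
                report("autorun-from-temp", f"{name} -> {cmd}")
            if looks_random(name):
                report("autorun-random-name", f"{name} -> {cmd}")
            continue
        m = NAMESERVER_RE.search(line)
        if m:
            for ip in m.group("servers").split(","):
                ip = ip.strip()
                if not ip:
                    continue
                try:
                    addr = ip_address(ip)
                except ValueError:           # malformed data, skip rather than crash
                    continue
                if addr not in trusted and not addr.is_private:
                    report("untrusted-dns", ip)
    return findings


# Constructed sample: entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:27811
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [3FWHZQA3LT] c:\docume~1\ian~1.tos\locals~1\temp\Vnt.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.66,93.188.166.5 -> Quarantined and deleted successfully.
""".strip().splitlines()

# Assumed: the home router at 192.168.1.1 is the only expected resolver.
TRUSTED_DNS = ["192.168.1.1"]


def scan_sample():
    return triage(SAMPLE_LOG, TRUSTED_DNS)


if __name__ == "__main__":
    for rule, detail in scan_sample():
        print(f"{rule:22} {detail}")
```

Anything it reports is a lead to verify, not a verdict: a loopback proxy or a foreign resolver is exactly what leaves a machine "connected" but unable to browse after the malware itself is gone.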

So I had already done the proxy server thing before, and some other stuff like typing ipconfig into the command prompt and all that, to no avail. I did the fix.reg thing too, no luck. Some good news, though: I got the newest update from another computer, updated my mbam to the 9/26/10 version, and it found some new stuff. Here is the mbam log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4700
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

10/6/2010 9:48:36 AM
mbam-log-2010-10-06 (09-48-36).txt

Scan type: Quick scan
Objects scanned: 196658
Time elapsed: 10 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\3FWHZQA3LT (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SMH2B46TDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3fwhzqa3lt (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users.WINDOWS\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Documents\Server\server.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ian.TOSHIBA\Local Settings\Temp\Vnt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:53:24 AM, on 10/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\Ian.TOSHIBA\Application Data\U3\000016761772E122\LaunchPad.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ian.TOSHIBA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

--
End of file - 6848 bytes

Just as a note, the original virus wasn't overtly active when I originally posted, though I don't know if it's still around in my computer.


I am on a wireless router. I've already tried the winsock thing as well and nothing changed. I'm not sure if it will help but the TCP/IP Protocol Driver service is missing, and it seems to be messing up other services. I don't know what any of this means, though.


What does the Device Manager look like? Any red checks by any devices?

-------------------------

Run TDSSKiller on the computer and see if it finds anything:

Download TDSSKiller to your Desktop.

Double-click on TDSSKiller.exe to run the application, then click on Start Scan.

Don't Change These Settings:

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

You may be asked to reboot the computer to complete the process. Click on Reboot Now.

To view the report:

Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

MrC


Nope, no red checks that I can see.

I was alerted to a malfunction in the TCP/IP driver when it was suggested elsewhere that I review the event log. This is what I found labeled as "error":

The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:

The dependency service does not exist or has been marked for deletion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

After that is this, and these two error entries keep repeating one after the other:

The TCP/IP Protocol Driver service depends on the following nonexistent service: IPSec

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

When I go into services it actually says that IPSec depends upon TCP/IP, and I can't find the TCP/IP service anywhere, but I can find the IPSec service.

Here is the TDSSKiller log:

2010/10/07 14:19:53.0312 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/07 14:19:53.0312 ================================================================================
2010/10/07 14:19:53.0312 SystemInfo:
2010/10/07 14:19:53.0312
2010/10/07 14:19:53.0312 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/07 14:19:53.0312 Product type: Workstation
2010/10/07 14:19:53.0312 ComputerName: TOSHIBA
2010/10/07 14:19:53.0312 UserName: Ian
2010/10/07 14:19:53.0312 Windows directory: C:\WINDOWS
2010/10/07 14:19:53.0312 System windows directory: C:\WINDOWS
2010/10/07 14:19:53.0312 Processor architecture: Intel x86
2010/10/07 14:19:53.0312 Number of processors: 2
2010/10/07 14:19:53.0312 Page size: 0x1000
2010/10/07 14:19:53.0312 Boot type: Normal boot
2010/10/07 14:19:53.0312 ================================================================================
2010/10/07 14:19:53.0812 Initialize success
2010/10/07 14:19:57.0468 ================================================================================
2010/10/07 14:19:57.0468 Scan started
2010/10/07 14:19:57.0468 Mode: Manual;
2010/10/07 14:19:57.0468 ================================================================================


2010/10/07 14:20:08.0328 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/10/07 14:20:08.0437 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/10/07 14:20:08.0500 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

2010/10/07 14:20:08.0546 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/10/07 14:20:08.0593 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/10/07 14:20:08.0687 pbfilter (65fb0c4aa30d84849e0e4c97cb5501ce) C:\Program Files\PeerBlock\pbfilter.sys

2010/10/07 14:20:08.0875 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/10/07 14:20:08.0968 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/10/07 14:20:09.0015 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2010/10/07 14:20:09.0234 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/10/07 14:20:09.0265 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/10/07 14:20:09.0296 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/10/07 14:20:09.0359 PxHelp20 (40f2031bd9148d3194353ea7dec97a07) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/10/07 14:20:09.0531 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/10/07 14:20:09.0718 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/10/07 14:20:09.0750 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/10/07 14:20:09.0828 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/10/07 14:20:09.0890 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/10/07 14:20:09.0921 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/10/07 14:20:09.0968 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/10/07 14:20:10.0031 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/10/07 14:20:10.0203 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/10/07 14:20:10.0328 s24trans (2862adb14481ac28f98105ff33a99eb0) C:\WINDOWS\system32\DRIVERS\s24trans.sys

2010/10/07 14:20:10.0453 SbieDrv (d5223bb45782b35407148a47255497c7) C:\Program Files\Sandboxie\SbieDrv.sys

2010/10/07 14:20:10.0531 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2010/10/07 14:20:10.0656 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/10/07 14:20:10.0750 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2010/10/07 14:20:10.0796 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/10/07 14:20:10.0921 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/10/07 14:20:11.0031 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\System32\Drivers\sptd.sys

2010/10/07 14:20:11.0140 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/10/07 14:20:11.0218 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/10/07 14:20:11.0328 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/10/07 14:20:11.0375 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/10/07 14:20:11.0671 SynTP (e295fffff3aaf9a6a40b29497901908f) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2010/10/07 14:20:11.0703 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/10/07 14:20:11.0796 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/10/07 14:20:11.0875 TcUsb (53900527fa5e2ccc818c5894383772d1) C:\WINDOWS\system32\Drivers\tcusb.sys

2010/10/07 14:20:11.0921 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/10/07 14:20:11.0953 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/10/07 14:20:12.0031 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/10/07 14:20:12.0187 tifm21 (f779ba4cd37963ab4600c9871b7752a3) C:\WINDOWS\system32\drivers\tifm21.sys

2010/10/07 14:20:12.0265 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys

2010/10/07 14:20:12.0328 Tvs (546dfba6486569120d33f7ad6e94efdd) C:\WINDOWS\system32\DRIVERS\Tvs.sys

2010/10/07 14:20:12.0390 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/10/07 14:20:12.0484 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/10/07 14:20:12.0593 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\WINDOWS\system32\Drivers\usbaapl.sys

2010/10/07 14:20:12.0718 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/10/07 14:20:12.0796 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/10/07 14:20:12.0859 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/10/07 14:20:12.0921 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/10/07 14:20:12.0953 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/10/07 14:20:12.0984 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/10/07 14:20:13.0078 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/10/07 14:20:13.0140 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/10/07 14:20:13.0250 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/10/07 14:20:13.0593 ================================================================================

2010/10/07 14:20:13.0593 Scan finished

2010/10/07 14:20:13.0593 ================================================================================


Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


So after I installed the driver using the C:\Windows\inf directory and was returned to the screen, the "uninstall" button is greyed out. I looked around a little and found some reports that said XP systems don't allow the uninstallation of the driver. Are there any XP alternatives? I performed all the steps correctly up until this point.


So I ran it and it didn't return any error messages, but after restart nothing has changed.

I have neglected to mention it until now, and I don't know if it's any use to you at all, but about two to three minutes after start up I have been receiving a "Driver Error" message since the virus hit, and it concerns my PeerBlock.

It reads:

Driver Error

PeerBlock is unable to load the packet filtering driver.

This could happen if PeerBlock crashed and didn't have a chance to unload the driver, or if the file pbfilter.sys can't be found.

class win32_error

StartService

1068

The dependency service or group failed to start.

This is also when my internet connection icon appears, telling me I'm connected, and when I get a Windows balloon telling me my firewall is not turned on.

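StartService error 1068 means one of the driver's dependencies did not start. The following is an added diagnostic example, not code from this thread or from PeerBlock: it walks the DependOnService chain of a service or driver from the registry and reports each link's start type and state, so a missing or stopped dependency (the page's missing TCP/IP driver is one candidate) shows up as a row. It assumes Windows PowerShell 5.1 or later with read access to HKLM; the function name is hypothetical.

```powershell
# Added example (not from this thread): find the failed link behind
# StartService error 1068 by walking a service's dependency chain.
# Assumes Windows PowerShell 5.1+ and read access to HKLM.
function Get-ServiceDependencyChain {
    param([Parameter(Mandatory)][string]$Name)

    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $startTypes  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $seen  = @{}                                  # hashtable keys are case-insensitive
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($Name)

    while ($queue.Count -gt 0) {
        $svc = $queue.Dequeue()
        if ($seen.ContainsKey($svc)) { continue }
        $seen[$svc] = $true

        $key = Join-Path $servicesKey $svc
        if (-not (Test-Path $key)) {
            # A dependency whose registry key is gone is a classic root cause of 1068.
            [pscustomobject]@{ Service = $svc; Start = '?'; State = 'MISSING'; ImagePath = $null }
            continue
        }
        $props = Get-ItemProperty -Path $key

        # Kernel drivers such as pbfilter.sys are not returned by Get-Service;
        # Win32_SystemDriver and Win32_Service together cover both kinds.
        $obj = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$svc'"
        if (-not $obj) { $obj = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'" }
        $state = if ($obj) { $obj.State } else { 'NOT REGISTERED' }

        $start = if ($null -ne $props.Start) { $startTypes[[int]$props.Start] } else { '?' }

        [pscustomobject]@{
            Service   = $svc
            Start     = $start
            State     = $state
            ImagePath = $props.ImagePath
        }

        # DependOnService is REG_MULTI_SZ and may be absent. Group dependencies
        # (DependOnGroup) are not followed here.
        foreach ($dep in @($props.DependOnService)) {
            if ($dep) { $queue.Enqueue($dep) }
        }
    }
}

# Start with the driver PeerBlock could not load; any row whose State is not
# 'Running' (or is MISSING) is the dependency that error 1068 is about.
Get-ServiceDependencyChain -Name 'pbfilter' | Format-Table -AutoSize
```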

The best advice I can give you is to Google this:

PeerBlock is unable to load the packet filtering driver

There are a lot of hits; below are just a few:

http://forums.peerblock.com/read.php?3,2139 <----PeerBlock forum

http://forums.malwarebytes.org/index.php?showtopic=44701

http://forums.peerblock.com/read.php?3,2674

This is something I'm really not that knowledgeable on.

-----------------------------------------

We could run one other program to check for malware and related problems. I've been a little reluctant to have you run it on this computer, so just make sure you have any important items backed up. ComboFix is a very powerful tool.

Please download and run ComboFix:

A few notes first:

  • ComboFix is compatible exclusively with W2K, XP, Vista, and Windows 7 (32-bit only).
  • ComboFix must be run from an Administrative account.
  • Vista and W7 users - Right click, choose "Run as Administrator"
  • It must be downloaded to and run from your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can and will interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    ComboFix Guide <---please read!

---------------------------

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit. More info HERE<-------
    They may interfere with the running of ComboFix.
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix permanently prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun ASAP!

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If a reboot doesn't restore your connection, please try this:

Check HERE

For XP systems download and run WinSockFix

Vista users: Check HERE

Windows 7 systems: Download and run this Winsockfix.bat

5. Give ComboFix at least 20-30 minutes to finish if needed.

MrC


I'm not sure why this happened, but I had to manually install the recovery console. When I did so, I didn't realize I was using an older version of combofix to install it, I found this out when I was informed it would be running on "REDUCED FUNCTIONALITY". So I downloaded another ComboFix which ran normally, but it said I didn't have the recovery console installed, even when I had just done so. Even so, it ran through nicely with no error messages so here's the log:

ComboFix 10-10-18.06 - Administrator 10/19/2010 17:41:55.1.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.812 [GMT -4:00]

Running from: c:\documents and settings\Administrator.TOSHIBA\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Common

.

((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))

.

2010-10-06 20:04 . 2010-10-06 20:04 -------- d-----w- c:\documents and settings\Ian.TOSHIBA\Application Data\CVS

2010-10-06 13:36 . 2010-10-06 13:36 388096 ----a-r- c:\documents and settings\Ian.TOSHIBA\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-10-06 13:36 . 2010-10-06 13:36 -------- d-----w- c:\program files\Trend Micro

2010-10-05 02:49 . 2010-10-05 02:49 -------- d-----w- C:\Inetpub

2010-10-03 19:01 . 2010-10-03 19:01 -------- d-----w- c:\documents and settings\Ian.TOSHIBA\Application Data\Malwarebytes

2010-10-03 18:52 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-03 18:51 . 2010-10-03 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-03 18:51 . 2010-10-03 18:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2010-10-03 18:51 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-01 03:29 . 2010-10-01 03:29 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft

2010-09-30 23:51 . 2010-09-30 23:51 -------- d-----w- c:\documents and settings\Administrator.TOSHIBA

2010-09-30 23:25 . 2010-09-30 23:25 190976 ----a-w- c:\windows\Vguwob.exe

2010-09-30 23:25 . 2010-09-30 23:24 190976 ----a-w- c:\windows\Vguwoa.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]

@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"

[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]

2007-11-14 16:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]

@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"

[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]

2007-11-14 16:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 16206848]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]

"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 149280]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]

c:\documents and settings\Ian\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-6-12 59080]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-2-16 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2007-11-14 16:07 96008 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ssvrplcs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]

2007-11-14 15:38 49416 -c--a-w- c:\program files\Protector Suite QL\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]

2009-09-30 09:15 387584 ----a-w- c:\program files\Sandboxie\SbieCtrl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=

"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

"c:\\Documents and Settings\\Ian.TOSHIBA\\My Documents\\Downloads\\mule_windows_1.1.0\\mule\\data\\lib\\jre\\bin\\java.exe"=

"c:\\Program Files\\SPSSInc\\SPSS16\\SPSSWinWrapIDE.exe"=

"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=

"c:\\Program Files\\SPSSInc\\SPSS16\\spss.com"=

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]

S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [4/4/2010 3:42 PM 14424]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/15/2009 1:03 PM 691696]

.

Contents of the 'Scheduled Tasks' folder

2010-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-308236825-725345543-1003Core.job

- c:\documents and settings\Ian.TOSHIBA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-07 13:55]

2010-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-308236825-725345543-1003UA.job

- c:\documents and settings\Ian.TOSHIBA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-07 13:55]

.

.

------- Supplementary Scan -------

.

FF - ProfilePath - c:\documents and settings\Administrator.TOSHIBA\Application Data\Mozilla\Firefox\Profiles\yfeyifwz.default\

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

AddRemove-ESPNMotion - c:\progra~1\ESPNMO~1\UNWISE.EXE

AddRemove-Final Fantasy VII - c:\program files\Square Soft

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(228)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\Protector Suite QL\infql2.dll

c:\program files\Protector Suite QL\applaun.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\biokmd.dll

c:\program files\Protector Suite QL\bioset.dll

c:\program files\Protector Suite QL\capikey.dll

c:\program files\Protector Suite QL\crypto.dll

c:\program files\Protector Suite QL\devinsp.dll

c:\program files\Protector Suite QL\enrset.dll

c:\program files\Protector Suite QL\farchns.dll

c:\program files\Protector Suite QL\fdhome.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\infcore.dll

c:\program files\Protector Suite QL\lgnset.dll

c:\program files\Protector Suite QL\ms2fs.dll

c:\program files\Protector Suite QL\navset.dll

c:\program files\Protector Suite QL\ntrucore.dll

c:\program files\Protector Suite QL\otp.dll

c:\program files\Protector Suite QL\otprsa.dll

c:\windows\system32\WININET.dll

c:\program files\Protector Suite QL\psqltray.dll

c:\program files\Protector Suite QL\psuiteax.dll

c:\program files\Protector Suite QL\pwdbank.dll

c:\program files\Protector Suite QL\pwdkmd.dll

c:\program files\Protector Suite QL\qlbase.dll

c:\program files\Protector Suite QL\secuset.dll

c:\program files\Protector Suite QL\sndset.dll

c:\program files\Protector Suite QL\sysset.dll

c:\program files\Protector Suite QL\tbxset.dll

c:\program files\Protector Suite QL\tpminit.dll

c:\program files\Protector Suite QL\tpmkey.dll

- - - - - - - > 'lsass.exe'(284)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\Protector Suite QL\infql2.dll

c:\program files\Protector Suite QL\applaun.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\biokmd.dll

c:\program files\Protector Suite QL\bioset.dll

c:\program files\Protector Suite QL\capikey.dll

c:\program files\Protector Suite QL\crypto.dll

c:\program files\Protector Suite QL\devinsp.dll

c:\program files\Protector Suite QL\enrset.dll

c:\program files\Protector Suite QL\farchns.dll

c:\program files\Protector Suite QL\fdhome.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\infcore.dll

c:\program files\Protector Suite QL\lgnset.dll

c:\program files\Protector Suite QL\ms2fs.dll

c:\program files\Protector Suite QL\navset.dll

c:\program files\Protector Suite QL\ntrucore.dll

c:\program files\Protector Suite QL\otp.dll

c:\program files\Protector Suite QL\otprsa.dll

c:\windows\system32\WININET.dll

c:\program files\Protector Suite QL\psqltray.dll

c:\program files\Protector Suite QL\psuiteax.dll

c:\program files\Protector Suite QL\pwdbank.dll

c:\program files\Protector Suite QL\pwdkmd.dll

c:\program files\Protector Suite QL\qlbase.dll

c:\program files\Protector Suite QL\secuset.dll

c:\program files\Protector Suite QL\sndset.dll

c:\program files\Protector Suite QL\sysset.dll

c:\program files\Protector Suite QL\tbxset.dll

c:\program files\Protector Suite QL\tpminit.dll

c:\program files\Protector Suite QL\tpmkey.dll

- - - - - - - > 'explorer.exe'(1952)

c:\windows\system32\WININET.dll

c:\program files\Protector Suite QL\farchns.dll

c:\program files\Protector Suite QL\infql2.dll

c:\program files\Protector Suite QL\applaun.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\biokmd.dll

c:\program files\Protector Suite QL\bioset.dll

c:\program files\Protector Suite QL\capikey.dll

c:\program files\Protector Suite QL\crypto.dll

c:\program files\Protector Suite QL\devinsp.dll

c:\program files\Protector Suite QL\enrset.dll

c:\program files\Protector Suite QL\fdhome.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\infcore.dll

c:\program files\Protector Suite QL\lgnset.dll

c:\program files\Protector Suite QL\ms2fs.dll

c:\program files\Protector Suite QL\navset.dll

c:\program files\Protector Suite QL\ntrucore.dll

c:\program files\Protector Suite QL\otp.dll

c:\program files\Protector Suite QL\otprsa.dll

c:\program files\Protector Suite QL\psqltray.dll

c:\program files\Protector Suite QL\psuiteax.dll

c:\program files\Protector Suite QL\pwdbank.dll

c:\program files\Protector Suite QL\pwdkmd.dll

c:\program files\Protector Suite QL\qlbase.dll

c:\program files\Protector Suite QL\secuset.dll

c:\program files\Protector Suite QL\sndset.dll

c:\program files\Protector Suite QL\sysset.dll

c:\program files\Protector Suite QL\tbxset.dll

c:\program files\Protector Suite QL\tpminit.dll

c:\program files\Protector Suite QL\tpmkey.dll

.

Completion time: 2010-10-19 17:53:07

ComboFix-quarantined-files.txt 2010-10-19 21:53

Pre-Run: 13,926,416,384 bytes free

Post-Run: 14,039,822,336 bytes free

- - End Of File - - E6F5BF2DAA92A1B8F795EBB4AEDC3F1A


That's strange, that's the newest file I downloaded from this thread. I'm going to try to do the drag recovery console file over the combofix file thing again, and just run a new scan, because the log that you see is the only combofix scan I've ever done, and maybe not having properly installed the recovery console is messing it up.


Ok, here's the newest log:

ComboFix 10-10-18.06 - Ian 10/19/2010 18:57:36.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.635 [GMT -4:00]

Running from: c:\documents and settings\Ian.TOSHIBA\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ian.TOSHIBA\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

.

((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))

.

2010-10-06 20:04 . 2010-10-06 20:04 -------- d-----w- c:\documents and settings\Ian.TOSHIBA\Application Data\CVS

2010-10-06 13:36 . 2010-10-06 13:36 388096 ----a-r- c:\documents and settings\Ian.TOSHIBA\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-10-06 13:36 . 2010-10-06 13:36 -------- d-----w- c:\program files\Trend Micro

2010-10-05 02:49 . 2010-10-05 02:49 -------- d-----w- C:\Inetpub

2010-10-03 19:01 . 2010-10-03 19:01 -------- d-----w- c:\documents and settings\Ian.TOSHIBA\Application Data\Malwarebytes

2010-10-03 18:52 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-03 18:51 . 2010-10-03 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-03 18:51 . 2010-10-03 18:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2010-10-03 18:51 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-01 03:29 . 2010-10-01 03:29 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft

2010-09-30 23:51 . 2010-09-30 23:51 -------- d-----w- c:\documents and settings\Administrator.TOSHIBA

2010-09-30 23:25 . 2010-09-30 23:25 190976 ----a-w- c:\windows\Vguwob.exe

2010-09-30 23:25 . 2010-09-30 23:24 190976 ----a-w- c:\windows\Vguwoa.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-10-19_21.50.36 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-10-19 22:00 . 2010-10-19 22:00 16384 c:\windows\temp\Perflib_Perfdata_690.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]

@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"

[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]

2007-11-14 16:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]

@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"

[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]

2007-11-14 16:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Ian.TOSHIBA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-07 133104]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-08-11 288048]

"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 16206848]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]

"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 149280]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]

c:\documents and settings\Ian\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-6-12 59080]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-2-16 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2007-11-14 16:07 96008 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]

2007-11-14 15:38 49416 -c--a-w- c:\program files\Protector Suite QL\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]

2009-09-30 09:15 387584 ----a-w- c:\program files\Sandboxie\SbieCtrl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=

"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

"c:\\Documents and Settings\\Ian.TOSHIBA\\My Documents\\Downloads\\mule_windows_1.1.0\\mule\\data\\lib\\jre\\bin\\java.exe"=

"c:\\Program Files\\SPSSInc\\SPSS16\\SPSSWinWrapIDE.exe"=

"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=

"c:\\Program Files\\SPSSInc\\SPSS16\\spss.com"=

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]

S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [4/4/2010 3:42 PM 14424]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/15/2009 1:03 PM 691696]

.

Contents of the 'Scheduled Tasks' folder

2010-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-308236825-725345543-1003Core.job

- c:\documents and settings\Ian.TOSHIBA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-07 13:55]

2010-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-308236825-725345543-1003UA.job

- c:\documents and settings\Ian.TOSHIBA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-07 13:55]

.

.

------- Supplementary Scan -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Ian.TOSHIBA\Application Data\Mozilla\Firefox\Profiles\5kqaf3et.default\

FF - plugin: c:\documents and settings\Ian.TOSHIBA\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(368)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\Protector Suite QL\infql2.dll

c:\program files\Protector Suite QL\applaun.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\biokmd.dll

c:\program files\Protector Suite QL\bioset.dll

c:\program files\Protector Suite QL\capikey.dll

c:\program files\Protector Suite QL\crypto.dll

c:\program files\Protector Suite QL\devinsp.dll

c:\program files\Protector Suite QL\enrset.dll

c:\program files\Protector Suite QL\farchns.dll

c:\program files\Protector Suite QL\fdhome.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\infcore.dll

c:\program files\Protector Suite QL\lgnset.dll

c:\program files\Protector Suite QL\ms2fs.dll

c:\program files\Protector Suite QL\navset.dll

c:\program files\Protector Suite QL\ntrucore.dll

c:\program files\Protector Suite QL\otp.dll

c:\program files\Protector Suite QL\otprsa.dll

c:\windows\system32\WININET.dll

c:\program files\Protector Suite QL\psqltray.dll

c:\program files\Protector Suite QL\psuiteax.dll

c:\program files\Protector Suite QL\pwdbank.dll

c:\program files\Protector Suite QL\pwdkmd.dll

c:\program files\Protector Suite QL\qlbase.dll

c:\program files\Protector Suite QL\secuset.dll

c:\program files\Protector Suite QL\sndset.dll

c:\program files\Protector Suite QL\sysset.dll

c:\program files\Protector Suite QL\tbxset.dll

c:\program files\Protector Suite QL\tpminit.dll

c:\program files\Protector Suite QL\tpmkey.dll

- - - - - - - > 'lsass.exe'(424)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\Protector Suite QL\infql2.dll

c:\program files\Protector Suite QL\applaun.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\biokmd.dll

c:\program files\Protector Suite QL\bioset.dll

c:\program files\Protector Suite QL\capikey.dll

c:\program files\Protector Suite QL\crypto.dll

c:\program files\Protector Suite QL\devinsp.dll

c:\program files\Protector Suite QL\enrset.dll

c:\program files\Protector Suite QL\farchns.dll

c:\program files\Protector Suite QL\fdhome.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\infcore.dll

c:\program files\Protector Suite QL\lgnset.dll

c:\program files\Protector Suite QL\ms2fs.dll

c:\program files\Protector Suite QL\navset.dll

c:\program files\Protector Suite QL\ntrucore.dll

c:\program files\Protector Suite QL\otp.dll

c:\program files\Protector Suite QL\otprsa.dll

c:\windows\system32\WININET.dll

c:\program files\Protector Suite QL\psqltray.dll

c:\program files\Protector Suite QL\psuiteax.dll

c:\program files\Protector Suite QL\pwdbank.dll

c:\program files\Protector Suite QL\pwdkmd.dll

c:\program files\Protector Suite QL\qlbase.dll

c:\program files\Protector Suite QL\secuset.dll

c:\program files\Protector Suite QL\sndset.dll

c:\program files\Protector Suite QL\sysset.dll

c:\program files\Protector Suite QL\tbxset.dll

c:\program files\Protector Suite QL\tpminit.dll

c:\program files\Protector Suite QL\tpmkey.dll

- - - - - - - > 'explorer.exe'(1044)

c:\windows\system32\WININET.dll

c:\program files\Protector Suite QL\farchns.dll

c:\program files\Protector Suite QL\infql2.dll

c:\program files\Protector Suite QL\applaun.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\biokmd.dll

c:\program files\Protector Suite QL\bioset.dll

c:\program files\Protector Suite QL\capikey.dll

c:\program files\Protector Suite QL\crypto.dll

c:\program files\Protector Suite QL\devinsp.dll

c:\program files\Protector Suite QL\enrset.dll

c:\program files\Protector Suite QL\fdhome.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\infcore.dll

c:\program files\Protector Suite QL\lgnset.dll

c:\program files\Protector Suite QL\ms2fs.dll

c:\program files\Protector Suite QL\navset.dll

c:\program files\Protector Suite QL\ntrucore.dll

c:\program files\Protector Suite QL\otp.dll

c:\program files\Protector Suite QL\otprsa.dll

c:\program files\Protector Suite QL\psqltray.dll

c:\program files\Protector Suite QL\psuiteax.dll

c:\program files\Protector Suite QL\pwdbank.dll

c:\program files\Protector Suite QL\pwdkmd.dll

c:\program files\Protector Suite QL\qlbase.dll

c:\program files\Protector Suite QL\secuset.dll

c:\program files\Protector Suite QL\sndset.dll

c:\program files\Protector Suite QL\sysset.dll

c:\program files\Protector Suite QL\tbxset.dll

c:\program files\Protector Suite QL\tpminit.dll

c:\program files\Protector Suite QL\tpmkey.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2010-10-19 19:04:06

ComboFix-quarantined-files.txt 2010-10-19 23:04

ComboFix2.txt 2010-10-19 21:53

Pre-Run: 13,892,861,952 bytes free

Post-Run: 13,983,731,712 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 85E66EC02546CCAF9D2E62416CC75DCE

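An added example, not part of the thread and not ComboFix's own logic: a small Python script that reads a ComboFix-style log excerpt and flags the persistence entries a responder checks first. The log above shows psqlpwd.dll from Protector Suite QL registered both as a Winlogon Notify DLL and as an LSA Notification Package, and loaded in winlogon.exe and lsass.exe. That is expected for fingerprint-logon software, but an LSA Notification Package is also handed every password change in clear text, which is exactly why malware registers there, so a triage script should surface anything in those locations for a publisher check, and anything autostarting from a Temp folder as high priority. SAMPLE_LOG is constructed to mirror the format of the log above (the "Updater" entry pointing into a Temp folder is invented to exercise the rules); KNOWN_LSA_PACKAGES and the severity rules are this example's own assumptions.

```python
"""Flag the persistence entries in a ComboFix-style log that a responder checks first.

Added example, not ComboFix's own logic.  SAMPLE_LOG is constructed to mirror
the log format in the thread; the "Updater" entry pointing into a Temp folder
is invented to exercise the rules.  KNOWN_LSA_PACKAGES and the severity rules
are this example's assumptions.
"""
import re

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-07 133104]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-08-11 288048]
"Updater"="c:\documents and settings\user\Local Settings\Temp\qwxz\updater.exe" [2010-10-03 151552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-11-14 16:07 96008 ----a-w- c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [4/4/2010 3:42 PM 14424]
"""

SECTION_RE = re.compile(r'^\[([^\]]+)\]$')                          # [HKEY_...] key header
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[[^\]]*\])?$')     # "Name"="path" [date size]
DLL_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(.+\.dll)$', re.I)  # dated DLL line
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[[^\]]*\])?$')   # S3 name;display;path [..]
LSA_RE = re.compile(r'^Notification Packages\s+REG_MULTI_SZ\s+(.+)$', re.I)

# Assumption: scecli is the only Notification Package on a stock Windows XP install.
KNOWN_LSA_PACKAGES = {"scecli"}


def parse_entries(log_text):
    """Yield (section, kind, name, path) for every autostart-relevant line."""
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            yield section, "value", m.group(1), m.group(2)
            continue
        m = DLL_RE.match(line)
        if m:
            yield section, "dll", None, m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            yield section, "service", m.group(2), m.group(4).strip()
            continue
        m = LSA_RE.match(line)
        if m:
            for pkg in m.group(1).split():
                yield section, "lsa_package", pkg, pkg


def triage(log_text):
    """Return [(severity, detail)] findings; severities are 'high', 'low' and 'review'."""
    findings = []
    for section, kind, name, path in parse_entries(log_text):
        low = path.lower()
        if kind == "lsa_package":
            if low not in KNOWN_LSA_PACKAGES:
                findings.append(("review", f"LSA Notification Package {name}: loaded into lsass.exe "
                                           "and handed every password change in clear text; confirm the publisher"))
        elif kind == "dll" and section and "winlogon\\notify" in section:
            findings.append(("review", f"Winlogon Notify DLL {path}: runs inside winlogon.exe at logon; "
                                       "confirm the publisher"))
        elif kind in ("value", "service"):
            if "\\temp\\" in low:
                findings.append(("high", f"{name} autostarts from a Temp folder: {path}"))
            elif low.startswith("c:\\documents and settings\\"):
                findings.append(("low", f"{name} autostarts from a user-writable profile path: {path}"))
    return findings


if __name__ == "__main__":
    for severity, detail in triage(SAMPLE_LOG):
        print(f"[{severity}] {detail}")
```

Run it against a full ComboFix log by reading the file into triage(); the parser skips lines it does not recognise, so the DLL-per-process section and the boot.ini dump at the end are ignored. Entries under Program Files produce no finding, which is the point: the script narrows a long log to the handful of lines worth a manual look, it does not decide what is malicious.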

OK, I'll see what the PeerBlock people say. I guess my only remaining question is what this business with my missing TCP/IP and IPSEC drivers is all about? I seem to have all the .sys files except for the ipsec.sys file; is this something you're familiar with?


Let's see if it's on your system:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

:filefind
ipsec.sys

    Make sure the :filefind and the ipsec.sys are located all the way to the left border.

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC

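As an added illustration of the :filefind step above (this is not SystemLook and not part of MrC's instructions): a Python script that does the same search, walking a tree for every file with the given name and reporting path, size, modification time and MD5, and then checks the two places Windows XP keeps a kernel driver, system32\drivers for the live copy and system32\dllcache for the Windows File Protection cache that sfc /scannow draws on. A driver present only in dllcache means the live copy is gone but a restore source exists; a live copy whose hash differs from the cached one deserves a closer look. The demo tree is constructed under a temporary directory so the block runs on any OS; on the affected machine the calls would be find_file("C:/", "ipsec.sys") and driver_status("C:/WINDOWS", "ipsec.sys"). The report format is the example's own.

```python
"""Locate a driver file and compare it with the Windows File Protection cache.

Added example for the :filefind step in the thread; it is not SystemLook and
its report format is its own.  find_file() walks a tree for a file name;
driver_status() checks the two places Windows XP keeps a kernel driver,
system32/drivers (live copy) and system32/dllcache (WFP cache), and whether
their MD5 digests agree.  build_demo_tree() writes a throw-away stand-in for
the C: drive (constructed data) so the block runs anywhere; on the real
machine call find_file("C:/", "ipsec.sys") and driver_status("C:/WINDOWS", "ipsec.sys").
"""
import hashlib
import os
import tempfile
from datetime import datetime


def md5_of(path):
    """MD5 of a file, read in chunks; used only to match copies, not as a trust decision."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_file(root, filename):
    """Return (path, size, mtime, md5) for every file named `filename` under root, case-insensitively."""
    want = filename.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            if name.lower() != want:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                digest = md5_of(path)
            except OSError:  # locked or unreadable file: skip it, do not abort the walk
                continue
            mtime = datetime.fromtimestamp(st.st_mtime).strftime("%Y-%m-%d %H:%M")
            hits.append((path, st.st_size, mtime, digest))
    return hits


def driver_status(system_root, driver):
    """Presence of the live driver and its WFP cache copy, and whether the two match."""
    live = os.path.join(system_root, "system32", "drivers", driver)
    cache = os.path.join(system_root, "system32", "dllcache", driver)
    status = {"live": os.path.isfile(live), "dllcache": os.path.isfile(cache), "same_hash": None}
    if status["live"] and status["dllcache"]:
        status["same_hash"] = md5_of(live) == md5_of(cache)
    return status


def build_demo_tree():
    """Constructed stand-in for the C: drive: tcpip.sys in both places, ipsec.sys only in dllcache."""
    root = tempfile.mkdtemp(prefix="fakedrive_")
    system_root = os.path.join(root, "WINDOWS")
    files = {
        ("system32", "drivers", "tcpip.sys"): b"tcpip-driver-bytes",
        ("system32", "dllcache", "tcpip.sys"): b"tcpip-driver-bytes",
        ("system32", "dllcache", "ipsec.sys"): b"ipsec-driver-bytes",
    }
    for parts, content in files.items():
        path = os.path.join(system_root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root, system_root


def report(root, system_root, driver):
    """Plain-text summary: every hit, then the live/cache status of the driver."""
    lines = [f'Searching for "{driver}" under {root}']
    hits = find_file(root, driver)
    lines += [f"  {p}\t{size} bytes\t[{mtime}]\t{digest}" for p, size, mtime, digest in hits] or ["  no files found"]
    lines.append(f"  driver status: {driver_status(system_root, driver)}")
    return "\n".join(lines)


if __name__ == "__main__":
    demo_root, demo_sysroot = build_demo_tree()
    for drv in ("ipsec.sys", "tcpip.sys"):
        print(report(demo_root, demo_sysroot, drv))
```

On a real machine the walk needs administrator rights to see every directory, and a rootkit that hides files from the Win32 API will hide them from os.walk as well, so a clean "no files found" from this script is weaker evidence than the same result from a tool that reads the disk directly.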
