
Help! Rogue.Antivirus 2010 removal


airbag


I followed all the instructions I found here. Please help! I'm not sure if I attached the Attach and ARK zipped files correctly. My computer is really struggling.

http://forums.malwarebytes.org/index.php?showtopic=9573

DDS (Ver_10-10-10.03) - NTFSx86

Run by Charles at 16:31:39.54 on Fri 10/15/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.581 [GMT -7:00]

AV: ESET Smart Security 4.2 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Charles\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = http=127.0.0.1:6092

uInternet Settings,ProxyOverride = <local>

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://register3.valueactive.com/207/webolr/OCX/FlashAX.cab

DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: ActUtilSrv - {1D964A9A-A2A8-D836-3497-03C7BED39706} - No File

============= SERVICES / DRIVERS ===============

R1 atitray;atitray;c:\program files\radeon omega drivers\v3.8.360\ati tray tools\atitray.sys [2005-11-13 18088]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]

R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-8-12 810144]

S1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2010-7-18 95592]

S3 cpuz132;cpuz132;\??\c:\docume~1\charles\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\charles\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

=============== Created Last 30 ================

2010-10-14 23:40:22 -------- d-----w- C:\d7f197ba1704581e8f04e63a56abc241

2010-10-14 01:18:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!

2010-10-01 23:32:57 892928 ----a-w- c:\windows\system32\iconv.dll

2010-10-01 23:32:57 675840 ----a-w- c:\windows\system32\ac3filter.ax

2010-10-01 23:32:57 496640 ----a-w- c:\windows\system32\xvid.ax

2010-10-01 23:32:53 -------- d-----w- c:\program files\Aimersoft

2010-10-01 04:54:39 87280 ----a-w- c:\windows\system32\wsatrace.dll

==================== Find3M ====================

2010-10-14 04:27:29 0 ----a-w- c:\documents and settings\charles\ntuser.tmp

2010-09-06 00:33:41 0 ----a-w- c:\windows\Fbocofokey.bin

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-04 08:59:12 53248 ----a-w- c:\windows\system32\aticalrt.dll

2010-08-04 08:59:02 53248 ----a-w- c:\windows\system32\aticalcl.dll

2010-08-04 08:57:42 4358144 ----a-w- c:\windows\system32\aticaldd.dll

2010-08-04 08:53:24 15900672 ----a-w- c:\windows\system32\atioglxx.dll

2010-08-04 08:47:50 311296 ----a-w- c:\windows\system32\atiiiexx.dll

2010-08-04 08:47:02 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll

2010-08-04 08:46:06 300544 ----a-w- c:\windows\system32\ati2dvag.dll

2010-08-04 08:41:42 3901280 ----a-w- c:\windows\system32\ati3duag.dll

2010-08-04 08:31:18 208896 ----a-w- c:\windows\system32\atipdlxx.dll

2010-08-04 08:31:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll

2010-08-04 08:30:58 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

2010-08-04 08:30:52 43520 ----a-w- c:\windows\system32\ati2edxx.dll

2010-08-04 08:30:40 159744 ----a-w- c:\windows\system32\ati2evxx.dll

2010-08-04 08:29:28 606208 ----a-w- c:\windows\system32\ati2evxx.exe

2010-08-04 08:28:14 53248 ----a-w- c:\windows\system32\ATIDDC.DLL

2010-08-04 08:28:08 2537728 ----a-w- c:\windows\system32\ativvaxx.dll

2010-08-04 08:27:22 143360 ----a-w- c:\windows\system32\atiapfxx.exe

2010-08-04 08:24:06 610304 ----a-w- c:\windows\system32\atikvmag.dll

2010-08-04 08:23:54 393216 ----a-w- c:\windows\system32\atiok3x2.dll

2010-08-04 08:22:30 188416 ----a-w- c:\windows\system32\atiadlxx.dll

2010-08-04 08:22:10 17408 ----a-w- c:\windows\system32\atitvo32.dll

2010-08-04 08:16:52 700416 ----a-w- c:\windows\system32\ati2cqag.dll

2010-08-04 08:15:22 65024 ----a-w- c:\windows\system32\atimpc32.dll

2010-08-04 08:15:22 65024 ----a-w- c:\windows\system32\amdpcom32.dll

2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 16:33:51.68 ===============

ark.txt

Attach.txt

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4590

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 7.0.5730.13

10/15/2010 4:21:57 PM

mbam-log-2010-10-15 (16-21-57).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 334568

Time elapsed: 2 hour(s), 44 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010) -> Quarantined and deleted successfully.

Thanks!!!

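Two entries in the post above carry most of the signal: the DDS line `uInternet Settings,ProxyServer = http=127.0.0.1:6092` (a proxy on the loopback interface means some resident process on the machine sees every browser request, which users almost never configure by hand and rogue AV families set routinely), and the MBAM hit on `C:\WINDOWS\system32\us?rinit.exe`, where the `?` is presumably a character the log could not print and the name imitates the legitimate userinit.exe in the same directory. The script below is an added example, not part of the thread and not code from DDS, Malwarebytes or ESET; it runs over constructed log lines modelled on the ones above and flags both indicators. The list of imitated Windows binaries and all function names are this example's own assumptions.

```python
"""Triage two indicators from DDS and MBAM logs: a proxy that points at the
local machine, and a system32 file whose name imitates a Windows binary.

Added example: not part of the forum thread and not code from DDS,
Malwarebytes or ESET. Sample lines are constructed to mirror the thread's
logs; the list of imitated names and the function names are assumptions."""
import re

# Constructed sample, modelled on the DDS 'Pseudo HJT Report' in the thread.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
mRun: [sigmatelSysTrayApp] stsystra.exe
"""

# Constructed sample of the MBAM hit. The '?' stands for a character the
# log could not print; the real userinit.exe lives in the same directory.
SAMPLE_MBAM_HIT = (r"C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010)"
                   " -> Quarantined and deleted successfully.")

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Windows binaries that droppers commonly imitate (assumed list, extend as needed).
WINDOWS_NAMES = {"userinit.exe", "winlogon.exe", "explorer.exe",
                 "svchost.exe", "lsass.exe", "csrss.exe"}


def find_loopback_proxy(report: str):
    """Return (scheme, host, port) for a ProxyServer value that points at
    the local machine, else None. A loopback proxy means some resident
    process on the box sees every browser request."""
    for line in report.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        # Value forms: '127.0.0.1:6092', 'http=127.0.0.1:6092', or several
        # scheme=host:port pairs separated by ';'.
        for entry in m.group("value").split(";"):
            scheme, _, hostport = entry.rpartition("=")
            host, sep, port = hostport.rpartition(":")
            if not sep:                      # no port given
                host, port = hostport, ""
            if host.strip("[]").lower() in LOOPBACK_HOSTS:
                return (scheme or "*", host, int(port) if port.isdigit() else None)
    return None


def lookalike_of(filename: str, known=WINDOWS_NAMES):
    """Return the Windows binary name that `filename` imitates, or None.
    A hit is a known name of the same length differing in exactly one
    character, where that character is non-ASCII or the '?' placeholder
    that log tools print for one. Plain ASCII typos are not flagged."""
    name = filename.lower()
    for real in known:
        if len(name) != len(real) or name == real:
            continue
        diffs = [a for a, b in zip(name, real) if a != b]
        if len(diffs) == 1 and (diffs[0] == "?" or ord(diffs[0]) > 127):
            return real
    return None


def triage(dds_report: str, mbam_hit: str):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    proxy = find_loopback_proxy(dds_report)
    if proxy:
        findings.append(f"loopback proxy {proxy[1]}:{proxy[2]} set in Internet Settings")
    path = mbam_hit.split(" (", 1)[0]           # strip the '(Family) -> action' tail
    directory, _, basename = path.rpartition("\\")
    real = lookalike_of(basename)
    if real:
        findings.append(f"{basename} in {directory} imitates {real}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS, SAMPLE_MBAM_HIT):
        print("FINDING:", finding)
```

The lookalike check deliberately ignores one-character ASCII differences, so a genuine typo in a third-party tool name does not page anyone; only a non-printable or non-ASCII substitution next to a well-known system binary is reported.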


Please don't attach the scan results; use copy/paste.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With admin rights (right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Next:

Please read carefully and follow these steps.

  • Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
  • Only if Malicious objects are found then ensure Cure is selected
  • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
  • A copy of the log will be saved automatically to the root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.


Thanks LDTate, here is the TDSSKiller log from the scan. I appreciate the help!

2010/10/16 14:39:47.0609 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59

2010/10/16 14:39:47.0609 ================================================================================

2010/10/16 14:39:47.0609 SystemInfo:

2010/10/16 14:39:47.0609

2010/10/16 14:39:47.0609 OS Version: 5.1.2600 ServicePack: 3.0

2010/10/16 14:39:47.0609 Product type: Workstation

2010/10/16 14:39:47.0609 ComputerName: D9RW0QB1

2010/10/16 14:39:47.0609 UserName: Charles

2010/10/16 14:39:47.0609 Windows directory: C:\WINDOWS

2010/10/16 14:39:47.0609 System windows directory: C:\WINDOWS

2010/10/16 14:39:47.0609 Processor architecture: Intel x86

2010/10/16 14:39:47.0609 Number of processors: 2

2010/10/16 14:39:47.0609 Page size: 0x1000

2010/10/16 14:39:47.0609 Boot type: Normal boot

2010/10/16 14:39:47.0609 ================================================================================

2010/10/16 14:39:47.0921 Initialize success

2010/10/16 14:39:52.0843 ================================================================================

2010/10/16 14:39:52.0843 Scan started

2010/10/16 14:39:52.0843 Mode: Manual;

2010/10/16 14:39:52.0843 ================================================================================

2010/10/16 14:39:54.0156 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2010/10/16 14:39:54.0203 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/10/16 14:39:54.0265 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/10/16 14:39:54.0312 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2010/10/16 14:39:54.0359 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/10/16 14:39:54.0437 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/10/16 14:39:54.0484 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/10/16 14:39:54.0500 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2010/10/16 14:39:54.0546 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2010/10/16 14:39:54.0593 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2010/10/16 14:39:54.0625 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2010/10/16 14:39:54.0656 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2010/10/16 14:39:54.0703 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2010/10/16 14:39:54.0859 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2010/10/16 14:39:54.0953 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2010/10/16 14:39:54.0984 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2010/10/16 14:39:55.0015 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2010/10/16 14:39:55.0046 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2010/10/16 14:39:55.0109 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/10/16 14:39:55.0140 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/10/16 14:39:55.0359 ati2mtag (e7426973d081b6607056d1dd91bd9b01) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2010/10/16 14:39:55.0515 atitray (f46afb51f1a1cb8c7ecd85533ca839fe) C:\Program Files\Radeon Omega Drivers\v3.8.360\ATI Tray Tools\atitray.sys

2010/10/16 14:39:55.0578 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/10/16 14:39:55.0609 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/10/16 14:39:55.0640 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/10/16 14:39:55.0687 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2010/10/16 14:39:55.0703 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/10/16 14:39:55.0750 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2010/10/16 14:39:55.0765 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/10/16 14:39:55.0796 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/10/16 14:39:55.0828 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/10/16 14:39:55.0921 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2010/10/16 14:39:55.0984 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2010/10/16 14:39:56.0312 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2010/10/16 14:39:56.0390 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2010/10/16 14:39:56.0437 Disk (b8c4af2a0637871b6aade81357bd3a93) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/10/16 14:39:56.0437 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\disk.sys. Real md5: b8c4af2a0637871b6aade81357bd3a93, Fake md5: 2b122cace382382ac2a73304bc064719

2010/10/16 14:39:56.0437 Disk - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/10/16 14:39:56.0500 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/10/16 14:39:56.0578 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/10/16 14:39:56.0609 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/10/16 14:39:56.0656 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/10/16 14:39:56.0687 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2010/10/16 14:39:56.0734 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/10/16 14:39:56.0781 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys

2010/10/16 14:39:56.0828 eamon (1ceb779239965000b8f6adee17d4515b) C:\WINDOWS\system32\DRIVERS\eamon.sys

2010/10/16 14:39:56.0921 ehdrv (7d300a43a7bd8769e0f901bf9e1ae367) C:\WINDOWS\system32\DRIVERS\ehdrv.sys

2010/10/16 14:39:56.0984 epfw (15bfe00f030ea20955117bb0677e9668) C:\WINDOWS\system32\DRIVERS\epfw.sys

2010/10/16 14:39:57.0093 Epfwndis (52310e0e603d7da79ecca7d764937a91) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys

2010/10/16 14:39:57.0171 epfwtdi (bdde7dd8fcdb1de7e879bb320b0605c0) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys

2010/10/16 14:39:57.0265 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/10/16 14:39:57.0328 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/10/16 14:39:57.0359 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/10/16 14:39:57.0421 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/10/16 14:39:57.0453 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/10/16 14:39:57.0515 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/10/16 14:39:57.0531 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/10/16 14:39:57.0562 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/10/16 14:39:57.0578 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/10/16 14:39:57.0625 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/10/16 14:39:57.0671 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2010/10/16 14:39:57.0734 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/10/16 14:39:57.0812 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

2010/10/16 14:39:57.0859 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2010/10/16 14:39:57.0906 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/10/16 14:39:58.0000 ialm (5a8e05f1d5c36abd58cffa111eb325ea) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2010/10/16 14:39:58.0109 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/10/16 14:39:58.0156 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2010/10/16 14:39:58.0203 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/10/16 14:39:58.0234 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/10/16 14:39:58.0281 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/10/16 14:39:58.0406 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/10/16 14:39:58.0484 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/10/16 14:39:58.0562 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/10/16 14:39:58.0625 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/10/16 14:39:58.0687 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/10/16 14:39:58.0734 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/10/16 14:39:58.0796 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/10/16 14:39:58.0859 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/10/16 14:39:58.0890 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/10/16 14:39:58.0921 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/10/16 14:39:59.0031 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys

2010/10/16 14:39:59.0078 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/10/16 14:39:59.0109 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/10/16 14:39:59.0156 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/10/16 14:39:59.0203 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/10/16 14:39:59.0234 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/10/16 14:39:59.0281 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2010/10/16 14:39:59.0343 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/10/16 14:39:59.0375 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/10/16 14:39:59.0484 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/10/16 14:39:59.0562 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/10/16 14:39:59.0609 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/10/16 14:39:59.0656 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/10/16 14:39:59.0687 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/10/16 14:39:59.0703 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/10/16 14:39:59.0765 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/10/16 14:39:59.0796 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/10/16 14:39:59.0843 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/10/16 14:39:59.0875 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/10/16 14:39:59.0921 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/10/16 14:39:59.0968 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/10/16 14:40:00.0015 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/10/16 14:40:00.0125 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/10/16 14:40:00.0171 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/10/16 14:40:00.0218 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/10/16 14:40:00.0312 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/10/16 14:40:00.0437 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/10/16 14:40:00.0468 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/10/16 14:40:00.0500 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/10/16 14:40:00.0625 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/10/16 14:40:00.0703 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/10/16 14:40:00.0734 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/10/16 14:40:00.0765 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/10/16 14:40:00.0812 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/10/16 14:40:00.0906 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2010/10/16 14:40:00.0937 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2010/10/16 14:40:01.0015 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/10/16 14:40:01.0078 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/10/16 14:40:01.0109 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/10/16 14:40:01.0140 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/10/16 14:40:01.0187 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2010/10/16 14:40:01.0218 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2010/10/16 14:40:01.0250 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2010/10/16 14:40:01.0281 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2010/10/16 14:40:01.0296 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2010/10/16 14:40:01.0328 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/10/16 14:40:01.0359 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/10/16 14:40:01.0375 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/10/16 14:40:01.0390 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/10/16 14:40:01.0453 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/10/16 14:40:01.0515 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/10/16 14:40:01.0578 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/10/16 14:40:01.0687 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/10/16 14:40:01.0781 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/10/16 14:40:01.0875 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/10/16 14:40:01.0953 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/10/16 14:40:02.0000 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/10/16 14:40:02.0062 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/10/16 14:40:02.0140 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2010/10/16 14:40:02.0187 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2010/10/16 14:40:02.0250 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/10/16 14:40:02.0312 sptd (1a606a8d611816adc47d2b25dbedcb1f) C:\WINDOWS\System32\Drivers\sptd.sys

2010/10/16 14:40:02.0421 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\System32\DRIVERS\sr.sys

2010/10/16 14:40:02.0484 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/10/16 14:40:02.0578 StarPortLite (61b8922afc74f1ebb31e34f43320d2cc) C:\WINDOWS\system32\DRIVERS\StarPortLite.sys

2010/10/16 14:40:02.0656 STHDA (0aa91bbe468b3f46072091f18003ecaa) C:\WINDOWS\system32\drivers\sthda.sys

2010/10/16 14:40:02.0828 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/10/16 14:40:02.0937 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/10/16 14:40:03.0031 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2010/10/16 14:40:03.0171 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2010/10/16 14:40:03.0375 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2010/10/16 14:40:03.0515 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2010/10/16 14:40:03.0625 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/10/16 14:40:03.0937 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/10/16 14:40:04.0062 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/10/16 14:40:04.0250 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/10/16 14:40:04.0390 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/10/16 14:40:04.0609 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2010/10/16 14:40:04.0734 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/10/16 14:40:04.0796 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2010/10/16 14:40:04.0890 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/10/16 14:40:05.0140 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/10/16 14:40:05.0265 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/10/16 14:40:05.0359 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/10/16 14:40:05.0421 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/10/16 14:40:05.0500 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/10/16 14:40:05.0593 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/10/16 14:40:05.0734 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2010/10/16 14:40:05.0796 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/10/16 14:40:05.0875 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/10/16 14:40:06.0000 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/10/16 14:40:06.0187 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys

2010/10/16 14:40:06.0437 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/10/16 14:40:06.0609 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys

2010/10/16 14:40:06.0890 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/10/16 14:40:06.0968 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/10/16 14:40:07.0093 zumbus (6bfb54f73aae470e9299e66cbc7bb632) C:\WINDOWS\system32\DRIVERS\zumbus.sys

2010/10/16 14:40:07.0171 ================================================================================

2010/10/16 14:40:07.0171 Scan finished

2010/10/16 14:40:07.0171 ================================================================================

2010/10/16 14:40:07.0187 Detected object count: 1

2010/10/16 14:40:27.0281 Disk (b8c4af2a0637871b6aade81357bd3a93) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/10/16 14:40:27.0281 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\disk.sys. Real md5: b8c4af2a0637871b6aade81357bd3a93, Fake md5: 2b122cace382382ac2a73304bc064719

2010/10/16 14:40:29.0796 Backup copy found, using it..

2010/10/16 14:40:29.0843 C:\WINDOWS\system32\DRIVERS\disk.sys - will be cured after reboot

2010/10/16 14:40:29.0843 Rootkit.Win32.TDSS.tdl3(Disk) - User select action: Cure

2010/10/16 14:40:36.0656 Deinitialize success

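The line that matters in the log above is `Suspicious file (Forged)` on disk.sys: TDSSKiller obtained two different MD5s for the same driver depending on how it read it, which means something between the file system and the disk is rewriting the image on the fly, and that is how a TDL3 infection of a driver shows up from user mode. The parser below is an added example, not code from the thread or from Kaspersky's TDSSKiller; it runs over a constructed excerpt built from the lines above, pulls out the forged driver, both hashes, the detection name and the action the user chose, and cross-checks that a cure was actually scheduled before the reboot. The regexes are fitted to the 2.4.4.0 log format shown here and, like the function names, are this example's own assumptions.

```python
"""Parse a TDSSKiller log for forged drivers and check what was done about them.

Added example: not part of the forum thread and not code from Kaspersky's
TDSSKiller. The excerpt is constructed from the lines in the thread (same
driver, same hashes); the regexes are fitted to the 2.4.4.0 log format
shown there, and the function names are this example's own."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the TDSSKiller log posted above.
SAMPLE_LOG = """\
2010/10/16 14:39:56.0437 Disk (b8c4af2a0637871b6aade81357bd3a93) C:\\WINDOWS\\system32\\DRIVERS\\disk.sys
2010/10/16 14:39:56.0437 Suspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\disk.sys. Real md5: b8c4af2a0637871b6aade81357bd3a93, Fake md5: 2b122cace382382ac2a73304bc064719
2010/10/16 14:39:56.0437 Disk - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/10/16 14:39:56.0500 dmboot (d992fe1274bde0f84ad826acae022a41) C:\\WINDOWS\\system32\\drivers\\dmboot.sys
2010/10/16 14:40:07.0187 Detected object count: 1
2010/10/16 14:40:29.0843 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - will be cured after reboot
2010/10/16 14:40:29.0843 Rootkit.Win32.TDSS.tdl3(Disk) - User select action: Cure
"""

TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
DRIVER_RE = re.compile(TS + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>\S.*)$")
FORGED_RE = re.compile(TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})")
DETECT_RE = re.compile(TS + r"(?P<name>\S+) - detected (?P<family>\S+)")
CURE_RE = re.compile(TS + r"(?P<path>.+?) - will be cured after reboot")
ACTION_RE = re.compile(TS + r"(?P<family>\S+)\((?P<name>\S+)\) - User select action: (?P<action>\S+)")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)")


@dataclass
class Forged:
    path: str
    name: str = ""          # service name TDSSKiller uses in later lines
    real_md5: str = ""      # the hash the tool labels 'Real'
    fake_md5: str = ""      # the hash the tool labels 'Fake'
    family: str = ""
    action: str = ""
    cure_scheduled: bool = False


def parse_tdsskiller(log: str):
    """Return (forged_by_path, declared_count).

    A 'Forged' line means the tool got two different hashes for one file
    depending on how it read it. Detection and action lines refer to the
    service name, cure lines to the path, so the enumeration lines are used
    to map one to the other."""
    forged, name_to_path, declared = {}, {}, None
    for line in log.splitlines():
        if m := DRIVER_RE.match(line):
            name_to_path[m["name"]] = m["path"]
        elif m := FORGED_RE.match(line):
            f = forged.setdefault(m["path"], Forged(path=m["path"]))
            f.real_md5, f.fake_md5 = m["real"], m["fake"]
        elif m := DETECT_RE.match(line):
            path = name_to_path.get(m["name"])
            if path in forged:
                forged[path].name, forged[path].family = m["name"], m["family"]
        elif m := CURE_RE.match(line):
            if m["path"] in forged:
                forged[m["path"]].cure_scheduled = True
        elif m := ACTION_RE.match(line):
            path = name_to_path.get(m["name"])
            if path in forged:
                forged[path].action = m["action"]
        elif m := COUNT_RE.match(line):
            declared = int(m["n"])
    return forged, declared


def review(forged, declared):
    """Cross-check the parsed log: every forged file should carry a
    detection name, a 'Cure' action and a scheduled cure, and the tool's
    own object count should match. Returns a list of problems (empty = clean)."""
    problems = []
    if declared is not None and declared != len(forged):
        problems.append(f"tool reported {declared} objects, log shows {len(forged)} forged files")
    for path, f in forged.items():
        if f.real_md5 == f.fake_md5:
            problems.append(f"{path}: both hashes agree, not actually forged")
        if not f.family:
            problems.append(f"{path}: forged but no detection line")
        if f.action != "Cure" or not f.cure_scheduled:
            problems.append(f"{path}: no cure scheduled (action={f.action or 'none'})")
    return problems


if __name__ == "__main__":
    found, count = parse_tdsskiller(SAMPLE_LOG)
    for f in found.values():
        print(f"{f.name} {f.path}: real={f.real_md5} fake={f.fake_md5} -> {f.family}, {f.action}")
    print("problems:", review(found, count) or "none")
```

The `review` step is the part worth keeping around: a helper reading dozens of these logs wants to know at a glance whether the poster actually selected Cure and whether the reboot step was reached, not just that a forged driver was listed.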

Here are the results from ComboFix, Tate... I followed all steps in your last post. My computer is running better. I also have an IE shortcut on my desktop that wasn't there before I ran ATF_Cleaner and ComboFix.

ComboFix 10-10-16.03 - Charles 10/16/2010 16:03:20.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.611 [GMT -7:00]

Running from: c:\documents and settings\Charles\Desktop\ComboFix.exe

AV: ESET Smart Security 4.2 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\.wtav

c:\documents and settings\Charles\.COMMgr

c:\documents and settings\Charles\Application Data\31F14BC6FFA9AF5D95476B4A0B964DFB

c:\documents and settings\Charles\Application Data\31F14BC6FFA9AF5D95476B4A0B964DFB\enemies-names.txt

c:\documents and settings\Charles\Application Data\31F14BC6FFA9AF5D95476B4A0B964DFB\local.ini

c:\documents and settings\Charles\Application Data\31F14BC6FFA9AF5D95476B4A0B964DFB\lsrslt.ini

c:\documents and settings\Charles\Local Settings\Application Data\{00F6F118-FFB9-4FA6-89A0-F063B731E4F7}

c:\documents and settings\Charles\Local Settings\Application Data\{00F6F118-FFB9-4FA6-89A0-F063B731E4F7}\chrome.manifest

c:\documents and settings\Charles\Local Settings\Application Data\{00F6F118-FFB9-4FA6-89A0-F063B731E4F7}\chrome\content\_cfg.js

c:\documents and settings\Charles\Local Settings\Application Data\{00F6F118-FFB9-4FA6-89A0-F063B731E4F7}\chrome\content\overlay.xul

c:\documents and settings\Charles\Local Settings\Application Data\{00F6F118-FFB9-4FA6-89A0-F063B731E4F7}\install.rdf

c:\documents and settings\Charles\Local Settings\Application Data\Windows Server

c:\documents and settings\Charles\Local Settings\Application Data\Windows Server\server.dat

c:\documents and settings\DECCHECK\EULA.txt

C:\install.exe

C:\Thumbs.db

c:\windows\system32\_000003_.tmp.dll

c:\windows\system32\_000005_.tmp.dll

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\_003622_.tmp.dll

c:\windows\system32\_006138_.tmp.dll

c:\windows\system32\temp#01.exe

c:\windows\system32\USRINI~1.EXE

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_USERINIT

((((((((((((((((((((((((( Files Created from 2010-09-16 to 2010-10-16 )))))))))))))))))))))))))))))))

.

2010-10-14 23:40 . 2010-10-14 23:40 -------- d-----w- C:\d7f197ba1704581e8f04e63a56abc241

2010-10-14 01:18 . 2010-10-14 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2010-10-01 23:32 . 2010-09-19 17:59 892928 ----a-w- c:\windows\system32\iconv.dll

2010-10-01 23:32 . 2010-09-19 17:59 496640 ----a-w- c:\windows\system32\xvid.ax

2010-10-01 23:32 . 2010-09-19 17:59 675840 ----a-w- c:\windows\system32\ac3filter.ax

2010-10-01 23:32 . 2010-10-13 23:33 -------- d-----w- c:\program files\Aimersoft

2010-10-01 04:54 . 2003-06-17 21:54 87280 ----a-w- c:\windows\system32\wsatrace.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk

backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Charles^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Charles\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-08-26 00:17 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-01-11 23:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]

2010-01-07 22:38 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AOL ACS"=2 (0x2)

"MDM"=2 (0x2)

"McSysmon"=2 (0x2)

"McShield"=2 (0x2)

"McRedirector"=2 (0x2)

"mcpromgr"=2 (0x2)

"McODS"=2 (0x2)

"McNASvc"=2 (0x2)

"mcmscsvc"=2 (0x2)

"McAfee HackerWatch Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Steam\\steamapps\\generalgeewhiz\\team fortress 2\\hl2.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Pidgin\\pidgin.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2 demo\\left4dead2.exe"=

"c:\\Program Files\\StarCraft II Beta\\StarCraft II.exe"=

"c:\\Program Files\\StarCraft II Beta\\Support\\BlizzardDownloader.exe"=

"c:\\Program Files\\Steam\\steamapps\\generalgeewhiz\\counter-strike\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\generalgeewhiz\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v3.8.360\ATI Tray Tools\atitray.sys [11/13/2005 3:43 PM 18088]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]

R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [8/12/2010 2:16 PM 810144]

S1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [7/18/2010 8:43 PM 95592]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/18/2010 8:44 PM 721904]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = http=127.0.0.1:6092

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

SSODL-ActUtilSrv-{1D964A9A-A2A8-D836-3497-03C7BED39706} - (no file)

SafeBoot-klmdb.sys

SafeBoot-WudfPf

SafeBoot-WudfRd

MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe

MSConfigStartUp-HNUfoHTgcTZc - c:\docume~1\Charles\LOCALS~1\Temp\n639jwb4ck.exe

MSConfigStartUp-HNUfoHTgtgc - c:\docume~1\Charles\LOCALS~1\Temp\sxh0su.exe

MSConfigStartUp-HNUfoHTgXhmc - c:\docume~1\Charles\LOCALS~1\Temp\a0is1x6ysx.exe

MSConfigStartUp-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

MSConfigStartUp-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe

MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe

MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

MSConfigStartUp-Ryixagup - c:\windows\odbdptam.dll

MSConfigStartUp-webcomset - c:\windows\system32\hulwnkjm.exe

AddRemove-XPv3.8.360 - c:\windows\Radeon Omega Drivers v3.8.360

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(1584)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\windows\system32\ZuneBusEnum.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\stsystra.exe

.

**************************************************************************

.

Completion time: 2010-10-16 16:19:21 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-16 23:19

Pre-Run: 76,658,515,968 bytes free

Post-Run: 76,584,185,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=2 Default=2 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6

- - End Of File - - 6C234B8E72839A07D786427B63B81EA3


AV: ESET Smart Security 4.2 *On-access scanning disabled* (Outdated)

Be sure to update your ESET Smart Security

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

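The Internet-zone hardening the post walks through in the IE GUI, expressed as a PowerShell audit-and-apply script (an added example, not code from the post or from Malwarebytes). It assumes the documented per-zone registry layout under Internet Settings\Zones\3 and the standard URL-action IDs for these six settings; the function names are my own.

```powershell
# Added example: audit (and optionally apply) the Internet-zone settings the
# post sets by hand, using the per-zone registry values IE reads.
# Zone 3 = Internet zone. Per-action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action IDs are the documented URL-action values; Target mirrors steps 5-10 of the post.
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Target = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Target = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Target = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Target = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Target = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Target = 1 }
)

$Level = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeZoneAudit {
    # One object per setting. Weak is $true when the current value is more
    # permissive (numerically lower) than the recommended level. A value that
    # is not set falls back to IE's zone template default, so it is reported
    # as "(not set)" rather than judged.
    foreach ($s in $Recommended) {
        $cur = (Get-ItemProperty -Path $ZonePath -Name $s.Id -ErrorAction SilentlyContinue).($s.Id)
        $curText = if ($null -eq $cur) { '(not set)' } else { $Level[[int]$cur] }
        [pscustomobject]@{
            Id      = $s.Id
            Setting = $s.Name
            Current = $curText
            Target  = $Level[$s.Target]
            Weak    = ($null -ne $cur) -and ([int]$cur -lt $s.Target)
        }
    }
}

function Set-IeZoneHardening {
    # Writes the recommended levels for the current user; IE picks them up on
    # its next start. Run the audit again afterwards to confirm no row is Weak.
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    foreach ($s in $Recommended) {
        Set-ItemProperty -Path $ZonePath -Name $s.Id -Value $s.Target -Type DWord
    }
}

Get-IeZoneAudit | Format-Table -AutoSize
# To apply the hardening, run: Set-IeZoneHardening
```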

Ty Tate! It seems everything is running great. I re-installed my drivers after following all instructions. I also purchased the full version of your guys' Malwarebytes since you guys provide such a great service. ESET wouldn't update and their customer service was rude. So I would rather support you guys than ESET. :lol: Thanks again!

airbag.


MalwareBytes isn't an anti-virus program, it's an anti-malware program, so you need an anti-virus program to go along with it.

Only run one Anti-Virus program at a time.

Use AntiVirus Software - Choose only one; more than one will conflict. It is very important that your computer has anti-virus software running to protect against viruses. Update your Antivirus prior to manual scans as necessary. Please only choose one; having more than one can cause problems, such as crashes and slowing your computer down.


Ty again, Tate, hah. I downloaded Microsoft Security Essentials. Running great.
