
Can't run HJT, MBAM or GMER... help!



Hi,

I went through the steps of "I'm infected - What do I do now?".

MBAM closes after a few seconds

DeFogger ran, said it was finished, but never prompted me to restart

DDS ran and gave me the two reports

GMER closed after I clicked on the scan button, and when I tried to run it again I got an error - "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the file."

Here is the DeFogger disable log just in case, as well as the DDS log. And I've attached the Attach log from DDS.

Thanks for the help!!!!

-Sean

DeFogger Log

--------------------------------

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 13:46 on 19/10/2010 (Tom)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

SPTD -> Already disabled

-=E.O.F=-

---------------------------------

DDS Log

--------------------------------

DDS (Ver_10-10-10.03) - NTFSx86

Run by Tom at 14:01:28.03 on Tue 10/19/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.128 [GMT -7:00]

AV: avast! antivirus 4.8.1229 [VPS 080930-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

"C:\WINDOWS\system32\svchost.exe"

C:\WINDOWS\System32\alg.exe

"\\.\globalroot\Device\svchost.exe\svchost.exe"

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\login.exe

C:\WINDOWS\wininst.exe

C:\WINDOWS\win16.exe

C:\WINDOWS\mdm.exe

C:\WINDOWS\system.exe

C:\WINDOWS\sysedit.exe

C:\WINDOWS\user.exe

C:\WINDOWS\setup.exe

C:\WINDOWS\hexdump.exe

C:\WINDOWS\iexplarer.exe

C:\WINDOWS\win.exe

C:\WINDOWS\nvsvc32.exe

C:\WINDOWS\spoolsv.exe

C:\WINDOWS\taskmgr.exe

C:\WINDOWS\avp32.exe

C:\WINDOWS\drweb.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\login.exe

C:\WINDOWS\wininst.exe

C:\WINDOWS\win16.exe

C:\WINDOWS\mdm.exe

C:\WINDOWS\system.exe

C:\WINDOWS\sysedit.exe

C:\WINDOWS\user.exe

C:\WINDOWS\setup.exe

C:\WINDOWS\hexdump.exe

C:\WINDOWS\iexplarer.exe

C:\WINDOWS\win.exe

C:\WINDOWS\nvsvc32.exe

C:\WINDOWS\spoolsv.exe

C:\WINDOWS\taskmgr.exe

C:\WINDOWS\avp32.exe

C:\WINDOWS\drweb.exe

C:\Program Files\WhiskeyMilitia\Desktop Alert\WM-Desktop-Alert.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>

BHO: c:\windows\system32\pwvrpzgte.dll: {d6ba40a1-a502-59bd-f413-04b03a2c8953} - c:\windows\system32\pwvrpzgte.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Delicious Toolbar: {61d1c847-df80-423a-8c6d-dc03b97e6ebe} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll

EB: Delicious Sidebar: {9d19c405-ba93-461b-871f-97992cc45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\tom\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [HNUjHTgph] c:\docume~1\tom\locals~1\temp\setup.exe

uRun: [MKcrc] c:\windows\login.exe

uRun: [MKfre] c:\windows\wininst.exe

uRun: [MKfPc] c:\windows\win16.exe

uRun: [MKayc] c:\windows\csrss.exe

uRun: [MKeg] c:\windows\smss.exe

uRun: [HNUjHTgruf] c:\docume~1\tom\locals~1\temp\wininst.exe

uRun: [MKcZ] c:\windows\mdm.exe

uRun: [HNUjHTgre] c:\docume~1\tom\locals~1\temp\smss.exe

uRun: [HNUjHTgoe] c:\docume~1\tom\locals~1\temp\avp.exe

uRun: [MKexe] c:\windows\system.exe

uRun: [HNUjHTgrvg] c:\docume~1\tom\locals~1\temp\spoolsv.exe

uRun: [HNUjHTgrsc] c:\docume~1\tom\locals~1\temp\winlogon.exe

uRun: [HNUjHTgrA] c:\docume~1\tom\locals~1\temp\win16.exe

uRun: [MKaZ] c:\windows\cmd.exe

uRun: [MKetc] c:\windows\sysedit.exe

uRun: [MKee] c:\windows\user.exe

uRun: [MKeta] c:\windows\services.exe

uRun: [HNUjHTgta] c:\docume~1\tom\locals~1\temp\user.exe

uRun: [MKevc] c:\windows\setup.exe

uRun: [MKbtc] c:\windows\hexdump.exe

uRun: [MKbuqc] c:\windows\iexplarer.exe

uRun: [HNUjHTgne] c:\docume~1\tom\locals~1\temp\mdm.exe

uRun: [HNUjHTglb] c:\docume~1\tom\locals~1\temp\debug.exe

uRun: [HNUjHTgmve] c:\docume~1\tom\locals~1\temp\hexdump.exe

uRun: [MKfa] c:\windows\win.exe

uRun: [MKfsc] c:\windows\winlogon.exe

uRun: [HNUjHTgrrc] c:\docume~1\tom\locals~1\temp\winamp.exe

uRun: [HNUjHTgpb] c:\docume~1\tom\locals~1\temp\login.exe

uRun: [MKdw+] c:\windows\nvsvc32.exe

uRun: [HNUjHTgoh] c:\docume~1\tom\locals~1\temp\csrss.exe

uRun: [MKeuf] c:\windows\spoolsv.exe

uRun: [HNUjHTgob] c:\docume~1\tom\locals~1\temp\drweb.exe

uRun: [HNUjHTgsfP] c:\docume~1\tom\locals~1\temp\nvsvc32.exe

uRun: [MKerb] c:\windows\taskmgr.exe

uRun: [MKZSc] c:\windows\avp32.exe

uRun: [MKese] c:\windows\svchost.exe

uRun: [MKasc] c:\windows\drweb.exe

uRun: [HNUjHTgotd] c:\docume~1\tom\locals~1\temp\install.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [HNUjHTgph] c:\docume~1\tom\locals~1\temp\setup.exe

mRun: [MKcrc] c:\windows\login.exe

mRun: [MKfre] c:\windows\wininst.exe

mRun: [MKfPc] c:\windows\win16.exe

mRun: [MKayc] c:\windows\csrss.exe

mRun: [MKeg] c:\windows\smss.exe

mRun: [HNUjHTgruf] c:\docume~1\tom\locals~1\temp\wininst.exe

mRun: [MKcZ] c:\windows\mdm.exe

mRun: [HNUjHTgre] c:\docume~1\tom\locals~1\temp\smss.exe

mRun: [HNUjHTgoe] c:\docume~1\tom\locals~1\temp\avp.exe

mRun: [MKexe] c:\windows\system.exe

mRun: [HNUjHTgrvg] c:\docume~1\tom\locals~1\temp\spoolsv.exe

mRun: [HNUjHTgrsc] c:\docume~1\tom\locals~1\temp\winlogon.exe

mRun: [HNUjHTgrA] c:\docume~1\tom\locals~1\temp\win16.exe

mRun: [MKaZ] c:\windows\cmd.exe

mRun: [MKetc] c:\windows\sysedit.exe

mRun: [MKee] c:\windows\user.exe

mRun: [MKeta] c:\windows\services.exe

mRun: [HNUjHTgta] c:\docume~1\tom\locals~1\temp\user.exe

mRun: [MKevc] c:\windows\setup.exe

mRun: [MKbtc] c:\windows\hexdump.exe

mRun: [MKbuqc] c:\windows\iexplarer.exe

mRun: [HNUjHTgne] c:\docume~1\tom\locals~1\temp\mdm.exe

mRun: [HNUjHTglb] c:\docume~1\tom\locals~1\temp\debug.exe

mRun: [HNUjHTgmve] c:\docume~1\tom\locals~1\temp\hexdump.exe

mRun: [MKfa] c:\windows\win.exe

mRun: [MKfsc] c:\windows\winlogon.exe

mRun: [HNUjHTgrrc] c:\docume~1\tom\locals~1\temp\winamp.exe

mRun: [HNUjHTgpb] c:\docume~1\tom\locals~1\temp\login.exe

mRun: [MKdw+] c:\windows\nvsvc32.exe

mRun: [HNUjHTgoh] c:\docume~1\tom\locals~1\temp\csrss.exe

mRun: [MKeuf] c:\windows\spoolsv.exe

mRun: [HNUjHTgob] c:\docume~1\tom\locals~1\temp\drweb.exe

mRun: [HNUjHTgsfP] c:\docume~1\tom\locals~1\temp\nvsvc32.exe

mRun: [MKerb] c:\windows\taskmgr.exe

mRun: [MKZSc] c:\windows\avp32.exe

mRun: [MKese] c:\windows\svchost.exe

mRun: [MKasc] c:\windows\drweb.exe

mRun: [HNUjHTgotd] c:\docume~1\tom\locals~1\temp\install.exe

dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

mExplorerRun: [RTHDBPL] c:\documents and settings\tom\application data\systemproc\lsass.exe

StartupFolder: c:\docume~1\tom\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wm-des~1.lnk - c:\program files\whiskeymilitia\desktop alert\WM-Desktop-Alert.exe

uPolicies-explorer: NoFolderOptions = 1 (0x1)

uPolicies-system: DisableRegistryTools = 1 (0x1)

dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE:

Attach.zip



You have quite an infection there.

If you have MBAM already there's no need to download it again.

Print out these instructions as we may need to close every window that is open later in the fix.

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 5 different versions. If one of them won't run, then download and try to run another one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. WiNlOgOn.exe
  5. uSeRiNiT.exe

Do not reboot your computer after running rkill as the malware programs will start again.

Next:

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Thanks LDTate!

Rkill ran with no problem, as did ATF Cleaner. I downloaded MBAM with no problem, and it ran for about 30 seconds before closing itself. When I attempted to run it again I got the error "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item".

As far as how my computer has been acting, I've been using rkill right after startup just to have some sort of functionality. A program called Antivirus 2010 keeps popping up with some sort of fake scan. Other than that, any browser I use gets link hijacked, whether it's Chrome, Firefox or Internet Explorer; occasionally they will just close randomly as well.

Thanks again for the help


Please read carefully and follow these steps.

  • Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
  • Only if Malicious objects are found then ensure Cure is selected
  • Then click Continue > Reboot now

  • Copy and paste the log in your next reply
  • A copy of the log will be saved automatically to the root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.


Here is the TDSSKiller Log:

2010/10/19 15:56:31.0625 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59

2010/10/19 15:56:31.0625

================================================================================

2010/10/19 15:56:31.0625 SystemInfo:

2010/10/19 15:56:31.0625

2010/10/19 15:56:31.0625 OS Version: 5.1.2600 ServicePack: 3.0

2010/10/19 15:56:31.0625 Product type: Workstation

2010/10/19 15:56:31.0625 ComputerName: SEAN

2010/10/19 15:56:31.0625 UserName: Tom

2010/10/19 15:56:31.0625 Windows directory: C:\WINDOWS

2010/10/19 15:56:31.0625 System windows directory: C:\WINDOWS

2010/10/19 15:56:31.0625 Processor architecture: Intel x86

2010/10/19 15:56:31.0625 Number of processors: 1

2010/10/19 15:56:31.0625 Page size: 0x1000

2010/10/19 15:56:31.0625 Boot type: Normal boot

2010/10/19 15:56:31.0625

================================================================================

2010/10/19 15:56:32.0000 Initialize success

2010/10/19 15:56:49.0593

================================================================================

2010/10/19 15:56:49.0593 Scan started

2010/10/19 15:56:49.0593 Mode: Manual;

2010/10/19 15:56:49.0593

================================================================================

2010/10/19 15:56:52.0078 ACPI (15634a4d4371423ad438b93ee0519cb8)

C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/10/19 15:56:52.0125 ACPIEC (9859c0f6936e723e4892d7141b1327d5)

C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/10/19 15:56:52.0187 aec (8bed39e3c35d6a489438b8141717a557)

C:\WINDOWS\system32\drivers\aec.sys

2010/10/19 15:56:52.0250 AegisP (30bb1bde595ca65fd5549462080d94e5)

C:\WINDOWS\system32\DRIVERS\AegisP.sys

2010/10/19 15:56:52.0312 AFD (7e775010ef291da96ad17ca4b17137d7)

C:\WINDOWS\System32\drivers\afd.sys

2010/10/19 15:56:52.0531 AmdPPM (033448d435e65c4bd72e70521fd05c76)

C:\WINDOWS\system32\DRIVERS\AmdPPM.sys

2010/10/19 15:56:52.0718 AsyncMac (0d4681f78a20b50d691a4f3c9f75eb41)

C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/10/19 15:56:52.0765 atapi (335bb30ed68cf3dc0ee2bddb438b6a9b)

C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/10/19 15:56:52.0859 Atmarpc (ecf89e5bd58e3a3cc2e7db0f0d9f6c6c)

C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/10/19 15:56:52.0921 audstub (d9f724aa26c010a217c97606b160ed68)

C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/10/19 15:56:52.0968 Beep (da1f27d85e0d1525f6621372e7b685e9)

C:\WINDOWS\system32\drivers\Beep.sys

2010/10/19 15:56:53.0046 Bridge (7a5559fe80e2dcb62059dc648dbe5bf5)

C:\WINDOWS\system32\DRIVERS\bridge.sys

2010/10/19 15:56:53.0062 BridgeMP (7a5559fe80e2dcb62059dc648dbe5bf5)

C:\WINDOWS\system32\DRIVERS\bridge.sys

2010/10/19 15:56:53.0250 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9)

C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/10/19 15:56:53.0343 Cdaudio (c1b486a7658353d33a10cc15211a873b)

C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/10/19 15:56:53.0406 Cdfs (b7b2efd695bb6e937eb3e5b5465b6f47)

C:\WINDOWS\system32\drivers\Cdfs.sys

2010/10/19 15:56:53.0453 Cdrom (1f29616b1fc4d66a988cf97531bcf729)

C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/10/19 15:56:53.0656 cvmacii (9194b45017524170ebde51209d597cf7)

C:\WINDOWS\system32\drivers\cvmacii.sys

2010/10/19 15:56:53.0671 Suspicious file (Forged):

C:\WINDOWS\system32\drivers\cvmacii.sys. Real md5: 9194b45017524170ebde51209d597cf7,

Fake md5: 23bab8c86792f3d306c2255e9b5202f1

2010/10/19 15:56:53.0671 cvmacii - detected Forged file (1)

2010/10/19 15:56:53.0781 Disk (023712144c69e60fcb662cda2715bf16)

C:\WINDOWS\system32\DRIVERS\disk.sys

2010/10/19 15:56:53.0843 dmboot (1e5c89a65465f6d9674898eb4989cb86)

C:\WINDOWS\system32\drivers\dmboot.sys

2010/10/19 15:56:53.0906 dmio (6cf151f832ec417ffaf68f20ed7d39fb)

C:\WINDOWS\system32\drivers\dmio.sys

2010/10/19 15:56:53.0937 dmload (e9317282a63ca4d188c0df5e09c6ac5f)

C:\WINDOWS\system32\drivers\dmload.sys

2010/10/19 15:56:53.0984 DMusic (c561840c22148f5affb659d547efdbb0)

C:\WINDOWS\system32\drivers\DMusic.sys

2010/10/19 15:56:54.0031 drmkaud (c13ee685aa1a8950146f7f968eb090bd)

C:\WINDOWS\system32\drivers\drmkaud.sys

2010/10/19 15:56:54.0093 EAPPkt (d82414ec520453efe2eba936f6a9115a)

C:\WINDOWS\system32\DRIVERS\EAPPkt.sys

2010/10/19 15:56:54.0140 es1371 (a55dd7d8ced5d2624a9ee2dda7be0319)

C:\WINDOWS\system32\drivers\es1371mp.sys

2010/10/19 15:56:54.0187 Fastfat (f696cf49c72f50ea0c1038c2daa98a00)

C:\WINDOWS\system32\drivers\Fastfat.sys

2010/10/19 15:56:54.0218 Fdc (650fa0d37498f9e2b201a09dbca0b85b)

C:\WINDOWS\system32\drivers\Fdc.sys

2010/10/19 15:56:54.0250 Fips (74947fd2d6a9151c0bb9c72bdaf0e894)

C:\WINDOWS\system32\drivers\Fips.sys

2010/10/19 15:56:54.0296 Flpydisk (3b8607a2bf5aec3dab18cf3612c07c1d)

C:\WINDOWS\system32\drivers\Flpydisk.sys

2010/10/19 15:56:54.0390 FltMgr (87ec219a7ae5553144e2086d2d7daa8a)

C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2010/10/19 15:56:54.0437 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a)

C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/10/19 15:56:54.0500 Ftdisk (6ac26732762483366c3969c9e4d2259d)

C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/10/19 15:56:54.0562 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e)

C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2010/10/19 15:56:54.0609 Gpc (9479c26a5691ccea495e2438ef11c948)

C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/10/19 15:56:54.0671 HidUsb (5f845228561e9545edc6f9ebfa15d338)

C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/10/19 15:56:54.0734 HPFXBULK (e4e0b356a8756066cf89080d9da69f22)

C:\WINDOWS\system32\drivers\hpfxbulk.sys

2010/10/19 15:56:54.0843 HSFHWBS2 (5df616addb75c1ad36c1f9e4de0f7654)

C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys

2010/10/19 15:56:54.0906 HSF_DP (dfa8f86c0dbca7db948043aa3be6793b)

C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

2010/10/19 15:56:55.0031 HTTP (f80a415ef82cd06ffaf0d971528ead38)

C:\WINDOWS\system32\Drivers\HTTP.sys

2010/10/19 15:56:55.0171 i8042prt (30abe7000df369d8b1c4174429260aad)

C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/10/19 15:56:55.0234 Imapi (e32bf30d20b5c162775f9a3451e87b67)

C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/10/19 15:56:55.0359 Ip6Fw (ef9bb587e33c2c245b5b83e882501ff6)

C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2010/10/19 15:56:55.0421 IpFilterDriver (731f22ba402ee4b62748adaf6363c182)

C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/10/19 15:56:55.0484 IpInIp (30aba7a3f81e4b76c963cd6caa23cb49)

C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/10/19 15:56:55.0531 IpNat (eeb5787bd1445c8dc592f40691781774)

C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/10/19 15:56:55.0593 IPSec (bfea19daff955239a16a80c3cdf64fbe)

C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/10/19 15:56:55.0640 IRENUM (64e28d94089cff1c3c77f02f99ffac3f)

C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/10/19 15:56:55.0687 isapnp (81a40a1118265dfc09c036f7776ebcc0)

C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/10/19 15:56:55.0734 Kbdclass (4ff969b48f320f6ce0b07247069c4c22)

C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/10/19 15:56:55.0750 kbdhid (0cded60b750cb5023e901f1fe4e15556)

C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/10/19 15:56:55.0875 kmixer (55e8d7039254728e9f071118184ff53b)

C:\WINDOWS\system32\drivers\kmixer.sys

2010/10/19 15:56:55.0921 KSecDD (b467646c54cc746128904e1654c750c1)

C:\WINDOWS\system32\drivers\KSecDD.sys

2010/10/19 15:56:56.0031 mdmxsdk (3c318b9cd391371bed62126581ee9961)

C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2010/10/19 15:56:56.0109 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6)

C:\WINDOWS\system32\drivers\mnmdd.sys

2010/10/19 15:56:56.0156 Modem (add0bb36498e4da9b1b6a3e201b60a18)

C:\WINDOWS\system32\drivers\Modem.sys

2010/10/19 15:56:56.0203 Mouclass (e70558b84cb0cb9c739cc48ead2a4323)

C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/10/19 15:56:56.0234 mouhid (b1c303e17fb9d46e87a98e4ba6769685)

C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/10/19 15:56:56.0250 MountMgr (07be8cafd246a7dfb7fd4a387e936e92)

C:\WINDOWS\system32\drivers\MountMgr.sys

2010/10/19 15:56:56.0328 MRxDAV (ac816eff53bca79369f0b8643165368c)

C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/10/19 15:56:56.0390 MRxSmb (f3aefb11abc521122b67095044169e98)

C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/10/19 15:56:56.0437 Msfs (4d563545581e72c477ab00741b119853)

C:\WINDOWS\system32\drivers\Msfs.sys

2010/10/19 15:56:56.0484 MSKSSRV (b16206732e541c04c1860d84447ef5bf)

C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/10/19 15:56:56.0515 MSPCLOCK (bd33cfa58c156cbd5419a87c3a4cd0b2)

C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/10/19 15:56:56.0531 MSPQM (a7ec2f88fae0f03252a60950660cc3e1)

C:\WINDOWS\system32\drivers\MSPQM.sys

2010/10/19 15:56:56.0609 Mup (2bb00d68cc9fbda1ee3d9bab9e4fd620)

C:\WINDOWS\system32\drivers\Mup.sys

2010/10/19 15:56:56.0656 NDIS (d1b364f049eb84a883c8a45d3b92ff3b)

C:\WINDOWS\system32\drivers\NDIS.sys

2010/10/19 15:56:56.0750 NdisTapi (7d0d0f2bf199c2df0a9d1b01406168ac)

C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/10/19 15:56:56.0890 Ndisuio (e8969046dc350ecd1e9209dfe341c170)

C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/10/19 15:56:56.0937 NdisWan (266fded9836490ff227ad13e677ba4fb)

C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/10/19 15:56:56.0984 NDProxy (5aa58d218431c79e36a4878f18414637)

C:\WINDOWS\system32\drivers\NDProxy.sys

2010/10/19 15:56:57.0015 NetBIOS (c70b403d8158e11bf0d43d5b153cbe6b)

C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/10/19 15:56:57.0046 NetBT (c181e1f7a2a251b7af6352dcbd8457f3)

C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/10/19 15:56:57.0125 Npfs (20c123afc574abf76ba35d39c26ae6df)

C:\WINDOWS\system32\drivers\Npfs.sys

2010/10/19 15:56:57.0187 Ntfs (34a993d7e519364f5d548b5726917753)

C:\WINDOWS\system32\drivers\Ntfs.sys

2010/10/19 15:56:57.0265 Null (73c1e1f395918bc2c6dd67af7591a3ad)

C:\WINDOWS\system32\drivers\Null.sys

2010/10/19 15:56:57.0468 nv (8c0456001b6900114bbb1c548bd8aaf5)

C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/10/19 15:56:57.0671 NVENETFD (4d6f0d3fb17c1ba64942f415c73adcdb)

C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

2010/10/19 15:56:57.0687 nvnetbus (921e63aa1e1a20302223d016acafb52b)

C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

2010/10/19 15:56:57.0859 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57)

C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/10/19 15:56:57.0921 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9)

C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/10/19 15:56:58.0015 Parport (10572a94d8978619ce4845fe8595c9a5)

C:\WINDOWS\system32\drivers\Parport.sys

2010/10/19 15:56:58.0046 PartMgr (67075da61516adedd710a9da6c6c8acb)

C:\WINDOWS\system32\drivers\PartMgr.sys

2010/10/19 15:56:58.0093 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1)

C:\WINDOWS\system32\drivers\ParVdm.sys

2010/10/19 15:56:58.0140 PCI (f3cebed46dc3a7f1758745c1d1fa5fcf)

C:\WINDOWS\system32\DRIVERS\pci.sys

2010/10/19 15:56:58.0250 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0)

C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/10/19 15:56:58.0312 Pcmcia (1ec157cb90d06455d67c007ada4973ac)

C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/10/19 15:56:58.0515 PptpMiniport (87d6a848dc367056778168d40a6f1a70)

C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/10/19 15:56:58.0546 Processor (7169253efd25e3213c432f59350f16a8)

C:\WINDOWS\system32\DRIVERS\processr.sys

2010/10/19 15:56:58.0593 PSched (8dc29e493cce832784a60bf7c120f132)

C:\WINDOWS\system32\DRIVERS\psched.sys

2010/10/19 15:56:58.0640 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd)

C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/10/19 15:56:58.0687 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042)

C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/10/19 15:56:58.0921 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c)

C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/10/19 15:56:58.0968 Rasl2tp (dbc6aeda3111edaf60948fc063565006)

C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/10/19 15:56:59.0000 RasPppoe (96467fc3e135f0b174b8978bd8ce69f9)

C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/10/19 15:56:59.0015 Raspti (fdbb1d60066fcfbb7452fd8f9829b242)

C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/10/19 15:56:59.0046 Rdbss (1116a775bfa71f2c13f3d420da455ff2)

C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/10/19 15:56:59.0078 RDPCDD (4912d5b403614ce99c28420f75353332)

C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/10/19 15:56:59.0140 rdpdr (9b7b9221177c83c7cbfd20b4b67f23dc)

C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/10/19 15:56:59.0171 RDPWD (0cd1bda7f6848e4de4eed3d36874ffb5)

C:\WINDOWS\system32\drivers\RDPWD.sys

2010/10/19 15:56:59.0203 redbook (11540f52cbc8a4c97467579bbf7ffae2)

C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/10/19 15:56:59.0281 rt2870 (ca1f3487c964f80d76d4a79c8d1c1cbe)

C:\WINDOWS\system32\DRIVERS\rt2870.sys

2010/10/19 15:56:59.0343 RTL8187B (d668006d3f4249d20729ef6da27c916e)

C:\WINDOWS\system32\DRIVERS\RTL8187B.sys

2010/10/19 15:56:59.0421 Secdrv (90a3935d05b494a5a39d37e71f09a677)

C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/10/19 15:56:59.0468 Serial (471168d4b9adfd1f9e692f8779455188)

C:\WINDOWS\system32\drivers\Serial.sys

2010/10/19 15:56:59.0531 Sfloppy (dc495a349dfd94fbfe4cf0689ed647b2)

C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/10/19 15:56:59.0640 snapman (bcc773872041aa59bc9a6cf770fb32e2)

C:\WINDOWS\system32\DRIVERS\snapman.sys

2010/10/19 15:56:59.0750 splitter (e477a633ea2d387788879a30666e5998)

C:\WINDOWS\system32\drivers\splitter.sys

2010/10/19 15:56:59.0859 sptd (71e276f6d189413266ea22171806597b)

C:\WINDOWS\system32\Drivers\sptd.sys

2010/10/19 15:56:59.0921 sr (8ec0ec1508d5c0dc9f0a46b264b41bff)

C:\WINDOWS\system32\DRIVERS\sr.sys

2010/10/19 15:56:59.0984 Srv (89220b427890aa1dffd1a02648ae51c3)

C:\WINDOWS\system32\DRIVERS\srv.sys

2010/10/19 15:57:00.0296 swenum (a5491f57e70167a10ed40e19d36edd13)

C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/10/19 15:57:00.0359 swmidi (5f8ab2829c52609e03560725eaf167f9)

C:\WINDOWS\system32\drivers\swmidi.sys

2010/10/19 15:57:00.0500 sysaudio (feaee2df25f435c153756707321bbf46)

C:\WINDOWS\system32\drivers\sysaudio.sys

2010/10/19 15:57:00.0578 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d)

C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/10/19 15:57:00.0625 TDPIPE (76afdfea26d4cb16e81fa32a22c34376)

C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/10/19 15:57:00.0687 tdrpman (eb53ec341458256deae2ad58822c4a17)

C:\WINDOWS\system32\DRIVERS\tdrpman.sys

2010/10/19 15:57:00.0828 TDTCP (2fc82251c9e895aa48624ebe05e5774e)

C:\WINDOWS\system32\drivers\TDTCP.sys

2010/10/19 15:57:00.0859 TermDD (4e55b6f75ad92f13d6abbf8d767cbcec)

C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/10/19 15:57:00.0921 tifsfilter (b0b3122bff3910e0ba97014045467778)

C:\WINDOWS\system32\DRIVERS\tifsfilt.sys

2010/10/19 15:57:01.0000 timounter (13bfe330880ac0ce8672d00aa5aff738)

C:\WINDOWS\system32\DRIVERS\timntr.sys

2010/10/19 15:57:01.0125 Udfs (90374e55f93f2883377902cb9cbfc6db)

C:\WINDOWS\system32\drivers\Udfs.sys

2010/10/19 15:57:01.0218 Update (415c2a770f4b6932308f9de7b19b3139)

C:\WINDOWS\system32\DRIVERS\update.sys

2010/10/19 15:57:01.0296 USBAAPL (1df89c499bf45d878b87ebd4421d462d)

C:\WINDOWS\system32\Drivers\usbaapl.sys

2010/10/19 15:57:01.0343 usbccgp (9a0a8be756bd7a9bad4a3d0e9fa7bd79)

C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/10/19 15:57:01.0375 usbehci (d37fee874b49d951f68e788d40d8c196)

C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/10/19 15:57:01.0406 usbhub (8167383fe00199108f63269c2b8a99e1)

C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/10/19 15:57:01.0437 usbohci (2e79c58ff52dda6d066047fc7723625c)

C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/10/19 15:57:01.0468 usbprint (14caa438f4ebd12dbd43db0273bc0fdc)

C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/10/19 15:57:01.0515 usbscan (5be9c3f196c607aaa072ed660f9c0423)

C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/10/19 15:57:01.0546 usbstor (e3eef7ae5105a9f99b1807031edb4171)

C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/10/19 15:57:01.0562 Suspicious service (NoAccess): vbma4f28

2010/10/19 15:57:01.0656 vbma4f28 (2238b0a45fdcff73dfa5d47c4e59a692)

C:\WINDOWS\system32\drivers\vbma4f28.sys

2010/10/19 15:57:01.0656 vbma4f28 - detected Locked service (1)

2010/10/19 15:57:01.0781 VgaSave (cc1f0dd100f577e9b029547fee285813)

C:\WINDOWS\System32\drivers\vga.sys

2010/10/19 15:57:01.0890 VolSnap (2abf037f9d447424b58d73706b55b762)

C:\WINDOWS\system32\drivers\VolSnap.sys

2010/10/19 15:57:01.0953 Wanarp (8794191476e6b93161baaa136e309454)

C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/10/19 15:57:02.0031 wdmaud (cf66393a0b2e361503bf381ac013b34a)

C:\WINDOWS\system32\drivers\wdmaud.sys

2010/10/19 15:57:02.0093 winachsf (473ee64c368ce2eed110376c11960259)

C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2010/10/19 15:57:02.0187 WpdUsb (cf4def1bf66f06964dc0d91844239104)

C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2010/10/19 15:57:02.0234 WudfPf (f15feafffbb3644ccc80c5da584e6311)

C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/10/19 15:57:02.0250 WudfRd (28b524262bce6de1f7ef9f510ba3985b)

C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/10/19 15:57:02.0296 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/10/19 15:57:02.0312

================================================================================

2010/10/19 15:57:02.0312 Scan finished

2010/10/19 15:57:02.0312

================================================================================

2010/10/19 15:57:02.0312 Detected object count: 3

2010/10/19 15:57:29.0406 Forged file(cvmacii) - User select action: Skip

2010/10/19 15:57:29.0406 Locked service(vbma4f28) - User select action: Skip

2010/10/19 15:57:29.0453 \HardDisk0\MBR - will be cured after reboot

2010/10/19 15:57:29.0453 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select

action: Cure

2010/10/19 15:57:53.0328 Deinitialize success

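TDSSKiller reported three objects in the log above: a driver whose MD5 differs depending on how it is read (a forged file, meaning something in the I/O path is serving different bytes to different readers), a service it could not open (the locked vbma4f28), and an infected MBR (Rootkit.Win32.TDSS.tdl4). TDL4 replaces the bootstrap code in sector 0 so its loader runs before Windows does, and it hides that change by filtering reads of the MBR on the live system, which is why a naive check from inside the infected OS sees a clean sector and why TDSSKiller cures it at reboot. The code below is an added example (not part of the post and not code from TDSSKiller): it parses a 512-byte MBR, validates the boot signature and partition table, and compares a hash of the bootstrap code against a baseline taken from a known-good image. The two MBR images are constructed for illustration; read_mbr() is only trustworthy when run from clean boot media.

```python
"""MBR integrity check: signature, partition table, and bootstrap-code hash.

Added example, not part of the original forum post or of TDSSKiller.
The sample MBR images below are constructed, not taken from the infected machine.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0..439: bootstrap code (what an MBR bootkit replaces)
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the 6-byte disk signature
SIGNATURE = b"\x55\xaa"        # bytes 510..511


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the four primary partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootcode_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table legitimately changes."""
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> List[str]:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if bootcode_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    active = [e for e in parse_partitions(mbr) if e["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return findings


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk (Windows; needs administrator rights).
    On a live TDL4-infected host the rootkit filters this read and hands back
    the original clean sector, so only trust the result from offline boot media."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


# --- constructed sample images -------------------------------------------------
def build_sample_mbr(bootcode: bytes) -> bytes:
    """One active NTFS (type 0x07) partition starting at LBA 63, as XP laid disks out."""
    code = bootcode.ljust(BOOT_CODE_END, b"\x00")
    disk_sig = b"\x11\x22\x33\x44\x00\x00"                     # bytes 440..445 (made up)
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 1_000_000)
    table = part1 + b"\x00" * 48                                # three empty entries
    return code + disk_sig + table + SIGNATURE


# First instructions of a stock Windows MBR: xor ax,ax / mov ss,ax / mov sp,7C00h
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = bootcode_hash(CLEAN_MBR)          # what you would record on a known-clean disk
# Same partition table, different loader code: the footprint an MBR bootkit leaves.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x1c\x90\x90\xde\xad\xbe\xef")

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE) or "OK")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Hashing only the first 440 bytes matters: the disk signature and partition table change for legitimate reasons, the bootstrap code should not. The caveat in read_mbr() is the whole lesson of this thread: a rootkit that owns the disk stack can lie to every user-mode reader, so the comparison is only meaningful against a sector read while the infected OS is not running.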

Click: Start > All Programs > Accessories

Open Notepad, click on Format and uncheck Word Wrap.

Next:

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. If you have SP3, use the SP2 package. If you're running Vista or Windows 7, skip the Recovery Console part.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

I downloaded combofix, ran it, and it ran for a while showing its progress in a blue progress bar and red progress bar. It stopped at around 11%, went to a blue window screen and showed the following

Scanning for infected files . . .

This typically doesn't take more than 10 minutes

However, scan times for badly infected machines may easily double

Access is denied.

Access is denied.

Access is denied.

Access is denied.

Access is denied.

Access is denied.

Access is denied.

And then it just stalled out

Link to post
Share on other sites

Alright, I downloaded combofix to another computer and burned it to a CD, as I do not have a thumb drive. I booted into safe mode, ran combofix from the CD. It gave me an error with the title "PING.cfxxe - Bad Image" and the message "The application or DLL C:\Windows\system32\winsock.dll is not a valid Windows image. Please check against your installation diskette". It still attempted to run after the error, it got through about step 9 of 11 with the blue and red progress bar screen, then went back to the initial blue screen window and said Access Is Denied seven times. It then gave me an error with the title "NirCmd.cfxxe - Bad Image" with the same message as the first error.

Seems like a nasty little thing haha. Thanks for all the help again. Oh, and I don't have the Windows XP CD just in case, this (work) computer was handed down to me and they don't have any of the software on CD.

Link to post
Share on other sites

Let's see if we can get HijackThis to run.

Download HijackThis .

  • Save HijackThis.exe to your desktop.
  • Doubleclick on the HijackThis.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Also post a new DDS log.

Link to post
Share on other sites

I downloaded and ran HijackThis.. it completes the scan but the second it does it closes down and does not generate a log. I can't even run the program a second time, I have to redownload, install and run fresh. As for DDS.. here are the logs:

DDS

DDS (Ver_10-10-10.03) - NTFSx86

Run by Tom at 11:51:02.53 on Wed 10/20/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.326 [GMT -7:00]

AV: avast! antivirus 4.8.1229 [VPS 080930-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

"C:\WINDOWS\system32\svchost.exe"

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\alg.exe

"\\.\globalroot\Device\svchost.exe\svchost.exe"

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\login.exe

C:\WINDOWS\wininst.exe

C:\WINDOWS\win16.exe

C:\WINDOWS\mdm.exe

C:\WINDOWS\system.exe

C:\WINDOWS\sysedit.exe

C:\WINDOWS\user.exe

C:\WINDOWS\setup.exe

C:\WINDOWS\hexdump.exe

C:\WINDOWS\iexplarer.exe

C:\WINDOWS\win.exe

C:\WINDOWS\nvsvc32.exe

C:\WINDOWS\spoolsv.exe

C:\WINDOWS\taskmgr.exe

C:\WINDOWS\avp32.exe

C:\WINDOWS\drweb.exe

C:\WINDOWS\avp.exe

C:\WINDOWS\winamp.exe

C:\WINDOWS\login.exe

C:\WINDOWS\wininst.exe

C:\WINDOWS\win16.exe

C:\WINDOWS\mdm.exe

C:\WINDOWS\system.exe

C:\WINDOWS\sysedit.exe

C:\WINDOWS\user.exe

C:\WINDOWS\setup.exe

C:\WINDOWS\hexdump.exe

C:\WINDOWS\iexplarer.exe

C:\WINDOWS\win.exe

C:\WINDOWS\nvsvc32.exe

C:\WINDOWS\spoolsv.exe

C:\WINDOWS\taskmgr.exe

C:\WINDOWS\avp32.exe

C:\WINDOWS\drweb.exe

C:\WINDOWS\avp.exe

C:\WINDOWS\winamp.exe

C:\Program Files\WhiskeyMilitia\Desktop Alert\WM-Desktop-Alert.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>

BHO: c:\windows\system32\pwvrpzgte.dll: {d6ba40a1-a502-59bd-f413-04b03a2c8953} - c:\windows\system32\pwvrpzgte.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Delicious Toolbar: {61d1c847-df80-423a-8c6d-dc03b97e6ebe} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll

EB: Delicious Sidebar: {9d19c405-ba93-461b-871f-97992cc45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\tom\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [HNUjHTgph] c:\docume~1\tom\locals~1\temp\setup.exe

uRun: [MKcrc] c:\windows\login.exe

uRun: [MKfre] c:\windows\wininst.exe

uRun: [MKfPc] c:\windows\win16.exe

uRun: [MKayc] c:\windows\csrss.exe

uRun: [MKeg] c:\windows\smss.exe

uRun: [HNUjHTgruf] c:\docume~1\tom\locals~1\temp\wininst.exe

uRun: [MKcZ] c:\windows\mdm.exe

uRun: [HNUjHTgre] c:\docume~1\tom\locals~1\temp\smss.exe

uRun: [HNUjHTgoe] c:\docume~1\tom\locals~1\temp\avp.exe

uRun: [MKexe] c:\windows\system.exe

uRun: [HNUjHTgrvg] c:\docume~1\tom\locals~1\temp\spoolsv.exe

uRun: [HNUjHTgrsc] c:\docume~1\tom\locals~1\temp\winlogon.exe

uRun: [HNUjHTgrA] c:\docume~1\tom\locals~1\temp\win32.exe

uRun: [MKaZ] c:\windows\cmd.exe

uRun: [MKetc] c:\windows\sysedit.exe

uRun: [MKee] c:\windows\user.exe

uRun: [MKeta] c:\windows\services.exe

uRun: [HNUjHTgta] c:\docume~1\tom\locals~1\temp\user.exe

uRun: [MKevc] c:\windows\setup.exe

uRun: [MKbtc] c:\windows\hexdump.exe

uRun: [MKbuqc] c:\windows\iexplarer.exe

uRun: [HNUjHTgne] c:\docume~1\tom\locals~1\temp\mdm.exe

uRun: [HNUjHTglb] c:\docume~1\tom\locals~1\temp\debug.exe

uRun: [HNUjHTgmve] c:\docume~1\tom\locals~1\temp\hexdump.exe

uRun: [MKfa] c:\windows\win.exe

uRun: [MKfsc] c:\windows\winlogon.exe

uRun: [HNUjHTgrrc] c:\docume~1\tom\locals~1\temp\winamp.exe

uRun: [HNUjHTgpb] c:\docume~1\tom\locals~1\temp\login.exe

uRun: [MKdw+] c:\windows\nvsvc32.exe

uRun: [HNUjHTgoh] c:\docume~1\tom\locals~1\temp\csrss.exe

uRun: [MKeuf] c:\windows\spoolsv.exe

uRun: [HNUjHTgob] c:\docume~1\tom\locals~1\temp\drweb.exe

uRun: [HNUjHTgsfP] c:\docume~1\tom\locals~1\temp\nvsvc32.exe

uRun: [MKerb] c:\windows\taskmgr.exe

uRun: [MKZSc] c:\windows\avp32.exe

uRun: [MKese] c:\windows\svchost.exe

uRun: [MKasc] c:\windows\drweb.exe

uRun: [HNUjHTgotd] c:\docume~1\tom\locals~1\temp\install.exe

uRun: [MKcuc] c:\windows\lsass.exe

uRun: [HNUjHTgN2zc\Tom\LOCALS~1\Temp\2799445640.exe] c:\docume~1\tom\locals~1\temp\2799445640.exe

uRun: [HNUjHTgosf] c:\docume~1\tom\locals~1\temp\taskmgr.exe

uRun: [MKZe] c:\windows\avp.exe

uRun: [HNUjHTgnb] c:\docume~1\tom\locals~1\temp\cmd.exe

uRun: [HNUjHTgupf] c:\docume~1\tom\locals~1\temp\sysedit.exe

uRun: [HNUjHTgl/] c:\docume~1\tom\locals~1\temp\gdi32.exe

uRun: [MKfpe] c:\windows\winamp.exe

uRun: [HNUjHTgmtd] c:\docume~1\tom\locals~1\temp\iexplarer.exe

uRun: [HNUjHTgqd] c:\docume~1\tom\locals~1\temp\lsass.exe

uRun: [HNUjHTgO2x1\Tom\LOCALS~1\Temp\593788024.exe] c:\docume~1\tom\locals~1\temp\593788024.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [HNUjHTgph] c:\docume~1\tom\locals~1\temp\setup.exe

mRun: [MKcrc] c:\windows\login.exe

mRun: [MKfre] c:\windows\wininst.exe

mRun: [MKfPc] c:\windows\win16.exe

mRun: [MKayc] c:\windows\csrss.exe

mRun: [MKeg] c:\windows\smss.exe

mRun: [HNUjHTgruf] c:\docume~1\tom\locals~1\temp\wininst.exe

mRun: [MKcZ] c:\windows\mdm.exe

mRun: [HNUjHTgre] c:\docume~1\tom\locals~1\temp\smss.exe

mRun: [HNUjHTgoe] c:\docume~1\tom\locals~1\temp\avp.exe

mRun: [MKexe] c:\windows\system.exe

mRun: [HNUjHTgrvg] c:\docume~1\tom\locals~1\temp\spoolsv.exe

mRun: [HNUjHTgrsc] c:\docume~1\tom\locals~1\temp\winlogon.exe

mRun: [HNUjHTgrA] c:\docume~1\tom\locals~1\temp\win32.exe

mRun: [MKaZ] c:\windows\cmd.exe

mRun: [MKetc] c:\windows\sysedit.exe

mRun: [MKee] c:\windows\user.exe

mRun: [MKeta] c:\windows\services.exe

mRun: [HNUjHTgta] c:\docume~1\tom\locals~1\temp\user.exe

mRun: [MKevc] c:\windows\setup.exe

mRun: [MKbtc] c:\windows\hexdump.exe

mRun: [MKbuqc] c:\windows\iexplarer.exe

mRun: [HNUjHTgne] c:\docume~1\tom\locals~1\temp\mdm.exe

mRun: [HNUjHTglb] c:\docume~1\tom\locals~1\temp\debug.exe

mRun: [HNUjHTgmve] c:\docume~1\tom\locals~1\temp\hexdump.exe

mRun: [MKfa] c:\windows\win.exe

mRun: [MKfsc] c:\windows\winlogon.exe

mRun: [HNUjHTgrrc] c:\docume~1\tom\locals~1\temp\winamp.exe

mRun: [HNUjHTgpb] c:\docume~1\tom\locals~1\temp\login.exe

mRun: [MKdw+] c:\windows\nvsvc32.exe

mRun: [HNUjHTgoh] c:\docume~1\tom\locals~1\temp\csrss.exe

mRun: [MKeuf] c:\windows\spoolsv.exe

mRun: [HNUjHTgob] c:\docume~1\tom\locals~1\temp\drweb.exe

mRun: [HNUjHTgsfP] c:\docume~1\tom\locals~1\temp\nvsvc32.exe

mRun: [MKerb] c:\windows\taskmgr.exe

mRun: [MKZSc] c:\windows\avp32.exe

mRun: [MKese] c:\windows\svchost.exe

mRun: [MKasc] c:\windows\drweb.exe

mRun: [HNUjHTgotd] c:\docume~1\tom\locals~1\temp\install.exe

mRun: [MKcuc] c:\windows\lsass.exe

mRun: [HNUjHTgN2zc\Tom\LOCALS~1\Temp\2799445640.exe] c:\docume~1\tom\locals~1\temp\2799445640.exe

mRun: [HNUjHTgosf] c:\docume~1\tom\locals~1\temp\taskmgr.exe

mRun: [MKZe] c:\windows\avp.exe

mRun: [HNUjHTgnb] c:\docume~1\tom\locals~1\temp\cmd.exe

mRun: [HNUjHTgupf] c:\docume~1\tom\locals~1\temp\sysedit.exe

mRun: [HNUjHTgl/] c:\docume~1\tom\locals~1\temp\gdi32.exe

mRun: [MKfpe] c:\windows\winamp.exe

mRun: [HNUjHTgmtd] c:\docume~1\tom\locals~1\temp\iexplarer.exe

mRun: [HNUjHTgqd] c:\docume~1\tom\locals~1\temp\lsass.exe

mRun: [HNUjHTgO2x1\Tom\LOCALS~1\Temp\593788024.exe] c:\docume~1\tom\locals~1\temp\593788024.exe

dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

mExplorerRun: [RTHDBPL] c:\documents and settings\tom\application data\systemproc\lsass.exe

StartupFolder: c:\docume~1\tom\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wm-des~1.lnk - c:\program files\whiskeymilitia\desktop alert\WM-Desktop-Alert.exe

uPolicies-explorer: NoFolderOptions = 1 (0x1)

uPolicies-system: DisableRegistryTools = 1 (0x1)

dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {2C887991-08F0-11DC-A9B2-0012F0B227DD} - {B8D8B1D0-83AF-451B-8CD9-8F1BF4ED8FEA} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll

IE: {2C887992-08F0-11DC-A9B2-0012F0B227DD} - {9D19C405-BA93-461b-871F-97992CC45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll

IE: {2C887993-08F0-11DC-A9B2-0012F0B227DD} - {4D3D441F-9543-4941-B664-2EDCF9FC1B56} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: winsock.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211587291171

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259707250250

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

STS: c:\windows\system32\pwvrpzgte.dll: {d6ba40a1-a502-59bd-f413-04b03a2c8953} - c:\windows\system32\pwvrpzgte.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

LSA: Authentication Packages = msv1_0 relog_ap

mASetup: {8CD620CB-E463-446F-A79C-F2DA6C90C382} - rundll32.exe "c:\documents and settings\tom\application data\bitrix security\xaukvmm60.dll", DllUnrer

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tom\applic~1\mozilla\firefox\profiles\vj895qtp.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox

FF - prefs.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=

FF - plugin: c:\documents and settings\tom\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - HiddenExtension: XULRunner: {60936386-F8F0-497F-9CB8-B5B399B0E4E7} - c:\documents and settings\tom\local settings\application data\{60936386-F8F0-497F-9CB8-B5B399B0E4E7}

FF - HiddenExtension: Firefox security: No Registry Reference - c:\program files\mozilla firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 cvmacii;cvmacii;c:\windows\system32\drivers\cvmacii.sys [2007-11-30 303904]

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-10-9 38144]

R3 RTL8187B;Airlink101 802.11g USB 2.0 Adapter;c:\windows\system32\drivers\RTL8187B.sys [2008-10-14 238208]

S0 kcdwnloe;kcdwnloe; [x]

S1 aAAAAAa;aAAAAAa;c:\windows\system32\drivers\aaaaaaa.sys --> c:\windows\system32\drivers\aAAAAAa.sys [?]

S3 5DE6C4AB;5DE6C4AB; [x]

S3 OKI OPHG DCS Loader;OKI OPHG DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE [2005-11-22 24576]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-11-16 550272]

=============== Created Last 30 ================

2010-10-20 17:41:46 -------- d-s---w- C:\ComboFix

2010-10-19 22:30:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-19 22:30:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-19 22:16:28 21636 ---h--w- c:\windows\lsass.exe

2010-10-19 20:18:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trend Micro

2010-10-19 20:18:11 -------- d-----w- c:\program files\Trend Micro

2010-10-19 18:41:32 -------- d-s---w- C:\Combo-Fix6475C

2010-10-19 17:46:22 -------- d-s---w- C:\Combo-Fix

2010-10-19 17:41:11 21636 ---h--w- c:\windows\svchost.exe

2010-10-19 17:40:37 21636 ---h--w- c:\windows\avp32.exe

2010-10-19 17:19:16 21636 ---h--w- c:\windows\spoolsv.exe

2010-10-19 01:52:29 21636 ---h--w- c:\windows\sysedit.exe

2010-10-19 00:01:51 21636 ---h--w- c:\windows\smss.exe

2010-10-18 22:13:18 21636 ---h--w- c:\windows\hexdump.exe

2010-10-18 22:09:16 21636 ---h--w- c:\windows\install.exe

2010-10-18 20:23:01 21636 ---h--w- c:\windows\cmd.exe

2010-10-18 20:22:59 21636 ---h--w- c:\windows\drweb.exe

2010-10-18 20:22:26 21636 ---h--w- c:\windows\wininst.exe

2010-10-18 20:22:24 21636 ---h--w- c:\windows\nvsvc32.exe

2010-10-18 18:15:10 21636 ---h--w- c:\windows\debug.exe

2010-10-18 17:22:14 21636 ---h--w- c:\windows\login.exe

2010-10-18 17:22:13 21636 ---h--w- c:\windows\services.exe

2010-10-18 17:22:12 21636 ---h--w- c:\windows\gdi32.exe

2010-10-15 21:29:26 21636 ---h--w- c:\windows\winlogon.exe

2010-10-15 21:29:24 21636 ---h--w- c:\windows\winamp.exe

2010-10-15 21:29:22 21636 ---h--w- c:\windows\setup.exe

2010-10-15 21:22:35 21636 ---h--w- c:\windows\win.exe

2010-10-15 21:22:34 21636 ---h--w- c:\windows\win16.exe

2010-10-15 21:22:17 21636 ---h--w- c:\windows\taskmgr.exe

2010-10-15 21:22:15 21636 ---h--w- c:\windows\user.exe

2010-10-15 21:22:13 21636 ---h--w- c:\windows\avp.exe

2010-10-15 21:22:10 21636 ---h--w- c:\windows\win32.exe

2010-10-15 21:22:08 21636 ---h--w- c:\windows\system.exe

2010-10-15 21:22:08 21636 ---h--w- c:\windows\mdm.exe

2010-10-15 21:22:07 21636 ---h--w- c:\windows\iexplarer.exe

2010-10-15 21:21:54 21636 ---h--w- c:\windows\csrss.exe

2010-10-15 21:21:44 30000 ----a-w- c:\windows\system32\o8d3ej.dll

2010-10-15 21:21:43 30000 ----a-w- c:\windows\system32\pwvrpzgte.dll

2010-10-15 21:18:36 737280 ----a-w- c:\docume~1\tom\applic~1\hotfix.exe

2010-10-15 21:18:36 190 ----a-w- c:\docume~1\tom\applic~1\jsfhjjsd.bat

2010-10-15 21:18:06 -------- d-----w- c:\docume~1\tom\applic~1\Bitrix Security

2010-10-15 17:08:16 53248 ----a-w- c:\windows\system32\6to4v32.dll

2010-10-11 21:55:19 0 ----a-w- c:\windows\Nbimupe.bin

2010-10-11 21:54:41 -------- d-----w- c:\docume~1\tom\locals~1\applic~1\{60936386-F8F0-497F-9CB8-B5B399B0E4E7}

2010-09-29 19:13:11 -------- d-----w- c:\docume~1\tom\applic~1\Delicious IE Extension

2010-09-29 19:12:45 -------- d-----w- c:\program files\Delicious Add-on for Internet Explorer

2010-09-28 19:29:27 -------- d-sh--w- c:\docume~1\tom\applic~1\SystemProc

==================== Find3M ====================

2010-09-08 18:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 18:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 11:51:56.56 ===============

And ATTACH

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 5/23/2008 4:24:51 PM

System Uptime: 10/20/2010 11:45:48 AM (0 hours ago)

Motherboard: ASUSTek Computer INC. | | IVY

Processor: AMD Athlon 64 Processor 3800+ | Socket AM2 | 2410/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 59 GiB total, 39.62 GiB free.

D: is FIXED (NTFS) - 90 GiB total, 44.571 GiB free.

E: is Removable

F: is Removable

G: is Removable

H: is Removable

I: is CDROM (CDFS)

Z: is NetworkDisk (NTFS) - 40 GiB total, 8.289 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}

Description: Microsoft System Management BIOS Driver

Device ID: ROOT\SYSTEM\0002

Manufacturer: (Standard system devices)

Name: Microsoft System Management BIOS Driver

PNP Device ID: ROOT\SYSTEM\0002

Service: mssmbios

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acronis

Link to post
Share on other sites
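As an added illustration (not part of the thread, and not code from DDS or any other tool named in it), the following Python script applies the triage a helper does by eye to the DDS log above: it flags running processes and Run-value images that use a core-process name outside system32, sit directly in the Windows directory, live in a Temp folder, or are launched through a \\.\globalroot device path, and it groups the "Created Last 30" entries by size and attributes so that the cluster of identical-size hidden executables stands out. The sample input is a constructed subset of lines copied from the log; the two allowlists and the cluster threshold are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the DDS log posted above
# (Running Processes, Pseudo HJT Report and "Created Last 30" sections).
SAMPLE_LINES = r"""
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\login.exe
C:\WINDOWS\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MKese] c:\windows\svchost.exe
uRun: [HNUjHTgrsc] c:\docume~1\tom\locals~1\temp\winlogon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mExplorerRun: [RTHDBPL] c:\documents and settings\tom\application data\systemproc\lsass.exe
2010-10-19 17:41:11 21636 ---h--w- c:\windows\svchost.exe
2010-10-19 17:40:37 21636 ---h--w- c:\windows\avp32.exe
2010-10-19 17:19:16 21636 ---h--w- c:\windows\spoolsv.exe
2010-10-19 22:30:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-15 21:21:43 30000 ----a-w- c:\windows\system32\pwvrpzgte.dll
"""

# Core Windows processes whose genuine image lives in %WINDIR%\system32
# (assumed allowlist for this example, not a complete list).
SYSTEM32_NAMES = {"svchost.exe", "csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe",
                  "services.exe", "spoolsv.exe", "taskmgr.exe", "cmd.exe", "ctfmon.exe"}
# Executables that legitimately sit directly in %WINDIR% on XP (assumed allowlist).
WINDIR_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe"}

RUN_RE = re.compile(r"^(?:u|m|d|mExplorer)Run(?:Once)?: \[[^\]]*\] (.+)$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S{8})\s+(.+)$")
IMAGE_RE = re.compile(r'^"?([^"]+?\.(?:exe|dll|scr))"?(?:\s|,|$)', re.I)


def image_path(command):
    """Pull the executable path out of a process line or a Run-value command."""
    m = IMAGE_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def judge(path):
    """Return the reasons a path looks like a masquerading autostart image."""
    path = path.lower()
    directory, _, name = path.rpartition("\\")
    parts = directory.split("\\")
    reasons = []
    if directory.startswith(r"\\.\globalroot"):
        reasons.append("launched through a \\\\.\\globalroot device path, not a normal file path")
    if name in SYSTEM32_NAMES and not directory.endswith(r"\system32"):
        reasons.append("core-process name %s outside system32" % name)
    if directory.endswith(r"\windows") and name.endswith(".exe") and name not in WINDIR_ROOT_OK:
        reasons.append("unexpected executable directly in the Windows directory")
    if "temp" in parts:
        reasons.append("autostart image in a Temp directory")
    return reasons


def triage(text):
    """Map each suspicious image path (lower-cased) to its list of reasons."""
    findings = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or CREATED_RE.match(line):
            continue
        m = RUN_RE.match(line)
        path = image_path(m.group(1) if m else line)
        reasons = judge(path)
        if reasons:
            findings[path.lower()] = reasons
    return findings


def created_clusters(text, min_count=3):
    """Group "Created Last 30" entries by (size, attributes) and keep clusters of
    hidden executables with identical size: one dropper writing copies of itself
    under many names, as in the log above, shows up as one such cluster."""
    groups = defaultdict(list)
    for line in text.strip().splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        _, size, attrs, path = m.groups()
        if "h" in attrs and path.lower().endswith(".exe"):
            groups[(int(size), attrs)].append(path)
    return {k: v for k, v in groups.items() if len(v) >= min_count}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES).items():
        print(path)
        for r in reasons:
            print("   -", r)
    for (size, attrs), paths in created_clusters(SAMPLE_LINES).items():
        print("%d hidden executables of %d bytes (%s):" % (len(paths), size, attrs), paths)
```

Run against the full log, the same rules flag every C:\WINDOWS\*.exe and Temp entry in the Run keys, the lsass.exe under Application Data, and the globalroot-launched svchost.exe, while leaving the system32 and Program Files entries alone; the cluster check turns the long "Created Last 30" list into a single line naming the 21636-byte hidden executables.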

I'm not sure we're going to be able to clean this, but will keep trying.

http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allows the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.

Link to post
Share on other sites

Hi LDTate,

Alright I ran the scan and here is the log...

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251

# version=7

# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=586ff85ecec6474494459f72a40552ac

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-10-20 09:28:34

# local_time=2010-10-20 02:28:34 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3, v.5938

# compatibility_mode=512 16777215 100 0 1596 1596 0 0

# compatibility_mode=768 16777195 100 0 75934444 75934444 0 0

# compatibility_mode=1024 16777215 100 0 26971230 26971230 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=115437

# found=16

# cleaned=15

# scan_time=2629

C:\Documents and Settings\Tom\Local Settings\temp\1917683380.exe probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Tom\Local Settings\temp\3476277130.exe probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Tom\Local Settings\temp\iexplorer.exe Win32/Agent.ROS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Tom\Local Settings\temp\NOD846.tmp Win32/Agent.ROS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Tom\Local Settings\temp\NOD859.tmp a variant of Win32/Wimpixo.AA trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Tom\Local Settings\temp\NOD87A.tmp a variant of Win32/TrojanDownloader.Small.PAF trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Tom\Local Settings\temp\nvsvc32.exe Win32/Agent.ROS trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Tom\Local Settings\temp\win16.exe Win32/Agent.ROS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\cmd.exe Win32/Agent.ROS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\debug.exe Win32/Agent.ROS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\login.exe Win32/Agent.ROS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\taskmgr.exe Win32/Agent.ROS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\win16.exe Win32/Agent.ROS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\winamp.exe Win32/Agent.ROS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\drivers\fips.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

${Memory} Win32/Agent.ROS trojan 00000000000000000000000000000000 C

Link to post
Share on other sites

Unfortunately no. I tried in both normal mode and safe mode. MBAM will install but closes after a few seconds of scanning, Combofix will run, update itself, get through step 9 out of 11 and then close and go to the blue screen and give me the access is denied error seven times in a row. I tried hijackthis as well, it closes as soon as the scan is complete.

Is there anything else to try?

Thanks for your help and patience

Link to post
Share on other sites

Download OTL to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Custom Scan box paste this in:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and include them in your next post.

Please include the following in your next post:

  • OTL and Extras logs

Please use Copy/Paste

Link to post
Share on other sites

This is a legit Windows file that in your report shows it's infected with a RootKit.

Don't delete it. Let's see if we can find a good one.

C:\WINDOWS\system32\drivers\fips.sys

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    fips.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Link to post
Share on other sites

1) exeHelper

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Now try SystemLook

Link to post
Share on other sites

SystemLook still won't work, here is the log from exeHelper..

exeHelper by Raktor

Build 20100414

Run at 14:16:58 on 10/21/10

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

Link to post
Share on other sites

Can you do a file search for fips.sys

Make sure you have hidden files and folders viewable.

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Link to post
Share on other sites
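The SystemLook post and the file-search post above both aim at the same thing: finding a clean copy of fips.sys to compare against the one ESET flagged as unable to clean. As an added example, not code from the thread or from SystemLook, this Python script does the comparison those searches would feed by hand: it hashes every copy of the driver in the places XP keeps one (the live driver under system32\drivers, the System File Protection backup in dllcache, the service pack file cache), groups the copies by SHA-256 and reports whether the live copy agrees with any backup. The directory list is an assumption of this example, and the sample tree it builds when WINDIR is not set contains constructed bytes, not real driver code.

```python
import hashlib
import os
import tempfile

# Where Windows XP typically keeps copies of a driver: the live one under
# system32\drivers plus the backups left by System File Protection (dllcache)
# and the service pack installer (ServicePackFiles). Relative to %WINDIR%;
# this list is an assumption of the example.
CANDIDATE_DIRS = [
    ("system32", "drivers"),
    ("system32", "dllcache"),
    ("ServicePackFiles", "i386"),
]


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_copies(windir, name):
    """Map each distinct SHA-256 to the copies of `name` that carry it."""
    by_hash = {}
    for parts in CANDIDATE_DIRS:
        path = os.path.join(windir, *parts, name)
        if os.path.isfile(path):
            by_hash.setdefault(sha256_of(path), []).append(path)
    return by_hash


def report(windir, name):
    """Compare the live driver with its backups.

    agrees_with_backups is True only when at least one backup has the same
    hash as the live file. False means the live copy or the backups have been
    altered; True does not prove the file is clean, because a rootkit that
    patches the live driver can patch the backups too. Always verify the hash
    you settle on against a known-good copy from a clean install of the same
    Windows version and service pack.
    """
    copies = find_copies(windir, name)
    live = os.path.join(windir, "system32", "drivers", name)
    live_hash = sha256_of(live) if os.path.isfile(live) else None
    backups = {h: [p for p in ps if p != live] for h, ps in copies.items()}
    backups = {h: ps for h, ps in backups.items() if ps}
    return {
        "live": live_hash,
        "agrees_with_backups": live_hash is not None and live_hash in backups,
        "copies": copies,
        "backups": backups,
    }


def build_sample_tree():
    """Constructed stand-in for %WINDIR% (file contents are made up): the live
    fips.sys differs from both backups, which is the situation the ESET
    result above describes for the real machine."""
    base = tempfile.mkdtemp(prefix="windir-")
    contents = {
        ("system32", "drivers"): b"MZ constructed: patched driver body",
        ("system32", "dllcache"): b"MZ constructed: original driver body",
        ("ServicePackFiles", "i386"): b"MZ constructed: original driver body",
    }
    for parts, data in contents.items():
        os.makedirs(os.path.join(base, *parts), exist_ok=True)
        with open(os.path.join(base, *parts, "fips.sys"), "wb") as f:
            f.write(data)
    return base


if __name__ == "__main__":
    windir = os.environ.get("WINDIR") or build_sample_tree()
    result = report(windir, "fips.sys")
    print("live copy:", result["live"])
    for h, paths in result["copies"].items():
        print(h[:16] + "...", paths)
    print("live copy matches a backup:", result["agrees_with_backups"])
```

On the infected machine the interesting output is a live hash that no backup shares; the backup copies are the candidates to hand to the helper, together with their hashes, so the one that matches a trusted reference can be copied back over the live driver from outside the running system.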

This topic is now closed to further replies.