Jump to content

Browser link doesn't work, win 32 generic host errors


kate927
 Share

Recommended Posts

Hi, I am in need of some expert help. My desktop browser icon (Explorer 8, windows XP, service pack 3) and others that require an internet connection won't open. I can open the browser through links in C://favorites, but searches will get re-directed and I get frequent win32 generic host services has encountered a problem errors. This began after some infections were detected by ZA extreme security. I downloaded MBAM and it detected one infection. Subsequent scans have shown no infections, but I am still having major problems. Enclosed, are scans required from "I'm infected, what do I do now"? and ZA and MBAM logs. Thanks. Kate

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 21:02:58.40 on Tue 10/05/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.361 [GMT -5:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\providerComcast\bin\tgsrvc.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\hphmon05.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\Program Files\interMute\SpamSubtract\SpamSub.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\Program Files\HP\hpcoretech\comp\hpdarc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/

uSearch Page = hxxp://srch-us10.hpwis.com/

uDefault_Search_URL = hxxp://srch-us10.hpwis.com/

uSearch Bar = hxxp://srch-us10.hpwis.com/

uWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar = hxxp://srch-us10.hpwis.com/

mWindow Title = Microsoft Internet Explorer provided by Comcast

uInternet Settings,ProxyOverride = localhost;*.local

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program

files\google\googletoolbar1.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [RecordNow!]

uRun: [backupNotify] c:\program files\hp\digital imaging\bin\backupnotify.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [MRC] "c:\program files\pc tune-up\PCTuneUp.exe" /MBRSTART

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe

mRun: [HPHmon05] c:\windows\system32\hphmon05.exe

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [LTMSG] LTMSG.exe 7

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

mRun: [sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe

mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server

mRun: [CookiePatrol] c:\progra~1\pestpa~1\CookiePatrol.exe

mRun: [PPMemCheck] c:\progra~1\pestpa~1\PPMemCheck.exe

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRunOnce: [ZAFFRegisterTrustChecker] "c:\windows\system32\regsvr32.exe" -s "c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustChecker.dll"

dRunOnce: [ZAFFRegisterTrustCheckerIE] "c:\windows\system32\regsvr32.exe" -s "c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll"

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\organize.lnk - c:\program files\hewlett-packard\hp organize\bin\displayAgent.exe

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\spamsu~1.lnk - c:\program files\intermute\spamsubtract\SpamSub.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\137903\program\BackWeb-137903.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/

IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/

IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} - hxxp://download.zonelabs.com/bin/free/cm/ICSCM.cab

DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} -

hxxp://download.zonelabs.com/bin/free/cm/ICSCM.cab

DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -

hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============ SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-8-4 128016]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-8-4 317072]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-3-9 528128]

R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-2-12 26352]

R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-2-12 493032]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-10-2 304464]

R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-3 1245064]

R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program

files\providercomcast\bin\tgsrvc.exe [2008-5-2 148768]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-2-12 35568]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-2 20952]

S2 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2010-10-06 01:03:47 0 ----a-w- c:\documents and settings\owner\defogger_reenable

2010-10-05 12:01:16 0 d-----w- c:\windows\system32\XPSViewer

2010-10-05 11:59:59 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-10-05 11:59:59 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-10-05 11:59:59 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-10-05 11:59:59 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-10-05 11:59:59 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-10-05 11:59:59 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-10-05 11:59:59 117760 ------w- c:\windows\system32\prntvpt.dll

2010-10-05 11:59:58 0 d-----w- C:\e9eacf442e6bda2f8d37

c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-02 16:00:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-10-02 16:00:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-02 16:00:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-02 14:39:31 0 d-----w- c:\windows\pss

2010-10-02 09:46:22 827392 ----a-w- c:\windows\system32\FLASH.OCX

2010-10-02 09:46:22 0 d-sh--w- c:\windows\ftpcache

2010-10-01 23:02:10 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-10-06 02:03:33 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-10-06 01:49:34 4116 ----a-w- c:\windows\viassary-hp.reg

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-07-31 23:35:40 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT

2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-07-21 02:22:56 72704 ----a-w- c:\windows\zllsputility.exe

2010-07-21 02:22:46 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2004-07-03 22:36:22 0 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 21:06:11.28 ===============

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4733

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/2/2010 12:52:38 PM

mbam-log-2010-10-02 (12-52-38).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 271935

Time elapsed: 1 hour(s), 44 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4733

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/2/2010 12:52:38 PM

mbam-log-2010-10-02 (12-52-38).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 271935

Time elapsed: 1 hour(s), 44 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attach.txt

2ark.txt

Link to post
Share on other sites

:)

Please don't attach the scan results, use Copy/Paste

Your scan shows 2 anti-virus programs active

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

Please do not delete anything unless instructed to.

1.Click Start > Settings > Control Panel.

2.Next, open Add/Remove Programs and remove either:

ZoneAlarm Extreme Security Antivirus

Norton AntiVirus

Next:

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step

Next:

Please read carefully and follow these steps.

  • Please download
TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
  • Only if Malicious objects are found then ensure Cure is selected
  • Then click Continue > Reboot now

[*]Copy and paste the log in your next reply

[*]A copy of the log will be saved automatically to the root directory, root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

please post the contents of that log TDSSKiller log.

Link to post
Share on other sites

Hi LDTate, thanks for your response. I am puzzled by Norton antivirus being enabled. I uninstalled that at least three years ago. There is no trace of it in Add/Remove programs but there is still a Norton folder in Program Files and it contains one small file. I'd appeciate your advice in solving this. Below are the logs per your instructions. I was able to open my browser from the desktop after TDSKiller found an infection. Thanks for your time. Kate

2010/10/25 19:41:29.0187 TDSS rootkit removing tool 2.4.5.0 Oct 25 2010 09:49:04

2010/10/25 19:41:29.0187 ================================================================================

2010/10/25 19:41:29.0187 SystemInfo:

2010/10/25 19:41:29.0187

2010/10/25 19:41:29.0187 OS Version: 5.1.2600 ServicePack: 3.0

2010/10/25 19:41:29.0187 Product type: Workstation

2010/10/25 19:41:29.0187 ComputerName: YOUR-AT5QGAAC3Z

2010/10/25 19:41:29.0187 UserName: Owner

2010/10/25 19:41:29.0187 Windows directory: C:\WINDOWS

2010/10/25 19:41:29.0187 System windows directory: C:\WINDOWS

2010/10/25 19:41:29.0187 Processor architecture: Intel x86

2010/10/25 19:41:29.0187 Number of processors: 2

2010/10/25 19:41:29.0187 Page size: 0x1000

2010/10/25 19:41:29.0187 Boot type: Normal boot

2010/10/25 19:41:29.0187 ================================================================================

2010/10/25 19:41:29.0953 Initialize success

2010/10/25 19:41:32.0093 ================================================================================

2010/10/25 19:41:32.0093 Scan started

2010/10/25 19:41:32.0093 Mode: Manual;

2010/10/25 19:41:32.0093 ================================================================================

2010/10/25 19:41:38.0062 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/10/25 19:41:38.0140 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/10/25 19:41:38.0265 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/10/25 19:41:38.0375 AegisP (2f7f3e8da380325866e566f5d5ec23d5) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2010/10/25 19:41:38.0468 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/10/25 19:41:38.0578 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys

2010/10/25 19:41:38.0671 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/10/25 19:41:38.0921 ALCXSENS (fbbcb95f677cbaa924140b6ea2d9a97b) C:\WINDOWS\system32\drivers\ALCXSENS.SYS

2010/10/25 19:41:39.0156 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2010/10/25 19:41:39.0578 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys

2010/10/25 19:41:39.0906 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/10/25 19:41:40.0328 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/10/25 19:41:40.0453 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/10/25 19:41:40.0578 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/10/25 19:41:40.0765 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/10/25 19:41:40.0859 BCM42RLY (438179abe9b7a922a21b8d6369ff52ff) C:\WINDOWS\System32\BCM42RLY.SYS

2010/10/25 19:41:40.0968 BCM43XX (ebf36d658d0da5b1ea667fa403919c26) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2010/10/25 19:41:41.0062 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/10/25 19:41:41.0171 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/10/25 19:41:41.0296 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/10/25 19:41:41.0390 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/10/25 19:41:41.0500 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/10/25 19:41:41.0953 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/10/25 19:41:42.0078 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/10/25 19:41:42.0187 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/10/25 19:41:42.0296 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/10/25 19:41:42.0421 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/10/25 19:41:42.0562 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/10/25 19:41:42.0703 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/10/25 19:41:42.0765 fasttx2k (1e580770bdece924494b368ac980749e) C:\WINDOWS\system32\DRIVERS\fasttx2k.sys

2010/10/25 19:41:42.0890 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/10/25 19:41:42.0984 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/10/25 19:41:43.0093 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/10/25 19:41:43.0203 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/10/25 19:41:43.0312 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/10/25 19:41:43.0390 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/10/25 19:41:43.0484 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

2010/10/25 19:41:43.0609 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/10/25 19:41:43.0734 GTNDIS5 (fc80052194d5708254a346568f0e77c0) C:\WINDOWS\system32\GTNDIS5.SYS

2010/10/25 19:41:43.0906 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2010/10/25 19:41:43.0984 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2010/10/25 19:41:44.0046 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2010/10/25 19:41:44.0140 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/10/25 19:41:44.0328 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/10/25 19:41:44.0406 ialm (537efe2f9adcd01073f59e9d3d24164e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2010/10/25 19:41:44.0562 icsak (66793a4cbe9b5aa07882e3f3622f4ffe) C:\Program Files\CheckPoint\ZAForceField\AK\icsak.sys

2010/10/25 19:41:44.0812 IFPUSB (58874c620e6243561589712232f34b12) C:\WINDOWS\system32\Drivers\ifpusb.sys

2010/10/25 19:41:44.0921 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/10/25 19:41:45.0078 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys

2010/10/25 19:41:45.0187 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/10/25 19:41:45.0281 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/10/25 19:41:45.0390 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/10/25 19:41:45.0468 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/10/25 19:41:45.0609 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/10/25 19:41:45.0687 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/10/25 19:41:45.0796 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/10/25 19:41:45.0890 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/10/25 19:41:46.0031 ISWKL (f0dec1fdc2e67aedd8cc00b48eee0d43) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys

2010/10/25 19:41:46.0250 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/10/25 19:41:46.0390 kl1 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\kl1.sys

2010/10/25 19:41:46.0515 KLIF (a11c971434468fa05815eec8228d63fd) C:\WINDOWS\system32\DRIVERS\klif.sys

2010/10/25 19:41:46.0640 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/10/25 19:41:46.0750 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/10/25 19:41:47.0093 ltmodem5 (829ef680a308c12e2a80e5e0da0d958d) C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys

2010/10/25 19:41:47.0218 MBAMProtector (67b48a903430c6d4fb58cbaca1866601) C:\WINDOWS\system32\drivers\mbam.sys

2010/10/25 19:41:47.0312 MCSTRM (5bb01b9f582259d1fb7653c5c1da3653) C:\WINDOWS\system32\drivers\MCSTRM.sys

2010/10/25 19:41:47.0437 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/10/25 19:41:47.0687 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/10/25 19:41:47.0796 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/10/25 19:41:47.0890 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/10/25 19:41:48.0093 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/10/25 19:41:48.0312 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/10/25 19:41:48.0437 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/10/25 19:41:48.0734 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/10/25 19:41:48.0890 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/10/25 19:41:49.0093 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/10/25 19:41:49.0265 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/10/25 19:41:49.0484 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/10/25 19:41:49.0703 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/10/25 19:41:49.0843 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/10/25 19:41:49.0937 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/10/25 19:41:50.0031 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/10/25 19:41:50.0125 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/10/25 19:41:50.0281 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/10/25 19:41:50.0421 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/10/25 19:41:50.0625 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/10/25 19:41:50.0687 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/10/25 19:41:50.0859 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/10/25 19:41:51.0000 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/10/25 19:41:51.0140 nv (694de491fbf0573625ffe6a8a474b7b5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/10/25 19:41:51.0390 nv_agp (01621905ae34bc24aaa2fddb93977299) C:\WINDOWS\system32\DRIVERS\nv_agp.sys

2010/10/25 19:41:51.0468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/10/25 19:41:51.0546 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/10/25 19:41:51.0625 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/10/25 19:41:51.0703 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/10/25 19:41:51.0859 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/10/25 19:41:51.0968 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/10/25 19:41:52.0078 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/10/25 19:41:52.0343 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/10/25 19:41:52.0453 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/10/25 19:41:52.0890 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys

2010/10/25 19:41:53.0062 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/10/25 19:41:53.0156 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/10/25 19:41:53.0281 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys

2010/10/25 19:41:53.0437 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/10/25 19:41:53.0562 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/10/25 19:41:53.0656 PxHelp20 (db3b30c3a4cdcf07e164c14584d9d0f2) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys

2010/10/25 19:41:54.0171 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/10/25 19:41:54.0265 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/10/25 19:41:54.0359 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/10/25 19:41:54.0515 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/10/25 19:41:54.0593 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/10/25 19:41:54.0687 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/10/25 19:41:54.0781 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/10/25 19:41:54.0890 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/10/25 19:41:55.0171 RT61 (581e74880aeb1dba1cb5ac8e6e6c0a69) C:\WINDOWS\system32\DRIVERS\RT61.sys

2010/10/25 19:41:55.0250 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS

2010/10/25 19:41:55.0390 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/10/25 19:41:55.0515 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/10/25 19:41:55.0593 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/10/25 19:41:55.0750 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/10/25 19:41:55.0906 SiS315 (7a363269d1b57526410fa23fc92cdfa1) C:\WINDOWS\system32\DRIVERS\sisgrp.sys

2010/10/25 19:41:56.0000 SISAGP (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys

2010/10/25 19:41:56.0078 SiSkp (7ef8e5c266133638e7e06be03fcbeff3) C:\WINDOWS\system32\DRIVERS\srvkp.sys

2010/10/25 19:41:56.0234 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/10/25 19:41:56.0328 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/10/25 19:41:56.0531 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/10/25 19:41:56.0640 SunkFilt (f658d6420b14bedb49c19e39e7d03594) C:\WINDOWS\System32\Drivers\sunkfilt.sys

2010/10/25 19:41:56.0796 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/10/25 19:41:56.0906 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/10/25 19:41:57.0218 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys

2010/10/25 19:41:57.0359 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/10/25 19:41:57.0484 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/10/25 19:41:57.0578 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/10/25 19:41:57.0671 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/10/25 19:41:57.0781 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/10/25 19:41:57.0968 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/10/25 19:41:58.0125 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/10/25 19:41:58.0281 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/10/25 19:41:58.0390 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/10/25 19:41:58.0484 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/10/25 19:41:58.0609 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/10/25 19:41:58.0703 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/10/25 19:41:58.0781 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/10/25 19:41:58.0890 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/10/25 19:41:58.0984 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/10/25 19:41:59.0046 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/10/25 19:41:59.0156 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys

2010/10/25 19:41:59.0218 viagfx (29d6a65fdc694cb1ef2cc6bbe5f79b3b) C:\WINDOWS\system32\DRIVERS\vtmini.sys

2010/10/25 19:41:59.0296 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys

2010/10/25 19:41:59.0375 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/10/25 19:41:59.0625 vsdatant (7f10c6c385a03f40b07d682bfaa07e2f) C:\WINDOWS\system32\vsdatant.sys

2010/10/25 19:41:59.0937 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/10/25 19:42:00.0046 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys

2010/10/25 19:42:00.0203 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/10/25 19:42:00.0468 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/10/25 19:42:00.0671 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/10/25 19:42:00.0765 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/10/25 19:42:00.0921 {6080A529-897E-4629-A488-ABA0C29B635E} (e6c22d34baef5196e1b23a4492c275b7) C:\WINDOWS\system32\drivers\ialmsbw.sys

2010/10/25 19:42:01.0015 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (6e53bd96b0ebad721cdd6320dbfc3f5f) C:\WINDOWS\system32\drivers\ialmkchw.sys

2010/10/25 19:42:01.0093 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/10/25 19:42:01.0109 ================================================================================

2010/10/25 19:42:01.0109 Scan finished

2010/10/25 19:42:01.0109 ================================================================================

2010/10/25 19:42:01.0140 Detected object count: 1

2010/10/25 19:42:16.0546 \HardDisk0\MBR - will be cured after reboot

2010/10/25 19:42:16.0546 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure

2010/10/25 19:42:32.0250 Deinitialize success

Here is the log from Goored fix also:

GooredFix by jpshortstuff (03.07.10.1)

Log created at 19:38 on 25/10/2010 (Owner)

Firefox version [unable to determine]

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:00 20/12/2008]

"{FFB96CC1-7EB3-449D-B827-DB661701C6BB}"="C:\Program Files\CheckPoint\ZAForceField\TrustChecker" [02:30 17/03/2009]

"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext" [17:18 28/03/2010]

"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [12:03 05/10/2010]

-=E.O.F=-

:)

Please don't attach the scan results, use Copy/Paste

Your scan shows 2 anti-virus programs active

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

Please do not delete anything unless instructed to.

1.Click Start > Settings > Control Panel.

2.Next, open Add/Remove Programs and remove either:

ZoneAlarm Extreme Security Antivirus

Norton AntiVirus

Next:

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step

Next:

Please read carefully and follow these steps.

  • Please download
TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
  • Only if Malicious objects are found then ensure Cure is selected
  • Then click Continue > Reboot now

[*]Copy and paste the log in your next reply

[*]A copy of the log will be saved automatically to the root directory, root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

please post the contents of that log TDSSKiller log.

Link to post
Share on other sites

Thanks for your response. Below is the MBAM log. No redirects, browser is opening and no windows errors.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4950

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/26/2010 8:55:57 AM

mbam-log-2010-10-26 (08-55-57).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)

Objects scanned: 296147

Time elapsed: 1 hour(s), 43 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

I'd really like look deeper.

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Hello, sorry for the slight delay. Work had me away from the computer. I downloaded combofix and the log it generated is pasted below. Thanks for your patience. Kate

ComboFix 10-10-27.A3 - Owner 10/28/2010 18:33:42.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.462 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\ps2.bat

c:\windows\viassary-hp.reg

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IAS

-------\Service_Ias

((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-29 )))))))))))))))))))))))))))))))

.

2010-10-26 03:23 . 2010-10-26 03:23 -------- d-----w- c:\program files\iPod

2010-10-26 03:18 . 2010-10-26 03:18 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin8.dll

2010-10-26 03:18 . 2010-10-26 03:18 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll

2010-10-26 03:18 . 2010-10-26 03:18 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll

2010-10-26 03:18 . 2010-10-26 03:18 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll

2010-10-26 03:18 . 2010-10-26 03:18 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll

2010-10-26 03:18 . 2010-10-26 03:18 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll

2010-10-26 03:18 . 2010-10-26 03:18 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll

2010-10-26 03:18 . 2010-10-26 03:18 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll

2010-10-26 03:18 . 2010-10-26 03:18 -------- d-----w- c:\program files\QuickTime

2010-10-26 03:14 . 2010-10-26 05:20 -------- d-----w- c:\windows\LastGood.Tmp

2010-10-26 03:12 . 2010-10-26 03:12 -------- d-----w- c:\program files\Bonjour

2010-10-24 05:58 . 2009-10-12 23:15 128016 ----a-w- c:\windows\system32\drivers\kl1.sys

2010-10-24 05:57 . 2010-08-29 07:53 69120 ----a-w- c:\windows\system32\zlcomm.dll

2010-10-24 05:57 . 2010-08-29 07:53 103936 ----a-w- c:\windows\system32\zlcommdb.dll

2010-10-24 05:57 . 2010-08-29 07:53 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2010-10-05 12:01 . 2010-10-05 12:01 -------- d-----w- c:\windows\system32\XPSViewer

2010-10-05 12:01 . 2010-10-05 12:01 -------- d-----w- c:\program files\MSBuild

2010-10-05 12:00 . 2010-10-05 12:00 -------- d-----w- c:\program files\Reference Assemblies

2010-10-05 12:00 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-10-05 11:59 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-10-05 11:59 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-10-05 11:59 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-10-05 11:59 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-10-05 11:59 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-10-05 11:59 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-10-05 11:59 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-10-05 11:59 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-10-05 11:59 . 2010-10-05 12:00 -------- d-----w- C:\e9eacf442e6bda2f8d37

2010-10-05 03:12 . 2010-10-05 03:12 -------- d-----w- c:\documents and settings\Owner\Application Data\ElevatedDiagnostics

2010-10-02 16:00 . 2010-10-02 16:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-10-02 16:00 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-02 16:00 . 2010-10-02 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-10-02 16:00 . 2010-10-02 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-02 16:00 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-02 09:46 . 2010-10-02 09:46 827392 ----a-w- c:\windows\system32\FLASH.OCX

2010-10-02 09:46 . 2010-10-02 09:46 -------- d-sh--w- c:\windows\ftpcache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-29 00:14 . 2010-10-29 00:13 3889 ----a-w- c:\windows\viassary-hp.reg

2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-08-29 07:53 . 2009-03-17 02:30 72704 ----a-w- c:\windows\zllsputility.exe

2010-08-17 13:17 . 2004-02-16 18:47 58880 ----a-w- c:\windows\system32\spoolsv.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 32768]

"MRC"="c:\program files\PC Tune-Up\PCTuneUp.exe" [2007-10-12 2435072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LTMSG"="LTMSG.exe 7" [X]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]

"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]

"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-04 221184]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-12-06 3022848]

"nwiz"="nwiz.exe" [2003-12-06 753664]

"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 135168]

"tgcmd"="c:\program files\support.com\bin\tgcmd.exe" [2010-10-26 1544192]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-05-09 53248]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-28 202256]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-08-29 1039360]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ZAFFRegisterTrustChecker"="-s" [X]

"ZAFFRegisterTrustCheckerIE"="-s" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-1-20 28672]

spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSub.exe [2004-1-21 557056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-6-4 36953]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-30 57344]

Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-1-20 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mshta.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2/12/2009 5:12 AM 26352]

R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [2/12/2009 5:12 AM 493032]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/2/2010 11:00 AM 304464]

R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [5/2/2008 1:40 PM 148768]

R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2/12/2009 5:11 AM 35568]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/2/2010 11:00 AM 20952]

S2 Iprip;Iprip;c:\windows\System32\svchost.exe -k netsvcs [2/16/2004 1:47 PM 14336]

S2 mrtRate;mrtRate; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-10-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2010-10-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-979828777-2108097179-356011310-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-10-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-979828777-2108097179-356011310-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.comcast.net/

uDefault_Search_URL = hxxp://srch-us10.hpwis.com/

mSearch Bar = hxxp://srch-us10.hpwis.com/

mWindow Title = Microsoft Internet Explorer provided by Comcast

uInternet Settings,ProxyOverride = localhost;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-RecordNow! - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-10-28 19:14

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

tgcmd = "c:\program files\support.com\bin\tgcmd.exe" /server?cmd.exe" /server

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(708)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'explorer.exe'(3740)

c:\windows\system32\WININET.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

c:\program files\Zone Labs\ZoneAlarm\MailFrontier\mlfhook.dll

c:\windows\system32\nView.dll

c:\windows\system32\nvwddi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(620)

c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\COMMON~1\AOL\ACS\acsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\System32\nvsvc32.exe

c:\windows\wanmpsvc.exe

c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

c:\windows\LTMSG.exe

c:\windows\system32\rundll32.exe

c:\windows\ALCXMNTR.EXE

c:\progra~1\HEWLET~1\HPORGA~1\bin\nda.exe

c:\program files\HP\hpcoretech\comp\hptskmgr.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe

c:\program files\HP\hpcoretech\comp\hpdarc.exe

c:\program files\CheckPoint\ZAForceField\ISWMGR.exe

c:\program files\CheckPoint\ZAForceField\ISWMGR.exe

.

**************************************************************************

.

Completion time: 2010-10-28 19:39:19 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-29 00:38

Pre-Run: 154,734,940,160 bytes free

Post-Run: 160,296,005,632 bytes free

- - End Of File - - EBAA33CD9F5A6B499EEA819A7861D6E3

Link to post
Share on other sites

Hi LDTate. My computer seems to be fine. I'm not observing any of the previous problems, and it seems to be running faster. Do you think it's clean? I'm hesitant now to do anything requiring personal information like banking and shopping after experiencing this. Thanks, Kate

Link to post
Share on other sites

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Link to post
Share on other sites

Thanks so much. I downloaded a lot of tools: Defogger, GMER, Gooredfix and TDSkiller. Any special instructions in uninstalling these or restoring any changed settings? I really appreciate your help and I will surely drop something in the tip jar. Thanks again. Kate

Link to post
Share on other sites

You can delete them all. Defogger, GMER, Gooredfix and TDSkiller

Make sure you do this before removing Defogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.