Jump to content

Antivirus 8 issues


Recommended Posts

So thanks in advance for your help...So this all started a few days ago when my roommate told me the computer kept popping up an rogue antivirus program trying to get him to buy..I new it was a hoax so immediately went to bleeping computer and saw MBAM should have gotten rid of the Antivirus 8.

I downloaded it and ran the full scan which took hours...in the morning the scan revealed 14 infected objects and i fixed the issues...I tryed to log into IE8 to make sure the computer was up to date on all . ie8 allowed me to go to google but the moment i tried going to Norton.com my browser was hijacked and I was sent to antimalwarelist.com and prompted to click to fix the issue...

I reran MBAM but nothing came up...i loaded kaspersky anti virus tool and after two LONG scans(and one delete session) I fixed quite a few issues but a trojan kept appearing(albiet in my symantic Crypt) Kaspersky said it could only delete or skip the trojan... before the second scan I used an old hijackthis and removed a few items i knew didn't belong(It was after a few glasses of wine so I hope I didnt hurt anything and can't tell you what they were:in my defense i did google all the said items and knew they were malicious before any deletions)

I had to finally stop the second scan after 16hrs of it not finishing.

My computer browser is now letting me access the internet with no problems but I'm worried that I haven't cleaned my computer completely.. I have updated my symantic EP

While starting my post to do list I will noe that defogger NEVER prompted me to restart..I just restarted after a few minutes of no prompts. when I rebooted i tried again but once again was not prompted for the reboot so I just continued...during the 1st GMER scan you see on my log I had an abnormal termination: I got a blue screen telling me i should get rid of any new software...i ignored and tried again and provide my log below.

here are my logs

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5076

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/8/2010 4:16:30 PM

mbam-log-2010-11-08 (16-16-30).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 258116

Time elapsed: 1 hour(s), 21 minute(s), 32 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 12

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 7

Files Infected: 8

Memory Processes Infected:

C:\Program Files\AV8\av8.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{150ea8e7-a97c-4816-ad02-4865eef8c5ff} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\winantispyware 2007 (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av8 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\Compaq_Owner\Application Data\Error Safe Free (Rogue.Errorsafe) -> Quarantined and deleted successfully.

C:\Documents and Settings\Compaq_Owner\Application Data\Error Safe Free\Logs (Rogue.Errorsafe) -> Quarantined and deleted successfully.

C:\Documents and Settings\Compaq_Owner\Application Data\SystemDoctor (Rogue.SystemDoctor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Compaq_Owner\Application Data\SystemDoctor\Logs (Rogue.SystemDoctor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Compaq_Owner\Application Data\SystemDoctor Free (Rogue.SystemDoctor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Compaq_Owner\Application Data\SystemDoctor Free\Logs (Rogue.SystemDoctor) -> Quarantined and deleted successfully.

C:\Program Files\AV8 (Rogue.Antivirus8) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\AV8\av8.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Compaq_Owner\Application Data\Error Safe Free\Logs\update.log (Rogue.Errorsafe) -> Quarantined and deleted successfully.

C:\Documents and Settings\Compaq_Owner\Application Data\SystemDoctor\activator_info.txt (Rogue.SystemDoctor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Compaq_Owner\Application Data\SystemDoctor\Logs\Activate.log (Rogue.SystemDoctor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Compaq_Owner\Application Data\SystemDoctor\Logs\update.log (Rogue.SystemDoctor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Compaq_Owner\Application Data\SystemDoctor Free\Logs\update.log (Rogue.SystemDoctor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Desktop\Antivirus8.LNK (Rogue.Antivirus8) -> Quarantined and deleted successfully.

C:\Documents and Settings\Compaq_Owner\Desktop\Antivirus8.LNK (Rogue.Antivirus8) -> Quarantined and deleted successfullly.

DDS REPORT:

DDS (Ver_10-11-09.01) - NTFSx86

Run by Compaq_Owner at 17:18:37.26 on Tue 11/09/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.666 [GMT -6:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mSearchAssistant = hxxp://www.google.com/ie

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab

DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} - hxxp://host.oddcast.com/hostClientIE.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yuplapp.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} - hxxp://zone.msn.com/bingame/zpagames/zpa_wof.cab34501.cab

DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} - hxxp://webcamnow.com/fs5/ax/ActiveXWebCam.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab35645.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://chat.msn.com/controls/msnchat45.cab

Filter: text/html - {4aba6444-93f8-48f7-8924-67a4a878ba7d} -

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-7-30 55152]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-9-11 2436536]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-7 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101108.022\NAVENG.SYS [2010-11-8 86064]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101108.022\NAVEX15.SYS [2010-11-8 1371184]

R3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2005-10-14 91830]

S2 gupdate1c9b4ecbc609ea0;Google Update Service (gupdate1c9b4ecbc609ea0);c:\program files\google\update\GoogleUpdate.exe [2009-4-4 133104]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

=============== Created Last 30 ================

2010-11-08 22:57:11 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-08 22:57:11 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2010-11-07 09:17:42 -------- d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes

2010-11-07 09:17:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-07 09:17:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-07 09:17:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-07 09:17:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-11-07 08:13:54 -------- d-----w- c:\program files\Bonjour

2010-10-23 02:20:19 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-23 02:20:17 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-10-23 02:19:17 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 08:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 17:19:34.65 ===============

my GMER Log File:

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-11-09 22:15:48

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 ST380013AS rev.3.20

Running: br87f1uz.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\kgtyiuow.sys

---- System - GMER 1.0.15 ----

SSDT 8A4AC498 ZwAlertResumeThread

SSDT 8A4C9288 ZwAlertThread

SSDT 89E8B7A0 ZwAllocateVirtualMemory

SSDT 89E83910 ZwConnectPort

SSDT 8A49AE98 ZwCreateMutant

SSDT 8A40D988 ZwCreateThread

SSDT 8A490E98 ZwFreeVirtualMemory

SSDT 89EA46B8 ZwImpersonateAnonymousToken

SSDT 8A4C7658 ZwImpersonateThread

SSDT 89DFAE88 ZwMapViewOfSection

SSDT 89EA4228 ZwOpenEvent

SSDT 89EB50E8 ZwOpenProcessToken

SSDT 89B7E368 ZwOpenThreadToken

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xBA7936A0]

SSDT 89EB5FD0 ZwResumeThread

SSDT 89EAC0B0 ZwSetContextThread

SSDT 89DF4950 ZwSetInformationProcess

SSDT 89B81790 ZwSetInformationThread

SSDT 89EA30F8 ZwSuspendProcess

SSDT 8A51E5A0 ZwSuspendThread

SSDT 89EB5E58 ZwTerminateProcess

SSDT 89EA6FD0 ZwTerminateThread

SSDT 89EB50B0 ZwUnmapViewOfSection

SSDT 89BF8E98 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 238 804E28A4 4 Bytes CALL 46D813F9

.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 8 Bytes JMP 51E5A089

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Am I OK now? the last thread i was reading had the guy using combofix to fix the whole thing which is WAY beyond my comfort zone so here I am...help?

Cellarmaster~

Attach.zip

Link to post
Share on other sites

:lol:

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

Link to post
Share on other sites

Thanks for your help LDTate

I followed your instructions and nothing interesting happened...here's the scan

2010/11/11 08:46:50.0171 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22

2010/11/11 08:46:50.0171 ================================================================================

2010/11/11 08:46:50.0171 SystemInfo:

2010/11/11 08:46:50.0171

2010/11/11 08:46:50.0171 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/11 08:46:50.0171 Product type: Workstation

2010/11/11 08:46:50.0171 ComputerName: **********

2010/11/11 08:46:50.0171 UserName: Compaq_Owner

2010/11/11 08:46:50.0171 Windows directory: C:\WINDOWS

2010/11/11 08:46:50.0171 System windows directory: C:\WINDOWS

2010/11/11 08:46:50.0171 Processor architecture: Intel x86

2010/11/11 08:46:50.0171 Number of processors: 1

2010/11/11 08:46:50.0171 Page size: 0x1000

2010/11/11 08:46:50.0171 Boot type: Normal boot

2010/11/11 08:46:50.0171 ================================================================================

2010/11/11 08:46:50.0515 Initialize success

2010/11/11 08:46:54.0078 ================================================================================

2010/11/11 08:46:54.0078 Scan started

2010/11/11 08:46:54.0078 Mode: Manual;

2010/11/11 08:46:54.0078 ================================================================================

2010/11/11 08:46:55.0953 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/11/11 08:46:56.0000 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/11/11 08:46:56.0062 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/11/11 08:46:56.0140 AegisP (f498fd605c08404b20a48954c722ff74) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2010/11/11 08:46:56.0203 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/11/11 08:46:56.0296 AgereSoftModem (029e01cb2938bec5af31bf47b6af0159) C:\WINDOWS\system32\DRIVERS\AGRSM.sys

2010/11/11 08:46:56.0453 ALCXSENS (fbbcb95f677cbaa924140b6ea2d9a97b) C:\WINDOWS\system32\drivers\ALCXSENS.SYS

2010/11/11 08:46:56.0515 ALCXWDM (45bf4e8d77d700ff54d6d1097750f64e) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2010/11/11 08:46:56.0640 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys

2010/11/11 08:46:56.0734 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/11/11 08:46:56.0859 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/11/11 08:46:56.0890 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/11/11 08:46:56.0953 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/11/11 08:46:57.0000 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/11/11 08:46:57.0062 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/11/11 08:46:57.0140 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/11/11 08:46:57.0203 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2010/11/11 08:46:57.0343 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/11/11 08:46:57.0390 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/11/11 08:46:57.0421 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/11/11 08:46:57.0515 COH_Mon (6186b6b953bdc884f0f379b84b3e3a98) C:\WINDOWS\system32\Drivers\COH_Mon.sys

2010/11/11 08:46:57.0640 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/11/11 08:46:57.0718 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/11/11 08:46:57.0796 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/11/11 08:46:57.0859 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/11/11 08:46:57.0906 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/11/11 08:46:57.0968 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/11/11 08:46:58.0156 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

2010/11/11 08:46:58.0218 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

2010/11/11 08:46:58.0406 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/11/11 08:46:58.0453 fasttx2k (1e580770bdece924494b368ac980749e) C:\WINDOWS\system32\DRIVERS\fasttx2k.sys

2010/11/11 08:46:58.0500 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/11/11 08:46:58.0546 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/11/11 08:46:58.0593 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/11/11 08:46:58.0625 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/11/11 08:46:58.0687 fssfltr (960f5e5e4e1f720465311ac68a99c2df) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys

2010/11/11 08:46:58.0750 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/11/11 08:46:58.0796 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/11/11 08:46:58.0859 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2010/11/11 08:46:58.0937 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/11/11 08:46:58.0968 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/11/11 08:46:59.0015 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/11/11 08:46:59.0109 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/11/11 08:46:59.0218 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/11/11 08:46:59.0312 ialm (0acebb31989cbf9a5663fe4a33d28d21) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2010/11/11 08:46:59.0375 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/11/11 08:46:59.0578 IntcAzAudAddService (44792ccbc7b41b42ec068c6416d17de1) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2010/11/11 08:46:59.0687 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/11/11 08:46:59.0718 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/11/11 08:46:59.0765 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/11/11 08:46:59.0828 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/11/11 08:46:59.0875 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/11/11 08:46:59.0906 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/11/11 08:46:59.0937 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/11/11 08:46:59.0984 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/11/11 08:47:00.0031 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/11/11 08:47:00.0062 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/11/11 08:47:00.0109 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/11/11 08:47:00.0140 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/11/11 08:47:00.0234 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/11/11 08:47:00.0281 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/11/11 08:47:00.0312 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/11/11 08:47:00.0390 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/11/11 08:47:00.0421 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/11/11 08:47:00.0484 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/11/11 08:47:00.0562 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/11/11 08:47:00.0609 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/11/11 08:47:00.0656 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/11/11 08:47:00.0703 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/11/11 08:47:00.0734 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/11/11 08:47:00.0765 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/11/11 08:47:00.0812 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2010/11/11 08:47:00.0859 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/11/11 08:47:00.0906 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2010/11/11 08:47:01.0125 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101110.021\NAVENG.SYS

2010/11/11 08:47:01.0203 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101110.021\NAVEX15.SYS

2010/11/11 08:47:01.0375 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/11/11 08:47:01.0421 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2010/11/11 08:47:01.0468 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/11/11 08:47:01.0515 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/11/11 08:47:01.0546 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/11/11 08:47:01.0609 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/11/11 08:47:01.0640 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/11/11 08:47:01.0687 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/11/11 08:47:01.0734 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/11/11 08:47:01.0765 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/11/11 08:47:01.0812 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/11/11 08:47:01.0906 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/11/11 08:47:01.0937 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/11/11 08:47:01.0968 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/11/11 08:47:02.0031 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/11/11 08:47:02.0109 P0630VID (68cb569ede9cfb3b0bf17966428df025) C:\WINDOWS\system32\DRIVERS\P0630Vid.sys

2010/11/11 08:47:02.0140 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/11/11 08:47:02.0171 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/11/11 08:47:02.0218 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/11/11 08:47:02.0250 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/11/11 08:47:02.0328 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/11/11 08:47:02.0359 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/11/11 08:47:02.0578 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/11/11 08:47:02.0609 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/11/11 08:47:02.0671 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys

2010/11/11 08:47:02.0703 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/11/11 08:47:02.0750 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/11/11 08:47:02.0796 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/11/11 08:47:02.0937 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/11/11 08:47:02.0984 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/11/11 08:47:03.0015 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/11/11 08:47:03.0062 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/11/11 08:47:03.0093 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/11/11 08:47:03.0125 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/11/11 08:47:03.0187 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/11/11 08:47:03.0218 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/11/11 08:47:03.0281 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS

2010/11/11 08:47:03.0406 SbcpHid (aaf28ab6effd8990bfe20398e92f101e) C:\WINDOWS\system32\Drivers\SbcpHid.sys

2010/11/11 08:47:03.0500 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/11/11 08:47:03.0609 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/11/11 08:47:03.0656 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/11/11 08:47:03.0718 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/11/11 08:47:03.0828 SiS315 (7467e510c81b19a6b590a3868f499b23) C:\WINDOWS\system32\DRIVERS\sisgrp.sys

2010/11/11 08:47:03.0859 SISAGP (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys

2010/11/11 08:47:03.0890 SiSkp (14ed728e44b0e7a169217127d8510ca9) C:\WINDOWS\system32\DRIVERS\srvkp.sys

2010/11/11 08:47:03.0921 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/11/11 08:47:04.0000 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS

2010/11/11 08:47:04.0203 SPBBCDrv (77780509a16a1df7f2d8531d21ddb9b9) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

2010/11/11 08:47:04.0265 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/11 08:47:04.0328 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/11 08:47:04.0359 SRTSP (5e4985a84f13abf5727bed3c50bd7031) C:\WINDOWS\system32\Drivers\SRTSP.SYS

2010/11/11 08:47:04.0421 SRTSPL (8117dca2cdf9d11c441c473dc9631655) C:\WINDOWS\system32\Drivers\SRTSPL.SYS

2010/11/11 08:47:04.0468 SRTSPX (5e89104af0dc94b659ea8ec3e66c3eeb) C:\WINDOWS\system32\Drivers\SRTSPX.SYS

2010/11/11 08:47:04.0546 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/11 08:47:04.0625 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/11/11 08:47:04.0671 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/11 08:47:04.0703 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/11 08:47:04.0812 SYMDNS (bfb08010de58edf425c001f5a1241ede) C:\WINDOWS\System32\Drivers\SYMDNS.SYS

2010/11/11 08:47:04.0843 SymEvent (e03ee3ef1037099554d17bed99545a5e) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

2010/11/11 08:47:04.0890 SYMFW (b1dce877daa26e4bdbf2343a6cd29e6b) C:\WINDOWS\System32\Drivers\SYMFW.SYS

2010/11/11 08:47:04.0937 SYMIDS (653ecfcb1c95b028ff507b6ed1b8dc14) C:\WINDOWS\System32\Drivers\SYMIDS.SYS

2010/11/11 08:47:04.0968 SYMNDIS (5cf66c01093f2bcfcfc8fce2a47853ab) C:\WINDOWS\System32\Drivers\SYMNDIS.SYS

2010/11/11 08:47:05.0015 SYMREDRV (be3c117150c055e50a4caf23e548c856) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

2010/11/11 08:47:05.0078 SYMTDI (7b0af4e22b32f8c5bfba5a5d53522160) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

2010/11/11 08:47:05.0203 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/11 08:47:05.0296 SysPlant (f993e24ebbef8e9626fbea12a6b739f2) C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys

2010/11/11 08:47:05.0375 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/11 08:47:05.0484 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/11 08:47:05.0531 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/11 08:47:05.0609 Teefer2 (62f7d6e6f7f4ee9e300ed9a945534486) C:\WINDOWS\system32\DRIVERS\teefer2.sys

2010/11/11 08:47:05.0671 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/11 08:47:05.0765 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/11 08:47:05.0859 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/11 08:47:05.0937 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys

2010/11/11 08:47:05.0968 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/11 08:47:06.0031 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/11 08:47:06.0078 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/11/11 08:47:06.0109 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/11/11 08:47:06.0171 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/11/11 08:47:06.0203 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/11 08:47:06.0250 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/11/11 08:47:06.0296 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/11/11 08:47:06.0343 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys

2010/11/11 08:47:06.0390 viagfx (19bba101cb87d18ff04e7f24e1792ab0) C:\WINDOWS\system32\DRIVERS\vtmini.sys

2010/11/11 08:47:06.0437 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/11/11 08:47:06.0468 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/11/11 08:47:06.0531 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/11/11 08:47:06.0593 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys

2010/11/11 08:47:06.0656 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/11/11 08:47:06.0781 WPS (e5788aeeb08055e006d5074adfa5e1e8) C:\WINDOWS\system32\drivers\wpsdrvnt.sys

2010/11/11 08:47:06.0828 WpsHelper (ff983a25ae6f7d3f87f26bf51f02a201) C:\WINDOWS\system32\drivers\WpsHelper.sys

2010/11/11 08:47:06.0859 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/11/11 08:47:06.0937 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/11/11 08:47:06.0968 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/11/11 08:47:07.0046 WUSB54GPV4SRV (18eeb910627ddaf40f822966f887bad8) C:\WINDOWS\system32\DRIVERS\rt2500usb.sys

2010/11/11 08:47:07.0140 ================================================================================

2010/11/11 08:47:07.0140 Scan finished

2010/11/11 08:47:07.0140 ================================================================================

:D

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

Link to post
Share on other sites

Run a new MBAM scan

So here is the log...my roommate cllosed MBAM so im not sure what action he took on the three issues...i opened MBAM and the three objects are in quarantine...should I delete them?

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5096

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/11/2010 10:34:14 PM

mbam-log-2010-11-11 (22-34-14).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 248018

Time elapsed: 1 hour(s), 12 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

well its running much better...i ran a new scan and had two objects infected...my Symantec Endpoint protection also quarantined 15ish trojans yesterday afternoon during its routine inspection....?

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5109

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/14/2010 11:18:00 AM

mbam-log-2010-11-14 (11-18-00).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 248014

Time elapsed: 1 hour(s), 21 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Thanks for being patient with me, sorry abut the delay, here's the combo fix report:

ComboFix 10-11-18.01 - Compaq_Owner 11/18/2010 15:43:18.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.821 [GMT -6:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Compaq_Owner\Application Data\DriveCleaner Free

c:\documents and settings\Compaq_Owner\Application Data\DriveCleaner Free\Logs\update.log

c:\documents and settings\Compaq_Owner\Application Data\DriveCleaner

c:\documents and settings\Compaq_Owner\Application Data\DriveCleaner\activator_info.txt

c:\documents and settings\Compaq_Owner\Application Data\DriveCleaner\Logs\Activate.log

c:\documents and settings\Compaq_Owner\Application Data\DriveCleaner\Logs\update.log

c:\documents and settings\Compaq_Owner\err.log

c:\documents and settings\Compaq_Owner\ResErrors.log

c:\program files\Common Files\asks~1

c:\program files\Common Files\curity~1

c:\program files\Common Files\dobe~1

c:\program files\Common Files\fnts~1

c:\program files\Common Files\mcroso~1

c:\program files\Common Files\ppatch~1

c:\program files\Common Files\ssembl~1

c:\program files\Common Files\wnsxs~1

c:\program files\dobe~1

c:\program files\ecurit~1

c:\program files\icroso~1.net

c:\program files\mcroso~1

c:\program files\racle~1

c:\program files\Shared

c:\program files\sstem3~1

c:\program files\ystem3~1

c:\windows\appatc~1

c:\windows\asembl~1

c:\windows\crosof~1

c:\windows\dobe~1

c:\windows\racle~1

c:\windows\sks~1

c:\windows\sstem~1

c:\windows\sstem3~1

c:\windows\stem~1

c:\windows\stem32~1

c:\windows\system32\crosof~1.net

c:\windows\system32\dobe~1

c:\windows\system32\fnts~1

c:\windows\system32\icroso~1

c:\windows\system32\sembly~1

c:\windows\system32\sks~1

c:\windows\system32\sstem~1

c:\windows\system32\stem32~1

c:\windows\system32\stera.log

c:\windows\system32\ymante~1

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FOPN

((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))

.

2010-11-08 22:57 . 2010-09-15 10:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2010-11-08 22:57 . 2010-09-15 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-07 09:51 . 2010-11-07 09:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-11-07 09:29 . 2010-11-07 09:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-11-07 09:28 . 2010-11-07 09:28 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-11-07 09:17 . 2010-11-07 09:17 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes

2010-11-07 09:17 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-07 09:17 . 2010-11-07 09:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-07 09:17 . 2010-11-07 09:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-07 09:17 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-07 08:21 . 2010-11-07 08:22 -------- d-----w- c:\program files\QuickTime

2010-11-07 08:13 . 2010-11-07 08:13 -------- d-----w- c:\program files\Bonjour

2010-10-23 02:20 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-23 02:20 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-10-23 02:19 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 17:23 . 2004-08-29 18:21 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-08-29 18:21 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2004-08-29 18:21 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2004-08-29 18:21 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 08:29 . 2009-02-15 04:46 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-11 04:32 . 2008-06-20 06:12 167936 ----a-w- c:\windows\system32\drivers\WpsHelper.sys

2010-09-10 05:58 . 2004-08-29 18:24 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2004-08-29 18:21 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2004-08-29 18:21 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2004-08-29 19:09 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2004-08-29 18:24 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2004-08-29 18:24 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2004-08-29 18:23 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2004-08-29 18:23 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-04-17 03:24 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2004-08-29 18:20 617472 ----a-w- c:\windows\system32\comctl32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]

"SoundMan"="SOUNDMAN.EXE" [2005-04-07 90112]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-14 172032]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-14 49152]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^bios.exe]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\bios.exe

backup=c:\windows\pss\bios.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^My_Love.exe]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\My_Love.exe

backup=c:\windows\pss\My_Love.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk

backup=c:\windows\pss\NaturalColorLoad.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^NaturalColorLoad.lnk]

path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\NaturalColorLoad.lnk

backup=c:\windows\pss\NaturalColorLoad.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/7/2010 10:55 PM 102448]

R3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [10/14/2005 8:47 PM 91830]

S2 gupdate1c9b4ecbc609ea0;Google Update Service (gupdate1c9b4ecbc609ea0);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2009 12:15 AM 133104]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 6:32 PM 23888]

.

Contents of the 'Scheduled Tasks' folder

2010-11-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-04 06:15]

2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-04 06:15]

2007-07-07 c:\windows\Tasks\System Restore.job

- c:\windows\system32\Restore\rstrui.exe [2004-08-29 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)

SafeBoot-Symantec Antvirus

AddRemove-AOLAntivirus - c:\program files\mcafee.com\antivirus\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-18 15:56

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5932)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe

c:\windows\SOUNDMAN.EXE

c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

.

**************************************************************************

.

Completion time: 2010-11-18 16:00:23 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-18 22:00

Pre-Run: 41,909,006,336 bytes free

Post-Run: 42,263,232,512 bytes free

- - End Of File - - 4A6E659DE2F5FDB79D26B82F4D118B04

Link to post
Share on other sites

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\documents and settings\All Users\Start Menu\Programs\Startup\bios.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\My_Love.exe
c:\windows\pss\bios.exe
c:\windows\pss\My_Love.exe


Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^bios.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^My_Love.exe]

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.