Jump to content

"address has been blocked" by nod32 help!!!


pelegrinu
 Share

Recommended Posts

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Versiunea bazei de date: 5176

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

11/23/2010 7:39:48 PM

mbam-log-2010-11-23 (19-39-48).txt

Modul de scanare: Scanare rapida

Obiecte scanate: 144403

Timp trecut: 6 minute, 11 secunde

Procese din Memorie Infectate: 0

Module de Memorie Infectate: 0

Chei de Registru Infectate: 16

Valori de Registru Infectate: 3

Date din Registru Infectate: 3

Foldere Infectate: 0

Fisiere Infectate: 5

Procese din Memorie Infectate:

(Nu au fost detectate obiecte malicioase)

Module de Memorie Infectate:

(Nu au fost detectate obiecte malicioase)

Chei de Registru Infectate:

HKEY_CLASSES_ROOT\funwebproductsinstaller.start (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproductsinstaller.start.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{1d4db7d1-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{1d4db7d3-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{1d4db7d0-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\C8H1KKCTZV (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Nvchost (Trojan.Goldun) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\HJRUDZ5DT2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Valori de Registru Infectate:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hjrudz5dt2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Date din Registru Infectate:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Foldere Infectate:

(Nu au fost detectate obiecte malicioase)

Fisiere Infectate:

C:\Documents and Settings\Pelegrin\Local Settings\Temp\Jkv.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Pelegrin\Application Data\scgdfgasfbh.bat (Malware.Trace) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Hello ,

And -_- My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:

    [*]Save it to your desktop.

    [*]Double click on the otlDesktopIcon.png icon on your desktop.

    [*]Click the "Scan All Users" checkbox.

    [*]Push the Quick Scan button.

    [*]Two reports will open, copy and paste them in a reply here:

    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please Download Rootkit Unhooker Save it to your desktop.

  • extract RKUnhooker to your desktop
    • Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
      you can get a free one from here -
    http://www.7-zip.org/

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

Link to post
Share on other sites

Hello ,

And -_- My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:

    [*]Save it to your desktop.

    [*]Double click on the otlDesktopIcon.png icon on your desktop.

    [*]Click the "Scan All Users" checkbox.

    [*]Push the Quick Scan button.

    [*]Two reports will open, copy and paste them in a reply here:

    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please Download Rootkit Unhooker Save it to your desktop.

  • extract RKUnhooker to your desktop
    • Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
      you can get a free one from here -
    http://www.7-zip.org/

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

OTL logfile created on: 11/25/2010 7:15:30 PM - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Pelegrin\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 19.53 Gb Total Space | 8.99 Gb Free Space | 46.02% Space Free | Partition Type: NTFS

Drive D: | 154.75 Gb Total Space | 61.09 Gb Free Space | 39.48% Space Free | Partition Type: NTFS

Drive F: | 58.59 Gb Total Space | 43.18 Gb Free Space | 73.70% Space Free | Partition Type: NTFS

Computer Name: PELEGRIN-3602FE | User Name: Pelegrin | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/25 19:14:39 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pelegrin\Desktop\OTL.exe

PRC - [2010/10/28 16:30:57 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2010/10/12 08:50:52 | 002,346,496 | ---- | M] () -- D:\BARDIWIN\bainfoc.exe

PRC - [2010/09/25 16:45:22 | 000,328,056 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe

PRC - [2010/08/18 18:34:23 | 006,628,864 | ---- | M] (Sybase, Inc.) -- D:\TECDOC_CD\4_2010\pb\tof.exe

PRC - [2010/06/30 22:19:10 | 000,356,352 | ---- | M] (Transaction Software, D 81829 Munich) -- D:\TECDOC_CD\4_2010\db\tbmux32.exe

PRC - [2010/06/30 22:19:08 | 002,457,600 | ---- | M] (Transaction Software, D 81829 Munich) -- D:\TECDOC_CD\4_2010\db\tbkern32.exe

PRC - [2009/10/20 13:59:18 | 000,111,928 | ---- | M] (SweetIM Technologies Ltd.) -- C:\Program Files\SweetIM\Messenger\SweetIM.exe

PRC - [2008/07/01 08:01:04 | 001,447,168 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe

PRC - [2007/12/21 07:21:16 | 000,468,224 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe

PRC - [2007/04/03 18:50:00 | 001,603,152 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE

PRC - [2007/02/04 11:02:14 | 000,079,400 | ---- | M] (Nuance Communications, Inc.) -- F:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe

PRC - [2006/11/27 15:44:48 | 000,135,221 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

PRC - [2006/11/27 15:44:26 | 000,065,593 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

PRC - [2006/04/13 14:14:26 | 000,020,543 | ---- | M] (Apache Software Foundation) -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe

PRC - [2004/08/03 23:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010/11/25 19:14:39 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Pelegrin\Desktop\OTL.exe

MOD - [2009/10/20 13:59:02 | 000,023,864 | ---- | M] (SweetIM Technologies Ltd.) -- C:\Program Files\SweetIM\Messenger\mgAdaptersProxy.dll

MOD - [2007/02/05 08:29:04 | 000,139,264 | ---- | M] (Nuance Communications, Inc.) -- F:\Program Files\ScanSoft\OmniPageSE4\OpHookSE4.dll

MOD - [2006/07/11 18:35:38 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\Program Files\SweetIM\Messenger\msvcr71.dll

MOD - [2004/08/03 23:57:02 | 001,050,624 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)

SRV - [2010/06/30 22:19:10 | 000,356,352 | ---- | M] (Transaction Software, D 81829 Munich) [Auto | Running] -- D:\TECDOC_CD\4_2010\db\tbmux32.exe -- (Transbase TECDOC CD 4_2010 Service)

SRV - [2008/07/01 08:08:00 | 000,019,200 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)

SRV - [2007/12/21 07:21:16 | 000,468,224 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)

SRV - [2006/11/27 15:44:48 | 000,135,221 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe -- (nSvcIp)

SRV - [2006/11/27 15:44:26 | 000,065,593 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe -- (nSvcLog)

SRV - [2006/04/13 14:14:26 | 000,020,543 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe -- (ForcewareWebInterface)

========== Driver Services (SafeList) ==========

DRV - [2010/05/01 12:32:18 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)

DRV - [2008/11/23 11:23:04 | 000,097,792 | ---- | M] (T0r0 2008) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\NSHE.SYS -- (NSHE)

DRV - [2008/07/01 08:04:38 | 000,054,280 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)

DRV - [2008/07/01 08:04:36 | 000,030,728 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)

DRV - [2008/07/01 08:04:34 | 000,071,688 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)

DRV - [2008/07/01 07:57:14 | 000,053,256 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\easdrv.sys -- (easdrv)

DRV - [2008/07/01 07:56:22 | 000,039,944 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)

DRV - [2007/10/16 17:38:30 | 004,615,168 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2006/11/27 10:33:54 | 000,019,968 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)

DRV - [2006/11/27 10:33:50 | 000,058,368 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)

DRV - [2006/11/22 09:01:48 | 000,693,760 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)

DRV - [2006/10/31 08:35:00 | 003,964,256 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)

DRV - [2006/10/18 10:31:38 | 000,105,472 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)

DRV - [2005/03/16 08:23:54 | 000,013,696 | R--- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BIOS.sys -- (BIOS)

DRV - [2005/01/07 16:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1409082233-113007714-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =

IE - HKU\S-1-5-21-1409082233-113007714-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKU\S-1-5-21-1409082233-113007714-1801674531-1003\..\URLSearchHook: {a2e40772-4e84-4066-b8f1-f96c4eedbd93} - C:\Program Files\Seve_Tv\tbSev2.dll (Conduit Ltd.)

IE - HKU\S-1-5-21-1409082233-113007714-1801674531-1003\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - Reg Error: Key error. File not found

IE - HKU\S-1-5-21-1409082233-113007714-1801674531-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

IE - HKU\S-1-5-21-1409082233-113007714-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"

FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"

FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"

FF - prefs.js..browser.search.param.yahoo-type: "${8}"

FF - prefs.js..browser.search.selectedEngine: "Google"

FF - prefs.js..browser.startup.homepage: "http://www.google.ro/"

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=ffds1&p="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/29 08:42:03 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/28 16:31:00 | 000,000,000 | ---D | M]

[2010/02/13 15:37:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pelegrin\Application Data\Mozilla\Extensions

[2010/11/25 12:44:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pelegrin\Application Data\Mozilla\Firefox\Profiles\ddbd1e6q.default\extensions

[2010/07/31 07:26:21 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Pelegrin\Application Data\Mozilla\Firefox\Profiles\ddbd1e6q.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2010/11/25 12:44:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/05/11 19:39:27 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

[2010/08/07 07:12:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

[2010/11/07 13:01:53 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

[2010/01/16 03:24:43 | 000,001,179 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipediaro.xml

O1 HOSTS File: ([2001/08/23 14:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)

O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)

O2 - BHO: (Seve Tv Toolbar) - {a2e40772-4e84-4066-b8f1-f96c4eedbd93} - C:\Program Files\Seve_Tv\tbSev2.dll (Conduit Ltd.)

O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)

O3 - HKLM\..\Toolbar: (Seve Tv Toolbar) - {a2e40772-4e84-4066-b8f1-f96c4eedbd93} - C:\Program Files\Seve_Tv\tbSev2.dll (Conduit Ltd.)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O3 - HKU\S-1-5-21-1409082233-113007714-1801674531-1003\..\Toolbar\ShellBrowser: (Seve Tv Toolbar) - {A2E40772-4E84-4066-B8F1-F96C4EEDBD93} - C:\Program Files\Seve_Tv\tbSev2.dll (Conduit Ltd.)

O3 - HKU\S-1-5-21-1409082233-113007714-1801674531-1003\..\Toolbar\WebBrowser: (Seve Tv Toolbar) - {A2E40772-4E84-4066-B8F1-F96C4EEDBD93} - C:\Program Files\Seve_Tv\tbSev2.dll (Conduit Ltd.)

O3 - HKU\S-1-5-21-1409082233-113007714-1801674531-1003\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [b

Link to post
Share on other sites

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 2)

Number of processors #1

==============================================

>Drivers

==============================================

0xACCDE000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4792320 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0xBF9D3000 C:\WINDOWS\System32\nv4_disp.dll 4497408 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 91.63 )

0xB93A8000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3964928 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 91.63 )

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2056832 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2056832 bytes

0x804D7000 RAW 2056832 bytes

0x804D7000 WMIxWDM 2056832 bytes

0xBF800000 Win32k 1839104 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1839104 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xBA6A7000 PCI_PNP5652 1048576 bytes

0xBA6A7000 spde.sys 1048576 bytes

0xBA6A7000 sptd 1048576 bytes

0xB9770000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 897024 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)

0xA2B90000 C:\WINDOWS\system32\drivers\hardlock.sys 696320 bytes (Aladdin Knowledge Systems Ltd., Hardlock Device Driver for Windows NT)

0xBA504000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xA941F000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xA9516000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xA2AD3000 C:\WINDOWS\system32\DRIVERS\srv.sys 339968 bytes (Microsoft Corporation, Server driver)

0xA2C62000 C:\WINDOWS\system32\DRIVERS\eamon.sys 315392 bytes (ESET, Amon monitor)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xB92F3000 C:\WINDOWS\system32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)

0xB9327000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xBA661000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xA2CAF000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xBA4D7000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xA948E000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 180224 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xA94DC000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xBA60B000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xB986E000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 151552 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xA2B6D000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 143360 bytes (Microsoft Corporation, Fast FAT File System Driver)

0xB984B000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xB9893000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xA94BA000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0xACCBC000 C:\WINDOWS\system32\drivers\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xA93FE000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)

0x806CE000 ACPI_HAL 131968 bytes

0x806CE000 C:\WINDOWS\system32\hal.dll 131968 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xBA5BA000 fltMgr.sys 126976 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xBA631000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xA2B26000 C:\WINDOWS\system32\Drivers\NSHE.SYS 126976 bytes (T0r0 2008, DongleEmulator for HASP, Sentinel, etc)

0xBA4BC000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xA41C1000 C:\WINDOWS\System32\Drivers\dump_nvata.sys 106496 bytes

0xBA5D9000 nvata.sys 106496 bytes (NVIDIA Corporation, NVIDIA

Link to post
Share on other sites

That is a lot of malware! Please read the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

ComboFix 10-11-24.04 - Pelegrin 11/25/2010 19:44:04.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1095 [GMT 2:00]

Running from: c:\documents and settings\Pelegrin\Desktop\ComboFix.exe

AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Pelegrin\Application Data\completescan

c:\documents and settings\Pelegrin\Application Data\install

c:\documents and settings\Pelegrin\Recent\Thumbs.db

c:\program files\driver

c:\windows\system32\UNWISE.EXE

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SSHNAS

((((((((((((((((((((((((( Files Created from 2010-10-25 to 2010-11-25 )))))))))))))))))))))))))))))))

.

2010-11-24 19:00 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-24 19:00 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-24 19:00 . 2010-11-24 19:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-23 17:27 . 2010-11-23 17:27 -------- d-----w- c:\documents and settings\Pelegrin\Application Data\Malwarebytes

2010-11-23 17:27 . 2010-11-23 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-23 16:27 . 2010-11-23 16:27 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-11-23 16:26 . 2010-11-23 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-11-21 10:51 . 2010-11-21 10:51 -------- d-----w- c:\program files\MSBuild

2010-11-21 10:32 . 2010-11-21 10:32 -------- d-----w- c:\documents and settings\Pelegrin\Local Settings\Application Data\Help

2010-11-21 09:59 . 2010-11-21 09:59 -------- d-----w- c:\documents and settings\Pelegrin\Local Settings\Application Data\Recovery Toolbox for Excel

2010-11-20 10:38 . 2010-11-20 10:38 -------- d-----w- c:\windows\system32\wbem\Repository

2010-11-20 10:37 . 2010-11-20 10:37 -------- d--h--w- c:\windows\PIF

2010-11-20 09:28 . 2010-11-20 10:32 -------- d-----w- c:\documents and settings\Pelegrin\Local Settings\Application Data\ConduitEngine

2010-11-20 09:28 . 2010-11-20 10:37 -------- d-----w- c:\program files\ConduitEngine

2010-11-20 09:28 . 2010-11-20 09:28 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-15 02:50 . 2010-05-11 17:39 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-15 00:29 . 2009-07-08 07:35 73728 ----a-w- c:\windows\system32\javacpl.cpl

.

------- Sigcheck -------

[-] 2010-01-07 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\TCPIP.SYS

[-] 2010-01-07 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\TCPIP.SYS

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{a2e40772-4e84-4066-b8f1-f96c4eedbd93}"= "c:\program files\Seve_Tv\tbSev2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{a2e40772-4e84-4066-b8f1-f96c4eedbd93}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a2e40772-4e84-4066-b8f1-f96c4eedbd93}]

2010-10-18 10:26 3908192 ----a-w- c:\program files\Seve_Tv\tbSev2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{a2e40772-4e84-4066-b8f1-f96c4eedbd93}"= "c:\program files\Seve_Tv\tbSev2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{a2e40772-4e84-4066-b8f1-f96c4eedbd93}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{A2E40772-4E84-4066-B8F1-F96C4EEDBD93}"= "c:\program files\Seve_Tv\tbSev2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{a2e40772-4e84-4066-b8f1-f96c4eedbd93}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-09-25 328056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]

"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="f:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"nwiz"="nwiz.exe" [2006-10-31 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-07-01 1447168]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"B

Link to post
Share on other sites

That took out quite some bad stuff, but still a rootkit to go.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Link to post
Share on other sites

2010/11/25 20:05:18.0765 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12

2010/11/25 20:05:18.0765 ================================================================================

2010/11/25 20:05:18.0765 SystemInfo:

2010/11/25 20:05:18.0765

2010/11/25 20:05:18.0765 OS Version: 5.1.2600 ServicePack: 2.0

2010/11/25 20:05:18.0765 Product type: Workstation

2010/11/25 20:05:18.0765 ComputerName: PELEGRIN-3602FE

2010/11/25 20:05:18.0765 UserName: Pelegrin

2010/11/25 20:05:18.0765 Windows directory: C:\WINDOWS

2010/11/25 20:05:18.0765 System windows directory: C:\WINDOWS

2010/11/25 20:05:18.0765 Processor architecture: Intel x86

2010/11/25 20:05:18.0765 Number of processors: 1

2010/11/25 20:05:18.0765 Page size: 0x1000

2010/11/25 20:05:18.0765 Boot type: Normal boot

2010/11/25 20:05:18.0765 ================================================================================

2010/11/25 20:05:19.0015 Initialize success

2010/11/25 20:05:42.0062 ================================================================================

2010/11/25 20:05:42.0062 Scan started

2010/11/25 20:05:42.0062 Mode: Manual;

2010/11/25 20:05:42.0062 ================================================================================

2010/11/25 20:05:42.0281 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/11/25 20:05:42.0328 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/11/25 20:05:42.0406 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys

2010/11/25 20:05:42.0453 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys

2010/11/25 20:05:42.0687 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/11/25 20:05:42.0718 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/11/25 20:05:42.0828 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/11/25 20:05:42.0906 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/11/25 20:05:42.0953 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/11/25 20:05:42.0984 BIOS (be5d50529799b9bab6be879ec768b6cf) C:\WINDOWS\system32\drivers\BIOS.sys

2010/11/25 20:05:43.0031 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/11/25 20:05:43.0062 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/11/25 20:05:43.0140 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/11/25 20:05:43.0203 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/11/25 20:05:43.0468 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/11/25 20:05:43.0562 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2010/11/25 20:05:43.0640 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

2010/11/25 20:05:43.0671 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/11/25 20:05:43.0734 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2010/11/25 20:05:43.0796 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/11/25 20:05:43.0890 eamon (9307bb1b5c3ed19517056e1f122d8c77) C:\WINDOWS\system32\DRIVERS\eamon.sys

2010/11/25 20:05:43.0937 easdrv (df91159321c0991a2e2eb97c84dc4110) C:\WINDOWS\system32\DRIVERS\easdrv.sys

2010/11/25 20:05:43.0984 epfw (e5fd8f94ea5e8be3e5aefbcadfdec2cf) C:\WINDOWS\system32\DRIVERS\epfw.sys

2010/11/25 20:05:44.0078 Epfwndis (e0b251dc16c6df74bd6b2b8f5aad7abb) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys

2010/11/25 20:05:44.0093 epfwtdi (269adc224b5946ad75d8368ce91f5ed7) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys

2010/11/25 20:05:44.0140 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/11/25 20:05:44.0203 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/11/25 20:05:44.0281 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2010/11/25 20:05:44.0328 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys

2010/11/25 20:05:44.0375 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2010/11/25 20:05:44.0421 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/11/25 20:05:44.0468 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/11/25 20:05:44.0515 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/11/25 20:05:44.0562 Hardlock (d95554949082fd29a04d351b58396718) C:\WINDOWS\system32\drivers\hardlock.sys

2010/11/25 20:05:44.0671 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/11/25 20:05:44.0781 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/11/25 20:05:44.0890 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/11/25 20:05:44.0921 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/11/25 20:05:45.0125 IntcAzAudAddService (c464cf7a58c011a70188602b55c64e99) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2010/11/25 20:05:45.0296 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2010/11/25 20:05:45.0375 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/11/25 20:05:45.0421 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/11/25 20:05:45.0468 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/11/25 20:05:45.0515 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/11/25 20:05:45.0562 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/11/25 20:05:45.0609 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/11/25 20:05:45.0640 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/11/25 20:05:45.0671 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys

2010/11/25 20:05:45.0718 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/11/25 20:05:45.0828 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/11/25 20:05:45.0875 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

2010/11/25 20:05:45.0937 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/11/25 20:05:46.0015 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/11/25 20:05:46.0062 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/11/25 20:05:46.0125 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/11/25 20:05:46.0171 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

2010/11/25 20:05:46.0218 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/11/25 20:05:46.0250 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/11/25 20:05:46.0281 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/11/25 20:05:46.0328 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/11/25 20:05:46.0390 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

2010/11/25 20:05:46.0406 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

2010/11/25 20:05:46.0453 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/11/25 20:05:46.0515 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/11/25 20:05:46.0546 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/11/25 20:05:46.0578 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/11/25 20:05:46.0625 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/11/25 20:05:46.0687 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/11/25 20:05:46.0750 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2010/11/25 20:05:46.0796 NSHE (f8e396f5e703d7a8f37d90f59c776268) C:\WINDOWS\system32\Drivers\NSHE.SYS

2010/11/25 20:05:46.0843 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/11/25 20:05:46.0906 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/11/25 20:05:47.0046 nv (eb2858f920b8135b807b5ccaa3ed73dc) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/11/25 20:05:47.0234 nvata (ef9941593b2e9b436f64a87ddb570d1a) C:\WINDOWS\system32\DRIVERS\nvata.sys

2010/11/25 20:05:47.0281 NVENETFD (0ae6258709d58fb53638e8d28f4480d4) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

2010/11/25 20:05:47.0359 nvnetbus (1296b33c223a58485d5eaa779752216a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

2010/11/25 20:05:47.0406 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/11/25 20:05:47.0468 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/11/25 20:05:47.0515 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/11/25 20:05:47.0593 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/11/25 20:05:47.0609 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/11/25 20:05:47.0656 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/11/25 20:05:47.0718 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/11/25 20:05:47.0765 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/11/25 20:05:47.0984 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/11/25 20:05:48.0031 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/11/25 20:05:48.0125 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/11/25 20:05:48.0156 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/11/25 20:05:48.0203 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/11/25 20:05:48.0421 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/11/25 20:05:48.0500 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/11/25 20:05:48.0531 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/11/25 20:05:48.0562 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/11/25 20:05:48.0609 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/11/25 20:05:48.0656 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/11/25 20:05:48.0718 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/11/25 20:05:48.0781 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/11/25 20:05:48.0812 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/11/25 20:05:48.0937 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/11/25 20:05:49.0000 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/11/25 20:05:49.0046 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/11/25 20:05:49.0078 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/11/25 20:05:49.0218 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/25 20:05:49.0281 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys

2010/11/25 20:05:49.0281 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b

2010/11/25 20:05:49.0281 sptd - detected Locked file (1)

2010/11/25 20:05:49.0328 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/25 20:05:49.0390 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/25 20:05:49.0453 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/25 20:05:49.0484 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/25 20:05:49.0625 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/25 20:05:49.0718 Tcpip (27a5959c94ee173a063ca06bd14f021a) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/25 20:05:49.0765 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/25 20:05:49.0796 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/25 20:05:49.0828 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/25 20:05:49.0921 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/25 20:05:50.0000 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/25 20:05:50.0046 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/11/25 20:05:50.0125 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/25 20:05:50.0171 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/25 20:05:50.0218 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/11/25 20:05:50.0250 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/11/25 20:05:50.0296 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/11/25 20:05:50.0328 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/25 20:05:50.0375 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2010/11/25 20:05:50.0453 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/11/25 20:05:50.0484 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/11/25 20:05:50.0546 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/11/25 20:05:50.0656 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/11/25 20:05:50.0656 ================================================================================

2010/11/25 20:05:50.0656 Scan finished

2010/11/25 20:05:50.0656 ================================================================================

2010/11/25 20:05:50.0687 Detected object count: 2

2010/11/25 20:06:38.0796 Locked file(sptd) - User select action: Skip

2010/11/25 20:06:38.0828 \HardDisk0 - will be cured after reboot

2010/11/25 20:06:38.0828 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2010/11/25 20:06:56.0687 Deinitialize success

Link to post
Share on other sites

ComboFix 10-11-24.04 - Pelegrin 11/25/2010 20:13:29.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1360 [GMT 2:00]

Running from: c:\documents and settings\Pelegrin\Desktop\ComboFix.exe

AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

.

((((((((((((((((((((((((( Files Created from 2010-10-25 to 2010-11-25 )))))))))))))))))))))))))))))))

.

2010-11-24 19:00 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-24 19:00 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-24 19:00 . 2010-11-24 19:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-23 17:27 . 2010-11-23 17:27 -------- d-----w- c:\documents and settings\Pelegrin\Application Data\Malwarebytes

2010-11-23 17:27 . 2010-11-23 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-23 16:27 . 2010-11-23 16:27 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-11-23 16:26 . 2010-11-23 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-11-21 10:51 . 2010-11-21 10:51 -------- d-----w- c:\program files\MSBuild

2010-11-21 10:32 . 2010-11-21 10:32 -------- d-----w- c:\documents and settings\Pelegrin\Local Settings\Application Data\Help

2010-11-21 09:59 . 2010-11-21 09:59 -------- d-----w- c:\documents and settings\Pelegrin\Local Settings\Application Data\Recovery Toolbox for Excel

2010-11-20 10:38 . 2010-11-20 10:38 -------- d-----w- c:\windows\system32\wbem\Repository

2010-11-20 10:37 . 2010-11-20 10:37 -------- d--h--w- c:\windows\PIF

2010-11-20 09:28 . 2010-11-20 10:32 -------- d-----w- c:\documents and settings\Pelegrin\Local Settings\Application Data\ConduitEngine

2010-11-20 09:28 . 2010-11-20 10:37 -------- d-----w- c:\program files\ConduitEngine

2010-11-20 09:28 . 2010-11-20 09:28 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-15 02:50 . 2010-05-11 17:39 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-15 00:29 . 2009-07-08 07:35 73728 ----a-w- c:\windows\system32\javacpl.cpl

.

------- Sigcheck -------

[-] 2010-01-07 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\TCPIP.SYS

[-] 2010-01-07 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\TCPIP.SYS

.

((((((((((((((((((((((((((((( SnapShot@2010-11-25_17.49.16 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-11-25 18:08 . 2010-11-25 18:08 16384 c:\windows\Temp\Perflib_Perfdata_29c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{a2e40772-4e84-4066-b8f1-f96c4eedbd93}"= "c:\program files\Seve_Tv\tbSev2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{a2e40772-4e84-4066-b8f1-f96c4eedbd93}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a2e40772-4e84-4066-b8f1-f96c4eedbd93}]

2010-10-18 10:26 3908192 ----a-w- c:\program files\Seve_Tv\tbSev2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{a2e40772-4e84-4066-b8f1-f96c4eedbd93}"= "c:\program files\Seve_Tv\tbSev2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{a2e40772-4e84-4066-b8f1-f96c4eedbd93}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{A2E40772-4E84-4066-B8F1-F96C4EEDBD93}"= "c:\program files\Seve_Tv\tbSev2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{a2e40772-4e84-4066-b8f1-f96c4eedbd93}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-09-25 328056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]

"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="f:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"nwiz"="nwiz.exe" [2006-10-31 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-07-01 1447168]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"B

Link to post
Share on other sites

Not so fast, we're not yet done here. -_-

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

MALWAREBYTES ANTIMALWARE

-------------------------------------------

Please launch MBAM and update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Finally, some serious updating. Service pack 2 for XP is no longer supported by Microsoft, leaving you wide open for all kind of threats.

UPDATE XP

--------------

Your Microsoft Windows installation is out of date. Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.

Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5184

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

11/25/2010 9:41:37 PM

mbam-log-2010-11-25 (21-41-37).txt

Scan type: Full scan (C:\|D:\|F:\|)

Objects scanned: 230965

Time elapsed: 29 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

F:\System Volume Information\_restore{A8742B6C-C5D5-45FE-9E00-D67121697DE4}\RP254\A0098999.dll (Trojan.Agent) -> Quarantined and deleted successfully.

F:\System Volume Information\_restore{A8742B6C-C5D5-45FE-9E00-D67121697DE4}\RP255\A0099335.dll (Trojan.Agent) -> Quarantined and deleted successfully.

F:\System Volume Information\_restore{A8742B6C-C5D5-45FE-9E00-D67121697DE4}\RP256\A0100662.dll (Trojan.Agent) -> Quarantined and deleted successfully.

F:\unix_net\TL_LOCAL\TL4_NET.EXE (Trojan.Banker) -> Quarantined and deleted successfully.

F:\unix_net\TL_MODEM\_IN_BOX\UPDATE\tl_local\TL4_NET.EXE (Trojan.Banker) -> Quarantined and deleted successfully.

Link to post
Share on other sites

You can dequarantine that, using MBAM, but do only so if you are absolutely sure it is not a harmful file. You might want to upload it to www.virustotal.com

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

Link to post
Share on other sites

Did you also finish the Windows Updates?

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean -_-

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete Rootkit Unhooker and OTL.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Link to post
Share on other sites

I take it you have the Romanian version of MBAM installed: Open the program, click the "carantina" tab. Select the file(s) you want to restore and click "restaureaza".

Note that it is quite likely these files may be a threat and can reinfect your computer!!!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.