Another redirect virus

[nyyankees51]

Hi folks, I am running Windows XP Home Edition on an HP netbook. It was infected by what appears to be a browser redirect virus. It started by disabling Mozilla Firefox, which I uninstalled thinking it was just a problem with Firefox. Then I started using Internet Explorer 8. When I searched for Firefox on Google to reinstall it, I clicked on the link and was redirected to "plxlestatservlce.com" which gave me an error message. I ran Malwarebytes Anti-Malware and a couple Windows programs to no avail. And just as I was registering my account, IE froze and then opened two windows to other websites, then a dialog box saying "Windows Security has found critical process activity on your system and will perform fast scan of system files", so I ended the process. Here is my HijackThis log. Any help is much appreciated.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:04:43 PM, on 11/28/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe

C:\SPLASH.SYS\config\DVMExportService.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\HP\HPBTWD.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hewlett-Packard\HP QuickSync\QuickSync.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\HP QuickSync\jre\bin\javaw.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" //mailurl:mailto:ackleyd@cox.net

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {99E00A4C-D35E-11DD-BA95-9B6A56D89593} - (no file)

O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0560.0\msneshellx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0560.0\msneshellx.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [HP BTW Detect Program] C:\Program Files\HP\HPBTWD.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [HP] C:\Program Files\Hewlett-Packard\HP QuickSync\QuickSync.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Valentine Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6770.cab

O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe

O23 - Service: BOTService - Sonic Solutions - C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe

O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM, Inc. - C:\SPLASH.SYS\config\DVMExportService.exe

O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--

End of file - 6942 bytes

Many thanks!

[negster22]

Hi nyyankees51,

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Some background information on what we're planning to do can be found >HERE<

Please read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
  
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

[nyyankees51]

It appears to have worked! (I ran negster22's version.) Here's the log:

2010/11/29 14:16:52.0250 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56

2010/11/29 14:16:52.0250 ================================================================================

2010/11/29 14:16:52.0250 SystemInfo:

2010/11/29 14:16:52.0250

2010/11/29 14:16:52.0250 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/29 14:16:52.0250 Product type: Workstation

2010/11/29 14:16:52.0250 ComputerName: VALENTINE

2010/11/29 14:16:52.0250 UserName: Valentine Family

2010/11/29 14:16:52.0250 Windows directory: C:\WINDOWS

2010/11/29 14:16:52.0250 System windows directory: C:\WINDOWS

2010/11/29 14:16:52.0250 Processor architecture: Intel x86

2010/11/29 14:16:52.0250 Number of processors: 2

2010/11/29 14:16:52.0250 Page size: 0x1000

2010/11/29 14:16:52.0250 Boot type: Normal boot

2010/11/29 14:16:52.0250 ================================================================================

2010/11/29 14:16:52.0656 Initialize success

2010/11/29 14:17:02.0953 ================================================================================

2010/11/29 14:17:02.0953 Scan started

2010/11/29 14:17:02.0968 Mode: Manual;

2010/11/29 14:17:02.0968 ================================================================================

2010/11/29 14:17:03.0375 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2010/11/29 14:17:03.0437 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/11/29 14:17:03.0468 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2010/11/29 14:17:03.0531 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2010/11/29 14:17:03.0593 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/11/29 14:17:03.0687 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/11/29 14:17:03.0734 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/11/29 14:17:03.0796 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2010/11/29 14:17:03.0843 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2010/11/29 14:17:03.0890 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2010/11/29 14:17:03.0921 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2010/11/29 14:17:04.0015 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2010/11/29 14:17:04.0046 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2010/11/29 14:17:04.0093 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2010/11/29 14:17:04.0140 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2010/11/29 14:17:04.0296 AR5416 (c72a33563a6fd73f2f1eb5b346b8cf6d) C:\WINDOWS\system32\DRIVERS\athw.sys

2010/11/29 14:17:04.0437 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2010/11/29 14:17:04.0484 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2010/11/29 14:17:04.0515 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2010/11/29 14:17:04.0609 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/11/29 14:17:04.0656 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/11/29 14:17:04.0718 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/11/29 14:17:04.0765 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/11/29 14:17:04.0828 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/11/29 14:17:04.0921 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2010/11/29 14:17:04.0953 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/11/29 14:17:05.0015 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2010/11/29 14:17:05.0031 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2010/11/29 14:17:05.0078 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/11/29 14:17:05.0109 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/11/29 14:17:05.0156 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/11/29 14:17:05.0281 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2010/11/29 14:17:05.0328 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2010/11/29 14:17:05.0390 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2010/11/29 14:17:05.0453 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2010/11/29 14:17:05.0515 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2010/11/29 14:17:05.0546 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2010/11/29 14:17:05.0609 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/11/29 14:17:05.0687 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/11/29 14:17:05.0734 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/11/29 14:17:05.0765 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/11/29 14:17:05.0843 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/11/29 14:17:05.0890 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2010/11/29 14:17:05.0937 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/11/29 14:17:06.0031 DVMIO (6368d6a6dda2e44eecc592eb50950463) C:\SPLASH.SYS\config\dvmio.sys

2010/11/29 14:17:06.0125 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/11/29 14:17:06.0187 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2010/11/29 14:17:06.0218 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/11/29 14:17:06.0265 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2010/11/29 14:17:06.0296 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2010/11/29 14:17:06.0359 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/11/29 14:17:06.0390 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/11/29 14:17:06.0453 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/11/29 14:17:06.0500 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/11/29 14:17:06.0578 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/11/29 14:17:06.0640 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2010/11/29 14:17:06.0703 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/11/29 14:17:06.0750 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

2010/11/29 14:17:06.0812 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2010/11/29 14:17:06.0843 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/11/29 14:17:07.0078 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

2010/11/29 14:17:07.0328 iaStor (d483687eace0c065ee772481a96e05f5) C:\WINDOWS\system32\DRIVERS\iaStor.sys

2010/11/29 14:17:07.0437 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/11/29 14:17:07.0531 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2010/11/29 14:17:07.0593 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/11/29 14:17:07.0625 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/11/29 14:17:07.0687 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2010/11/29 14:17:07.0718 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/11/29 14:17:07.0750 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/11/29 14:17:07.0812 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/11/29 14:17:07.0859 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/11/29 14:17:07.0906 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/11/29 14:17:07.0953 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/11/29 14:17:08.0000 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/11/29 14:17:08.0078 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/11/29 14:17:08.0125 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/11/29 14:17:08.0156 L1c (140f9b777fa84e2f5eeea5cadc112e53) C:\WINDOWS\system32\DRIVERS\l1c51x86.sys

2010/11/29 14:17:08.0281 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/11/29 14:17:08.0343 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/11/29 14:17:08.0421 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/11/29 14:17:08.0484 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/11/29 14:17:08.0531 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/11/29 14:17:08.0562 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2010/11/29 14:17:08.0609 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/11/29 14:17:08.0687 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/11/29 14:17:08.0750 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/11/29 14:17:08.0828 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/11/29 14:17:08.0859 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/11/29 14:17:08.0906 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/11/29 14:17:08.0937 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/11/29 14:17:08.0984 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2010/11/29 14:17:09.0015 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/11/29 14:17:09.0062 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2010/11/29 14:17:09.0109 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/11/29 14:17:09.0140 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2010/11/29 14:17:09.0203 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/11/29 14:17:09.0234 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/11/29 14:17:09.0265 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/11/29 14:17:09.0312 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/11/29 14:17:09.0359 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/11/29 14:17:09.0421 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/11/29 14:17:09.0531 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/11/29 14:17:09.0593 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/11/29 14:17:09.0656 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/11/29 14:17:09.0718 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/11/29 14:17:09.0750 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/11/29 14:17:09.0812 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

2010/11/29 14:17:09.0843 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/11/29 14:17:09.0875 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/11/29 14:17:09.0921 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/11/29 14:17:09.0984 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/11/29 14:17:10.0031 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/11/29 14:17:10.0187 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2010/11/29 14:17:10.0234 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2010/11/29 14:17:10.0343 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/11/29 14:17:10.0390 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/11/29 14:17:10.0421 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/11/29 14:17:10.0468 PxHelp20 (5491e4e7d93804f43abe8ce3c39f5a86) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/11/29 14:17:10.0515 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2010/11/29 14:17:10.0562 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2010/11/29 14:17:10.0609 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2010/11/29 14:17:10.0640 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2010/11/29 14:17:10.0671 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2010/11/29 14:17:10.0703 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/11/29 14:17:10.0781 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/11/29 14:17:10.0828 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/11/29 14:17:10.0859 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/11/29 14:17:10.0906 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/11/29 14:17:10.0937 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/11/29 14:17:11.0015 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/11/29 14:17:11.0109 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/11/29 14:17:11.0171 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/11/29 14:17:11.0281 RSUSBSTOR (030442f08aec1a5d7cf035cc514374b9) C:\WINDOWS\system32\Drivers\RTS5121.sys

2010/11/29 14:17:11.0328 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2010/11/29 14:17:11.0437 SahdIa32 (0b2d5d2341437d7d7e1a6c7bbce3786a) C:\WINDOWS\system32\Drivers\SahdIa32.sys

2010/11/29 14:17:11.0468 SaibIa32 (7a5f65b16249af2bc9d18d815f5d7172) C:\WINDOWS\system32\Drivers\SaibIa32.sys

2010/11/29 14:17:11.0531 SaibVd32 (e333c9515822de586a3ff759a0c9b7bf) C:\WINDOWS\system32\Drivers\SaibVd32.sys

2010/11/29 14:17:11.0609 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/11/29 14:17:11.0687 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2010/11/29 14:17:11.0765 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/11/29 14:17:11.0875 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2010/11/29 14:17:11.0921 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/11/29 14:17:12.0031 SNP2UVC (473f35e2a378b854731e67c377a3bea7) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys

2010/11/29 14:17:12.0125 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2010/11/29 14:17:12.0171 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/29 14:17:12.0218 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/29 14:17:12.0328 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/29 14:17:12.0453 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/11/29 14:17:12.0500 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/29 14:17:12.0546 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/29 14:17:12.0609 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2010/11/29 14:17:12.0656 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2010/11/29 14:17:12.0687 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2010/11/29 14:17:12.0734 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2010/11/29 14:17:12.0796 SynTP (8da49473f997d4c5d821f1e358f94f2d) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2010/11/29 14:17:12.0843 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/29 14:17:12.0906 SysCow (9c1c6212623484331cce11ebbbfa3139) C:\WINDOWS\system32\drivers\syscow32x.sys

2010/11/29 14:17:13.0000 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/29 14:17:13.0031 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/29 14:17:13.0093 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/29 14:17:13.0140 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/29 14:17:13.0203 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2010/11/29 14:17:13.0296 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/29 14:17:13.0328 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2010/11/29 14:17:13.0375 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/29 14:17:13.0484 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/11/29 14:17:13.0578 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/29 14:17:13.0609 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/29 14:17:13.0671 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/11/29 14:17:13.0734 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/29 14:17:13.0765 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/11/29 14:17:13.0812 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

2010/11/29 14:17:13.0859 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/11/29 14:17:13.0921 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2010/11/29 14:17:13.0968 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/11/29 14:17:13.0984 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/11/29 14:17:14.0062 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/11/29 14:17:14.0140 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys

2010/11/29 14:17:14.0218 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/11/29 14:17:14.0328 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2010/11/29 14:17:14.0437 WSIMD (0091d78c5f8fde0cdf2b214823de6e48) C:\WINDOWS\system32\DRIVERS\wsimd.sys

2010/11/29 14:17:14.0500 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/11/29 14:17:14.0562 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/11/29 14:17:14.0609 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/11/29 14:17:14.0734 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/11/29 14:17:14.0734 ================================================================================

2010/11/29 14:17:14.0734 Scan finished

2010/11/29 14:17:14.0734 ================================================================================

2010/11/29 14:17:14.0765 Detected object count: 1

2010/11/29 14:17:36.0000 \HardDisk0 - will be cured after reboot

2010/11/29 14:17:36.0000 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2010/11/29 14:17:48.0937 Deinitialize success

It's not doing what it was doing before so I think it worked. Is there any way to know for sure? Many thanks!

[negster22]

We can run a couple more helpful troubleshooting programs to verify there's nothing infected remaining on your system.

Please download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Please launch the rootkit scanner as follows to produce a quick scan report ONLY!:

• Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
  
• When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  
• When the scan is finished (a few seconds), save the scan log to the Windows clipboard
  
• Open Notepad or a similar text editor
  
• Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  
• Exit the Program
  
• Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.
  

Please Run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to iexplore.exe

Notes:

• It is very important that save the newly renamed EXE file to your desktop.
  
• You must rename Combofixe.exe as you download it and not after it is on your computer.
  You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • Open Firefox
    
  • Click Tools -> Options -> Main
    
  • Under the downloads section check the button that says "Always ask me where to save files".
    
  • Click OK
    

  [*]For Internet Explorer:

  • Choose to save, not open the file
    
  • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
    

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

• Close any open browsers and programs.
  
• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  
• If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform it's normal malware removal capabilities. This is for your safety !!
  

1. To Launch Combofix

Click Start --> Run, and Copy/Paste or Enter this command exactly as shown (including the quotes):

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post ARKQ.txt and C:\ComboFix.txt in your next reply.

[nyyankees51]

Here are the logs:

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit quick scan 2010-11-29 19:15:50

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 SAMSUNG_ rev.HH10

Running: 5lwyl6d9.exe; Driver: C:\DOCUME~1\VALENT~1\LOCALS~1\Temp\agtcipow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

*****

ComboFix 10-11-29.03 - Valentine Family 11/29/2010 19:25:49.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.637 [GMT -5:00]

Running from: c:\documents and settings\Valentine Family\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Valentine Family\Recent\lot_details.url

c:\windows\system32\sqlite3.dll

.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))

.

2010-11-30 00:14 . 2010-11-30 00:14 -------- d-----w- c:\windows\LastGood

2010-11-29 03:38 . 2010-11-29 03:38 -------- d-----w- c:\program files\Trend Micro

2010-11-26 19:33 . 2010-11-26 19:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-11-26 16:46 . 2010-11-30 00:15 -------- d-----w- c:\program files\Windows Live Safety Center

2010-11-26 16:07 . 2010-11-26 16:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 16:23 . 2010-09-18 16:23 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2010-10-13 17:45 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2010-10-13 17:45 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-18 06:53 . 2010-10-13 17:45 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-10 05:58 . 2010-10-13 17:45 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2010-10-13 17:45 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2010-10-13 17:45 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2010-09-01 11:51 285824 ----a-w- c:\windows\system32\atmfd.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Valentine Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-26 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]

"HP BTW Detect Program"="c:\program files\HP\HPBTWD.exe" [2009-03-30 319488]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-16 1418536]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-30 148888]

"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Hewlett-Packard\\HP QuickSync\\jre\\bin\\javaw.exe"=

"c:\\Documents and Settings\\Valentine Family\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Valentine Family\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443

"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [9/30/2009 4:41 PM 21488]

R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [9/30/2009 4:41 PM 15856]

R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [7/2/2009 1:10 AM 103792]

R1 DVMIO;DVMIO;c:\splash.sys\config\dvmio.sys [7/27/2009 2:01 PM 16984]

R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [9/30/2009 4:41 PM 25584]

R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 9:05 PM 457200]

R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [7/9/2009 6:08 AM 199152]

R2 DvmMDES;DeviceVM Meta Data Export Service;c:\splash.sys\config\DVMExportService.exe [7/8/2009 9:55 PM 323584]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/31/2009 3:11 PM 39424]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/18/2010 11:56 PM 136176]

S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys --> c:\windows\system32\drivers\AESTAud.sys [?]

S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [9/30/2009 4:20 PM 160256]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AGTCIPOW

*Deregistered* - agtcipow

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-11-30 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job

- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2009-07-09 11:09]

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-19 20:31]

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-19 20:31]

2010-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1711344485-2863747044-838911637-1005Core.job

- c:\documents and settings\Valentine Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-26 01:16]

2010-11-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1711344485-2863747044-838911637-1005UA.job

- c:\documents and settings\Valentine Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-26 01:16]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb

uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:ackleyd@cox.net

uInternet Settings,ProxyServer = http=127.0.0.1:6522

.

- - - - ORPHANS REMOVED - - - -

BHO-{99E00A4C-D35E-11DD-BA95-9B6A56D89593} - (no file)

Toolbar-Locked - (no file)

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-29 19:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-11-29 19:40:00

ComboFix-quarantined-files.txt 2010-11-30 00:39

Pre-Run: 129,277,280,256 bytes free

Post-Run: 130,801,827,840 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 3BE56DEC1F66C9E22F8DB30A0351DBD7

Thanks!

[negster22]

Hi nyyankees51,

That looks good!

Your Gmer Anti-rootkit scan is clean (no rootkits visible) and so is your Combofix report!

We have a few steps to finish up now.

You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 22, if you have not done that already.

You can check your currently installed JRE version >HERE<.

If you find you need to update to the Java Runtime Environment (JRE) 6 Update 22, then follow these steps:

1. Download the latest JRE version clicking the "Agree and Start Free Download" button.

2. Save the installer to your desktop.

3. Close any programs you may have running - especially your web browser.

4. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

5. Reboot your system

6. Then from your desktop double-click on jxpiinstall.exe to install the newest version of the Sun Java Platform

7. "Install the Yahoo Toolbar' is prechecked by default, so be sure to UNCHECK it, if you do not care to have it, or You already have it installed - it is NOT part of the JRE install and it is NOT required for any Java applications.

8. You may verify that the current version installed properly by clicking http://java.com/en/download/installed.jsp here.

Now clear the Java cache:

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

• On the General tab, under Temporary Internet Files, click the Settings button.
  
• Next, click on the Delete Files button
  
• There are two options in the window to clear the cache - Leave BOTH Checked
  • Applications and Applets
    
  • Trace and Log Files
    

  [*]Click OK on Delete Temporary Files Window

  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  [*] Click OK to leave the Temporary Files Window

  [*]Click OK to leave the Java Control Panel.

As Java Cache can be an infection repository, You can quickly scan it periodically for infectious elements, by right-clicking the following folder and selecting the "Scan with <Your antivirus>" option:

The location of this folder usually is:

In XP:

C:\Documents and Settings\<user_name>\Application Data\Sun\Java\Deployment\cache\

In Vista and Windows 7:

C:\Users\<user_name>\AppData\LocalLow\Sun\Java\Deployment\cache\

==

Please uninstall the ARK Program by doing the following:

• Delete the contents of the C:\ARK folder (or whatever folder you chose to install the antirootkit in)
  
• Delete the C:\ARK folder(or whatever folder you chose to install the antirootkit in)
  

To remove Combofix and it's quarantine folder:

Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:

"%userprofile%\desktop\combofix.exe" /uninstall

This will do the following:

• Uninstall Combofix and all its associated files and folders.
  
• Flush your system restore points and create a new restore point.
  
• Rehide your system files and folders
  
• Reset your system clock
  

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are aquired through application not Operating System flaws. Commonly used programs like Quicktime, Java, and Adobe Acrobat Reader, itunes, FlashPlayer and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update.

However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please review the additional suggestions offered by Tony Klein in How did I get infected in the first place. so you can maintain a safe and secure computing environment.

Happy Surfing!

[nyyankees51]

Thank you so much. I sincerely appreciate your help.

[negster22]

You're very Welcome and Good Luck to You!!

[screen317]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!