
Google redirects, slow computer, can't find the cause!


Sam LG


I've been doing some research and seen that a few people have experienced the same problems as me which have been the following:

Google will redirect to sites such as default.com, webdeorr.net, icityfind.com, askjeeves, kdirectory.co.uk and more (in ANY browser, which for me is Firefox, Chrome and IE).

Internet connection and general speed of the computer is slow.

Desktop icons are separated in half, with a gap running horizontally halfway through the screen.

Even if not on Google, sites might pop up every now and then in the browser.

I heard it was perhaps Java or Adobe Flash, so I uninstalled and reinstalled it all - nothing.

I ran Malwarebytes, but it's now coming up with 0 infections and is seemingly clean.

ComboFix and TDSSKiller have also been tried.

I ran a System Restore to the earliest point; it still didn't work.

This was the last Malwarebytes log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5173

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

11/26/2010 7:20:19 PM

mbam-log-2010-11-26 (19-20-19).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|H:\|I:\|J:\|K:\|)

Objects scanned: 360985

Time elapsed: 2 hour(s), 22 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

BUT this was the first:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5096

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

11/11/2010 8:05:33 PM

mbam-log-2010-11-11 (20-05-33).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 354066

Time elapsed: 2 hour(s), 50 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 6

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 52

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kcodj (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bgiwevozuji (Trojan.Agent.U) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{bba34d47-d72c-771f-cd63-e4903be83370} (Trojan.ZbotR.Gen) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{3c66789b-587b-7969-4b09-320823ead303} (Trojan.ZbotR.Gen) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{ee9d835e-f7ab-d79b-284f-4f42890370c5} (Trojan.ZbotR.Gen) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_application (Hijacker.Application) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ljeha (Trojan.Agent.U) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Sam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MI1OOB09\tkbvqkfdls[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Users\Sam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MI1OOB09\tkbvqkfdls[2].htm (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Users\Sam\Desktop\Win Utilities\cxa2261a\cxa2261a\crd.exe (TheftMarker.Crude) -> Quarantined and deleted successfully.

C:\Users\Sam\Desktop\Other Folders\old laptop files\Samsung PC Studio 3\util\SMSMoveD500.exe (Worm.Koobface) -> Quarantined and deleted successfully.

C:\Users\Sam\Desktop\Other Folders\old laptop files\Samsung PC Studio 3\util\SMSMoveX800.exe (Worm.Koobface) -> Quarantined and deleted successfully.

C:\Users\Sam\Desktop\Other Folders\old laptop files\Samsung PC Studio 3\util\SMSMoveZ510.exe (Worm.Koobface) -> Quarantined and deleted successfully.

C:\Windows\System32\kcodj.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Windows\System32\rcodb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Windows\System32\cxc2396a\crd.exe (TheftMarker.Crude) -> Quarantined and deleted successfully.

C:\Windows\Temp\1684730444.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\170187606.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\1735053838.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\2028035305.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\2106990383.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\239331182.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\2593135240.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\2765581421.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\user.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\3045936152.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\nvsvc32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\smss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\spoolsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\hexdump.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\install.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\login.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\lsass.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\drweb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\4075467402.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\814350713.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\avp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\cmd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\csrss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\win16.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\winlogon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\3538946004.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\3566645635.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\3589180379.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\3705196915.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\3707927883.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\3734434285.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Temp\viqb.exe (Spyware.Amber) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\AppData\Roaming\sdra64.exe (Spyware.Zbot) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\Desktop\User Protection Support.lnk (Rogue.Protection) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\Users\Sam\AppData\Local\Temp\0.08543747611674446.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Users\Sam\AppData\Local\Temp\0.41668873344022306.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Windows\Temp\0.25553629921988186.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Windows\Temp\0.1222243556229543.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Windows\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Users\Public\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.

C:\Users\Sam\AppData\Local\mivintor.dll (Trojan.Agent.U) -> Delete on reboot.

Any chance someone can help me here? I'm stuck. Whatever it is, it seems to be buried deep.

Here's the DDS bit:

DDS (Ver_10-11-27.01) - NTFSx86

Run by Sam at 17:21:05.07 on Mon 11/29/2010

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.640 [GMT 0:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\mfevtps.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\Users\Sam\AppData\Local\TVersity\Media Server\MediaServer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\CtHelper.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Free Download Manager\fdm.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Users\Sam\Desktop\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://uk.yahoo.com

mStart Page = hxxp://uk.yahoo.com

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101103112718.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL

BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun

uRun: [Google Update] "c:\users\sam\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

mRun: [CTHelper] CTHELPER.EXE

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [F5D9050] c:\program files\belkin\f5d9050\Belkinwcui.exe

mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRun: [DevconDefaultDB] c:\windows\system32\READREG /SILENT /FAIL=1

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-7 64288]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-2-4 386840]

R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-10-11 64304]

R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-11 164840]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-11 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-11 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-11 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-10-11 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-10-11 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-11 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-11 55840]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-4 152960]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-11 313288]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-1-29 79360]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1375992]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-11-13 15264]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-4 52104]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-11 84264]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-2-4 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-2-4 40552]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\drivers\Ph3xIB32.sys [2009-6-10 1311232]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-8 1343400]

=============== Created Last 30 ================

2010-11-24 00:13:28 2493643 ----a-w- c:\windows\system32\abgx360.exe

2010-11-23 16:46:49 -------- d-----w- c:\users\sam\appdata\local\MetaGeek,_LLC

2010-11-23 16:42:52 -------- d-----w- c:\program files\MetaGeek

2010-11-23 15:23:36 -------- d-sh--w- C:\$RECYCLE.BIN

2010-11-23 15:18:34 -------- d-----w- c:\users\sam\appdata\local\temp

2010-11-23 15:11:20 -------- d-----w- c:\users\sam\appdata\local\Adobe

2010-11-23 15:08:38 -------- d-----w- C:\Device

2010-11-23 14:45:14 98816 ----a-w- c:\windows\sed.exe

2010-11-23 14:45:14 89088 ----a-w- c:\windows\MBR.exe

2010-11-23 14:45:14 256512 ----a-w- c:\windows\PEV.exe

2010-11-23 14:45:14 161792 ----a-w- c:\windows\SWREG.exe

2010-11-23 14:45:03 -------- d-----w- C:\ComboFix

2010-11-16 14:05:47 -------- d-----w- c:\windows\system32\wbem\Logs

2010-11-16 14:02:07 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-16 14:02:07 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2010-11-14 13:43:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-14 13:43:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-14 12:52:46 -------- d-----w- c:\users\sam\appdata\local\Windows Live

2010-11-14 12:51:49 196608 ----a-w- c:\windows\system32\mfreadwrite.dll

2010-11-14 12:51:48 3181568 ----a-w- c:\windows\system32\mf.dll

2010-11-14 12:51:48 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL

2010-11-13 13:58:37 -------- d-----w- c:\program files\iTunes

2010-11-13 13:58:37 -------- d-----w- c:\program files\iPod

2010-11-13 13:52:27 -------- d-----w- c:\program files\Bonjour

2010-11-12 21:44:44 0 ----a-w- c:\users\sam\appdata\local\Yfujukifurizevu.bin

2010-11-11 17:09:51 -------- d-----w- c:\users\sam\appdata\roaming\Malwarebytes

2010-11-11 17:09:35 -------- d-----w- c:\progra~2\Malwarebytes

2010-11-11 17:09:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-11 16:54:43 -------- d-----w- c:\users\sam\appdata\roaming\Ugaxod

2010-11-09 00:19:57 -------- d-----w- c:\windows\system32\the.walking.dead.s01e02.hdtv.xvid-fqm

2010-11-08 12:03:44 -------- d-----w- c:\users\sam\appdata\roaming\Replay Media Catcher 4

2010-11-08 11:29:21 -------- dc-h--w- c:\progra~2\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-11-05 14:01:11 -------- d-----w- C:\YouTubeVideos

2010-11-01 14:08:25 -------- d-----w- c:\progra~2\regid.1986-12.com.adobe

==================== Find3M ====================

2010-11-13 12:51:08 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-10-13 22:28:54 141792 ----a-w- c:\windows\system32\mfevtps.exe

2010-10-12 14:11:16 58904 ----a-w- c:\windows\system32\sysfolderazipcnt.dll

2010-10-12 14:11:16 58904 ----a-w- c:\windows\system32\azipcontmn.dll

2010-10-07 12:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-10-07 12:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-09-28 15:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-09-23 00:47:28 49016 ----a-w- c:\windows\system32\sirenacm.dll

2010-09-21 14:03:14 208768 ----a-w- c:\windows\system32\LIVESSP.DLL

2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll

2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec

2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2010-09-01 04:23:49 12625408 ----a-w- c:\windows\system32\wmploc.DLL

2010-09-01 02:34:52 2327552 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7600 Disk: ST3400820AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x8A6B2446]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a6b8504]; MOV EAX, [0x8a6b8580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x87681458] -> \Device\Harddisk0\DR0[0x8A692528]

3 CLASSPNP[0x8D39359E] -> ntkrnlpa!IofCallDriver[0x87681458] -> [0x8A5D3918]

5 ACPI[0x87FAC3B2] -> ntkrnlpa!IofCallDriver[0x87681458] -> \IdeDeviceP0T0L0-0[0x8A5C1908]

\Driver\atapi[0x8A696F38] -> IRP_MJ_CREATE -> 0x8A6B2446

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskST3400820AS_____________________________3.AAD___#5&26101adf&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

user != kernel MBR !!!

sectors 781422766 (+255): user != kernel

Warning: possible TDL4 rootkit infection !

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 17:22:10.09 ===============

with the other one attached to this post alongside the GMER one.

I checked "Show All" on GMER because it was already unchecked, and I presumed you'd want it to show all rather than not?

Thanks for this

Sam

Hello Sam LG and welcome to Malwarebytes. Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I

Attach.txt

Gmer.txt
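Added here as a triage aid for readers working through logs like the ones above; it is not from this thread, from Malwarebytes, or from the DDS tool. It parses lines in the two layouts shown above (MBAM "item (Family) -> action" entries and DDS "mPolicies-system:" lines, with the sample entries copied from this thread's logs) and flags what a responder would check by hand: the Image File Execution Options keys under the browsers' names, Run-key persistence, core Windows process names sitting under a Temp folder, and the UAC policies that the DDS report shows set to 0. The process-name list and the wording of the notes are my own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the MBAM 1.46 log posted in this thread
# (entries copied from the first scan above). Raw string: backslashes are literal.
MBAM_SAMPLE = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kcodj (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bgiwevozuji (Trojan.Agent.U) -> Delete on reboot.

Files Infected:
C:\Windows\Temp\smss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Temp\239331182.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# Constructed sample in the layout of the DDS "Pseudo HJT Report" posted above.
DDS_SAMPLE = """
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")  # e.g. "Files Infected:"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<name>\w+) = (?P<value>\d+)")

BROWSERS = {"chrome.exe", "firefox.exe", "opera.exe", "iexplore.exe"}
# Core Windows process names (my own list); a file carrying one of these names
# under a Temp folder is a masquerade, as seen in the first MBAM log above.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "spoolsv.exe", "svchost.exe", "cmd.exe"}


@dataclass
class Detection:
    section: str
    item: str      # registry key/value or file path
    family: str    # MBAM classification, e.g. Trojan.Dropper
    action: str    # what MBAM did, e.g. "Delete on reboot"


def parse_mbam(text):
    """Return one Detection per 'item (Family) -> action' line in the detail sections.
    Summary lines ('Files Infected: 52') and '(No malicious items detected)' are skipped."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            found.append(Detection(section, m["item"], m["family"], m["action"]))
    return found


def triage(detections):
    """Flag the detections a responder should verify by hand after the scan."""
    notes = []
    for d in detections:
        lowered = d.item.lower()
        name = lowered.rsplit("\\", 1)[-1]
        if "image file execution options" in lowered and name in BROWSERS:
            notes.append(f"IFEO entry for {name}: launches of the browser were being intercepted")
        if "\\currentversion\\run\\" in lowered:
            notes.append(f"Run-key persistence: {name}")
        if name in SYSTEM_NAMES and "\\temp\\" in lowered:
            notes.append(f"system process name in a Temp folder: {d.item}")
        if d.action.lower() == "delete on reboot":
            notes.append(f"still present until reboot: {name}")
    return notes


def uac_weaknesses(text):
    """Read the mPolicies-system lines and report settings that switch off UAC protections."""
    policies = {}
    for raw in text.splitlines():
        m = POLICY_RE.match(raw.strip())
        if m:
            policies[m["name"]] = int(m["value"])
    weak = []
    if policies.get("EnableLUA") == 0:
        weak.append("EnableLUA=0: UAC is disabled entirely")
    if policies.get("ConsentPromptBehaviorAdmin") == 0:
        weak.append("ConsentPromptBehaviorAdmin=0: administrators elevate with no prompt at all")
    if policies.get("PromptOnSecureDesktop") == 0:
        weak.append("PromptOnSecureDesktop=0: elevation prompts are not shown on the secure desktop")
    return weak


if __name__ == "__main__":
    for note in triage(parse_mbam(MBAM_SAMPLE)) + uac_weaknesses(DDS_SAMPLE):
        print(note)
```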


Sam LG:

It looks like you've run ComboFix on this PC. While you may see ComboFix being used quite often, the tool should not be run unsupervised (as stated in the Disclaimer that is first displayed by ComboFix when you run the tool). Going forward, I highly recommend you heed such instructions. As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced at root. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.

Please include the following in your next post:

  • TDSSKiller log


OK, I've found it, but I'm now worried because my other hard drive, D:, which has all my videos, pictures, music etc. on it, has disappeared.

Here's the file:

TDSSKiller.2.4.10.0_29.11.2010_18.54.30_log.txt


Sam LG:

Let's have a closer look:

Delete your existing copy of ComboFix and download a fresh one from either of the links below, saving it to your desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.


Please include the following in your next post:

  • ComboFix log


ComboFix 10-11-29.02 - Sam 11/29/2010 19:43:13.2.2 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1110 [GMT 0:00]

Running from: c:\users\Sam\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))

.

2010-11-29 19:52 . 2010-11-29 19:52 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-11-29 19:08 . 2010-11-29 19:08 -------- d-----w- c:\users\Sam\AppData\Local\Apple

2010-11-24 00:13 . 2010-11-24 00:13 2493643 ----a-w- c:\windows\system32\abgx360.exe

2010-11-23 18:25 . 2010-11-23 18:25 -------- d-----w- c:\users\Sam\AppData\Roaming\Media Player Classic

2010-11-23 16:46 . 2010-11-23 16:46 -------- d-----w- c:\users\Sam\AppData\Local\MetaGeek,_LLC

2010-11-23 16:42 . 2010-11-23 16:42 -------- d-----w- c:\program files\MetaGeek

2010-11-23 15:18 . 2010-11-29 19:52 -------- d-----w- c:\users\Sam\AppData\Local\temp

2010-11-23 15:11 . 2010-11-24 12:03 -------- d-----w- c:\users\Sam\AppData\Local\Adobe

2010-11-23 15:08 . 2010-11-23 15:08 -------- d-----w- C:\Device

2010-11-17 16:37 . 2010-11-29 12:23 -------- d-----w- c:\users\Sam\AppData\Roaming\skypePM

2010-11-16 14:05 . 2010-11-16 14:05 -------- d-----w- c:\windows\system32\wbem\Logs

2010-11-16 14:02 . 2010-11-23 18:28 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-16 14:02 . 2010-11-16 14:01 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2010-11-11 16:54 . 2010-11-11 20:05 -------- d-----w- c:\users\Sam\AppData\Roaming\Ugaxod

2010-11-09 00:19 . 2010-11-09 00:20 -------- d-----w- c:\windows\system32\the.walking.dead.s01e02.hdtv.xvid-fqm

2010-11-08 12:03 . 2010-11-08 12:07 -------- d-----w- c:\users\Sam\AppData\Roaming\Replay Media Catcher 4

2010-11-08 11:29 . 2010-11-13 20:47 -------- dc-h--w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-11-05 14:01 . 2010-11-08 12:38 -------- d-----w- C:\YouTubeVideos

2010-11-01 14:08 . 2010-11-01 14:08 -------- d-----w- c:\programdata\regid.1986-12.com.adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-13 12:51 . 2010-03-28 22:44 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-11-13 12:51 . 2010-03-29 23:53 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-10-13 22:28 . 2010-10-11 13:37 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-10-13 22:28 . 2010-10-11 13:37 141792 ----a-w- c:\windows\system32\mfevtps.exe

2010-10-13 22:28 . 2010-10-11 13:36 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-10-13 22:28 . 2010-10-11 13:36 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-10-13 22:28 . 2010-10-11 13:36 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys

2010-10-13 22:28 . 2010-10-11 13:36 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-10-13 22:28 . 2010-10-11 13:36 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys

2010-10-13 22:28 . 2010-10-11 13:36 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-10-13 22:28 . 2010-02-04 14:29 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-10-13 22:28 . 2010-02-04 14:29 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-10-13 22:28 . 2010-02-04 14:29 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-10-12 14:11 . 2010-10-12 13:46 58904 ----a-w- c:\windows\system32\sysfolderazipcnt.dll

2010-10-12 14:11 . 2010-10-12 13:46 58904 ----a-w- c:\windows\system32\azipcontmn.dll

2010-10-07 12:23 . 2010-10-07 12:23 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-10-07 12:23 . 2010-10-07 12:23 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-09-28 15:44 . 2010-09-28 15:44 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-09-28 15:44 . 2010-09-28 15:44 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-09-23 00:47 . 2010-09-23 00:47 49016 ----a-w- c:\windows\system32\sirenacm.dll

2010-09-21 14:03 . 2010-09-21 14:03 208768 ----a-w- c:\windows\system32\LIVESSP.DLL

2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-09-08 04:30 . 2010-10-13 09:53 978432 ----a-w- c:\windows\system32\wininet.dll

2010-09-08 04:28 . 2010-10-13 09:53 44544 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-08 03:22 . 2010-10-13 09:53 386048 ----a-w- c:\windows\system32\html.iec

2010-09-08 02:48 . 2010-10-13 09:53 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2010-09-01 04:23 . 2010-10-13 09:53 12625408 ----a-w- c:\windows\system32\wmploc.DLL

2010-09-01 02:34 . 2010-10-13 09:53 2327552 ----a-w- c:\windows\system32\win32k.sys

2010-10-13 22:28 . 2010-10-11 13:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

c:\windows\System32\config\systemprofile\AppData\Roaming\Adobe\AdobeUpdate .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-23 4240760]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-31 3399727]

"Google Update"="c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-02-20 135664]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTHelper"="CTHELPER.EXE" [2009-06-23 19456]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"F5D9050"="c:\program files\Belkin\F5D9050\Belkinwcui.exe" [N/A]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DevconDefaultDB"="c:\windows\system32\READREG" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux9"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-11-25 1375992]

R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2009-06-23 99352]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-01-29 79360]

R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2009-06-23 555032]

R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2009-06-23 100888]

R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2009-06-23 100888]

R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2009-06-23 566296]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-11-13 15264]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]

R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2009-07-13 1311232]

R3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-08 1343400]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-06 64288]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-05 691696]

S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]

S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]

S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]

S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]

S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-13 141792]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]

S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2009-06-23 99352]

S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2009-06-23 555032]

S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2009-06-23 566296]

S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2010-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1385836357-1252526137-3990224140-1000Core.job

- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-20 12:54]

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1385836357-1252526137-3990224140-1000UA.job

- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-20 12:54]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://uk.yahoo.com

mStart Page = hxxp://uk.yahoo.com

uInternet Settings,ProxyOverride = *.local

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2010-11-29 19:55:01

ComboFix-quarantined-files.txt 2010-11-29 19:55

ComboFix2.txt 2010-11-23 15:18

Pre-Run: 106,248,949,760 bytes free

Post-Run: 106,410,233,856 bytes free

- - End Of File - - 2BB3F935BCE305D70D09A65718B211F5


Sam LG:

Are you still not able to see or access your other drive? If you still can't access it, please tell me more about it (ie: internal or external, bootable or not bootable, etc.) Please do this for me next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad, making sure there is no space before and above http://

http://forums.malwarebytes.org/index.php?showtopic=68896
Collect::
c:\windows\system32\sysfolderazipcnt.dll
c:\windows\system32\azipcontmn.dll
DirLook::
c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}
Folder::
c:\users\Sam\AppData\Roaming\Ugaxod
RenV::
c:\windows\System32\config\systemprofile\AppData\Roaming\Adobe\AdobeUpdate .exe

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Please include the following in your next post:

  • ComboFix log

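An added example in Python, not part of this thread and not ComboFix's own code: it parses a CFScript of the kind above into its directives (Collect::, DirLook::, Folder::, RenV::), looks each targeted path up in ComboFix "Files Created"/"Find3M" log lines like those in the previous log, and applies two triage heuristics of my own (whitespace before a file extension, and system32 files that share both size and creation time). The sample log and script lines are copied from this thread; all function names are mine.

```python
# Added example (not ComboFix's code and not from this thread): parse a CFScript,
# cross-reference its targets against ComboFix log entries, and flag oddities.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# ComboFix "Files Created" / "Find3M" entry: <created> . <modified> <size|----> <attrs> <path>
LOG_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
DIRECTIVE = re.compile(r"^(?P<name>[A-Za-z]+)::$")  # e.g. "Collect::", "Folder::"

# Sample input constructed from lines quoted in this thread.
SAMPLE_LOG = r"""
2010-11-11 16:54 . 2010-11-11 20:05 -------- d-----w- c:\users\Sam\AppData\Roaming\Ugaxod
2010-11-08 11:29 . 2010-11-13 20:47 -------- dc-h--w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-10-12 14:11 . 2010-10-12 13:46 58904 ----a-w- c:\windows\system32\sysfolderazipcnt.dll
2010-10-12 14:11 . 2010-10-12 13:46 58904 ----a-w- c:\windows\system32\azipcontmn.dll
2010-10-07 12:23 . 2010-10-07 12:23 91424 ----a-w- c:\windows\system32\dnssd.dll
"""
SAMPLE_SCRIPT = r"""
http://forums.malwarebytes.org/index.php?showtopic=68896
Collect::
c:\windows\system32\sysfolderazipcnt.dll
c:\windows\system32\azipcontmn.dll
DirLook::
c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}
Folder::
c:\users\Sam\AppData\Roaming\Ugaxod
RenV::
c:\windows\System32\config\systemprofile\AppData\Roaming\Adobe\AdobeUpdate .exe
"""

@dataclass
class LogEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (ComboFix prints dashes instead of a size)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

def parse_log(text: str) -> List[LogEntry]:
    """Keep only the lines that look like ComboFix file/directory entries."""
    entries = []
    for m in filter(None, (LOG_LINE.match(line.strip()) for line in text.splitlines())):
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(LogEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries

def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument lines; the leading URL and blank lines are skipped."""
    script: Dict[str, List[str]] = {}
    current = None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = DIRECTIVE.match(line)
        if m:
            current = script.setdefault(m["name"], [])
        elif current is not None:
            current.append(line)
    return script

def cross_reference(script: Dict[str, List[str]], entries: List[LogEntry]):
    """(directive, path) -> the matching log entry, or None; Windows paths compare case-insensitively."""
    by_path = {e.path.lower(): e for e in entries}
    return {(d, p): by_path.get(p.lower()) for d, paths in script.items() for p in paths}

def name_oddity(path: str) -> Optional[str]:
    """Illustrative check (mine): whitespace before the extension, as in 'AdobeUpdate .exe'."""
    name = path.rsplit("\\", 1)[-1]
    return "whitespace before the file extension" if re.search(r"\s+\.\w+$", name) else None

def flag_oddities(entries: List[LogEntry]) -> List[Tuple[str, str]]:
    """Illustrative heuristics (mine, not ComboFix's): odd names, and system32 files sharing size and ctime."""
    findings = []
    groups: Dict[Tuple[str, Optional[int]], List[str]] = {}
    for e in entries:
        reason = name_oddity(e.path)
        if reason:
            findings.append((e.path, reason))
        if not e.is_dir and "\\system32\\" in e.path.lower():
            groups.setdefault((e.created, e.size), []).append(e.path)
    for (created, size), paths in groups.items():
        if len(paths) > 1:
            for p in paths:
                findings.append((p, f"same size ({size}) and creation time ({created}) as "
                                    f"{len(paths) - 1} other system32 file(s)"))
    return findings

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for (directive, path), e in cross_reference(parse_cfscript(SAMPLE_SCRIPT), entries).items():
        print(f"{directive:8} {path} -> {'not in listing' if e is None else e.attrs}")
    for path, reason in flag_oddities(entries):
        print(f"FLAG {path}: {reason}")
```

Run directly, it prints which log entry each directive acts on (the RenV target is absent from the parsed listing, as it appeared in a separate section of the log) and flags the two same-sized system32 DLLs.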

D:/ was an internal hard drive but C:\ is what I boot from

Here's the content of combofix

ComboFix 10-11-29.05 - Sam 11/30/2010 9:44.3.2 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.979 [GMT 0:00]

Running from: c:\users\Sam\Desktop\ComboFix.exe

Command switches used :: c:\users\Sam\Desktop\CFScript.txt

file zipped: c:\windows\system32\azipcontmn.dll

file zipped: c:\windows\system32\sysfolderazipcnt.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\Sam\AppData\Roaming\Ugaxod

c:\users\Sam\AppData\Roaming\Ugaxod\ubru.abu

c:\windows\system32\azipcontmn.dll

c:\windows\system32\sysfolderazipcnt.dll

.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))

.

2010-11-30 09:53 . 2010-11-30 09:53 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-11-29 19:08 . 2010-11-29 19:08 -------- d-----w- c:\users\Sam\AppData\Local\Apple

2010-11-29 19:03 . 2010-10-19 08:10 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll

2010-11-24 00:13 . 2010-11-24 00:13 2493643 ----a-w- c:\windows\system32\abgx360.exe

2010-11-23 18:25 . 2010-11-23 18:25 -------- d-----w- c:\users\Sam\AppData\Roaming\Media Player Classic

2010-11-23 16:46 . 2010-11-23 16:46 -------- d-----w- c:\users\Sam\AppData\Local\MetaGeek,_LLC

2010-11-23 16:42 . 2010-11-23 16:42 -------- d-----w- c:\program files\MetaGeek

2010-11-23 15:18 . 2010-11-30 09:53 -------- d-----w- c:\users\Sam\AppData\Local\temp

2010-11-23 15:11 . 2010-11-24 12:03 -------- d-----w- c:\users\Sam\AppData\Local\Adobe

2010-11-23 15:08 . 2010-11-23 15:08 -------- d-----w- C:\Device

2010-11-17 16:37 . 2010-11-29 12:23 -------- d-----w- c:\users\Sam\AppData\Roaming\skypePM

2010-11-16 14:05 . 2010-11-16 14:05 -------- d-----w- c:\windows\system32\wbem\Logs

2010-11-16 14:02 . 2010-11-23 18:28 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-16 14:02 . 2010-11-16 14:01 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2010-11-09 00:19 . 2010-11-09 00:20 -------- d-----w- c:\windows\system32\the.walking.dead.s01e02.hdtv.xvid-fqm

2010-11-08 12:03 . 2010-11-08 12:07 -------- d-----w- c:\users\Sam\AppData\Roaming\Replay Media Catcher 4

2010-11-08 11:29 . 2010-11-13 20:47 -------- dc-h--w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-11-05 14:01 . 2010-11-08 12:38 -------- d-----w- C:\YouTubeVideos

2010-11-01 14:08 . 2010-11-01 14:08 -------- d-----w- c:\programdata\regid.1986-12.com.adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-13 12:51 . 2010-03-28 22:44 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-11-13 12:51 . 2010-03-29 23:53 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-10-13 22:28 . 2010-10-11 13:37 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-10-13 22:28 . 2010-10-11 13:37 141792 ----a-w- c:\windows\system32\mfevtps.exe

2010-10-13 22:28 . 2010-10-11 13:36 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-10-13 22:28 . 2010-10-11 13:36 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-10-13 22:28 . 2010-10-11 13:36 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys

2010-10-13 22:28 . 2010-10-11 13:36 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-10-13 22:28 . 2010-10-11 13:36 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys

2010-10-13 22:28 . 2010-10-11 13:36 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-10-13 22:28 . 2010-02-04 14:29 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-10-13 22:28 . 2010-02-04 14:29 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-10-13 22:28 . 2010-02-04 14:29 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-10-07 12:23 . 2010-10-07 12:23 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-10-07 12:23 . 2010-10-07 12:23 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-09-28 15:44 . 2010-09-28 15:44 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-09-28 15:44 . 2010-09-28 15:44 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-09-23 00:47 . 2010-09-23 00:47 49016 ----a-w- c:\windows\system32\sirenacm.dll

2010-09-21 14:03 . 2010-09-21 14:03 208768 ----a-w- c:\windows\system32\LIVESSP.DLL

2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-09-08 04:30 . 2010-10-13 09:53 978432 ----a-w- c:\windows\system32\wininet.dll

2010-09-08 04:28 . 2010-10-13 09:53 44544 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-08 03:22 . 2010-10-13 09:53 386048 ----a-w- c:\windows\system32\html.iec

2010-09-08 02:48 . 2010-10-13 09:53 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2010-10-13 22:28 . 2010-10-11 13:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097} ----

2010-11-08 11:29 . 2010-11-08 11:29 90 -c--a-w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}\instance.dat

2010-11-08 11:29 . 2010-11-08 11:29 9 -c--a-w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}\Ad-AwareInstall.lan

2010-11-08 11:29 . 2010-11-08 11:29 5031 -c--a-w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}\Ad-AwareInstall.par

2010-11-08 11:29 . 2010-11-08 11:29 454 -c--a-w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}\Ad-AwareInstall.dat

2010-11-08 11:29 . 2010-09-23 07:46 574219 -c--a-w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}\mia.lib

2010-11-08 11:29 . 2010-09-23 07:46 21611885 -c--a-w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}\Ad-AwareInstall.res

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-23 4240760]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-31 3399727]

"Google Update"="c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-02-20 135664]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTHelper"="CTHELPER.EXE" [2009-06-23 19456]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DevconDefaultDB"="c:\windows\system32\READREG" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux9"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-11-25 1375992]

R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2009-06-23 99352]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-01-29 79360]

R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2009-06-23 555032]

R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2009-06-23 100888]

R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2009-06-23 100888]

R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2009-06-23 566296]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-11-13 15264]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]

R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2009-07-13 1311232]

R3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-08 1343400]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-06 64288]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-05 691696]

S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]

S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]

S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]

S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]

S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-13 141792]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]

S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2009-06-23 99352]

S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2009-06-23 555032]

S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2009-06-23 566296]

S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2010-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1385836357-1252526137-3990224140-1000Core.job

- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-20 12:54]

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1385836357-1252526137-3990224140-1000UA.job

- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-20 12:54]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://uk.yahoo.com

mStart Page = hxxp://uk.yahoo.com

uInternet Settings,ProxyOverride = *.local

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-F5D9050 - c:\program files\Belkin\F5D9050\Belkinwcui.exe

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2010-11-30 09:55:21

ComboFix-quarantined-files.txt 2010-11-30 09:55

ComboFix2.txt 2010-11-29 19:55

ComboFix3.txt 2010-11-23 15:18

Pre-Run: 112,068,317,184 bytes free

Post-Run: 111,691,202,560 bytes free

- - End Of File - - F2217B10C13BDF7F9CD699D8981F3C06


Sam LG:

Just to verify - Since running TDSSKiller, your internal hard drive (d:\) that is used only for storage is no longer visible to you. Is that correct? Other than that issue, how is your computer running? Please do this while I do some checking about that drive:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please run ESET Online Scanner

  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

Please include the following in your next post:

  • MBAM log
  • ESET log


My D:\ drive has disappeared completely yes. I wouldn't even have a clue how to get it back. Computer seems to be running a lot better now so something is going right!

Here's the ESET log

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=467cf940764efc4192fc5e193e121dde

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-11-30 05:43:43

# local_time=2010-11-30 05:43:43 (+0000, GMT Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7600 NT

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=5121 16777213 100 75 373429 8306310 0 0

# compatibility_mode=5893 16776574 100 94 21289679 43599463 0 0

# compatibility_mode=8192 67108863 100 0 3848 3848 0 0

# scanned=204713

# found=4

# cleaned=0

# scan_time=5951

C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EQ trojan 00000000000000000000000000000000 I

C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\5f3a5acd-1b951e47 a variant of Java/Exploit.Agent.NAL trojan 00000000000000000000000000000000 I

C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\13d9cb54-2b15fcc0 a variant of Java/Exploit.Agent.NAL trojan 00000000000000000000000000000000 I

C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\6f3d3058-6aa37108 a variant of Java/Exploit.Agent.NAL trojan 00000000000000000000000000000000 I

and the Malware Bytes one

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5219

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

11/30/2010 3:50:50 PM

mbam-log-2010-11-30 (15-50-50).txt

Scan type: Quick scan

Objects scanned: 146755

Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe\plugs\kb1599984.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Sam LG:

I've asked for assistance from some colleagues with your storage drive issue. In the meantime, these steps will take care of those ESET detections:

Click Start > Run or Press Windows Key + R and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "C:\Users\Public\Documents\Server\hlp.dat"

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

I'll get back with you as soon as I have more information about your drive. Thanks for your patience.

Please do this for me also:

Click Start > Run or press Windows Key + R copy/paste the following into the run box that opens and press OK:

ComboFix3.txt

Post the log that opens, please.

Link to post
Share on other sites

Sam LG:

Click Start > Run or Press Windows Key + R and copy/paste the following single-line command into the Run box and click OK:

diskmgmt.msc

Capture and post a screen shot of the window that opens for me, please. Here are instructions if you need them LINK

Do you have any idea why this is disabled?:

Class GUID: {4d36e97b-e325-11ce-bfc1-08002be10318}

Description: VIA VT6421 RAID Controller

Device ID: PCI\VEN_1106&DEV_3249&SUBSYS_32491106&REV_50\3&2411E6FE&1&50

Manufacturer: VIA Technologies, Inc.

Name: VIA VT6421 RAID Controller

PNP Device ID: PCI\VEN_1106&DEV_3249&SUBSYS_32491106&REV_50\3&2411E6FE&1&50

Service: vsmraid

Link to post
Share on other sites

Hey,

I've attached the screenshot. I don't know what that is that's been disabled. Is it a bad thing?


Link to post
Share on other sites

Sam LG:

I need to warn you that the information you posted for us shows that you are in danger of losing everything on that disk. I have one of the most well respected experts in the field helping me with this behind the scenes. It is vital that you NOT try to do anything on your own to recover the data (ie: recovery software). I have quite a few things for you to do:

Click Start > Run or press Windows Key + R copy/paste the following into the run box that opens and press OK:

devmgmt.msc

That should open your Device Manager. Find the following devices and re-enable them (right click > Enable)

Class GUID: {4d36e97b-e325-11ce-bfc1-08002be10318}

Description: VIA VT6421 RAID Controller

Device ID: PCI\VEN_1106&DEV_3249&SUBSYS_32491106&REV_50\3&2411E6FE&1&50

Manufacturer: VIA Technologies, Inc.

Name: VIA VT6421 RAID Controller

PNP Device ID: PCI\VEN_1106&DEV_3249&SUBSYS_32491106&REV_50\3&2411E6FE&1&50

Service: vsmraid

Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}

Description: Creative Game Port

Device ID: PCI\VEN_1102&DEV_7003&SUBSYS_00401102&REV_04\3&2411E6FE&1&49

Manufacturer: Creative

Name: Creative Game Port

PNP Device ID: PCI\VEN_1102&DEV_7003&SUBSYS_00401102&REV_04\3&2411E6FE&1&49

Service:

If you get any error messages, please write down exactly what they say and post them for us. Once you are done, reboot once.

Run DDS for me again and post the new DDS.txt and Attach.txt logs.

I know I've asked you before, but it's important that we know, to the best of your ability, exactly when that drive disappeared. Are you certain it was visible prior to running TDSSKiller?

Open notepad and copy/paste the text in the quotebox below into it:

@ECHO OFF
CD /D "%~DP0"
FOR /L %%G IN ( 0,1,1 ) DO @(
"%WINDIR%\MBR.exe" -d%%G -c 0 1 MBR_DISK%%G.DAT
)>>MBR.txt
DEL MBR.log
Zip -m Uploadthis "%CD%\MBR_*.DAT" "%CD%\mbr.txt"
Zip Uploadthis "%ProgramData%\Malwarebytes\Malwarebytes' Anti-Malware\Logs\*.txt"
Zip Uploadthis "%APPDATA%\Malwarebytes\Malwarebytes' Anti-Malware\Logs\*.txt"
Zip Uploadthis "%SYSTEMDRIVE%\Qoobox\ComboFix*.txt"
Zip Uploadthis "%SYSTEMDRIVE%\ComboFix.txt"
Zip Uploadthis "%WINDIR%\ntbtlog.txt"
DEL %0

Save this as logs.bat. Choose "Save type as - All Files".

It should look like this (yours may vary slightly): bat_icon.gif

Double click on logs.bat & allow it to run. This should place a zip file named UploadThis.zip.

Please visit this site

  • In the Link to topic where this file was requested: field, enter the following:
    http://forums.malwarebytes.org/index.php?showtopic=68896


  • In the Browse to the file you want to submit: field, click on browse and navigate to the UploadThis.zip file that was created.
  • In the comments field enter the following:
    Logs from RPMcMurphy's thread with missing storage drive
  • Press the send file button.

Download the Event Viewer Tool by Vino Rosso VEW and save it to your Desktop:

  • Double-click VEW.exe
  • Under 'Select log to query', select:
    Application
    System
  • Under 'Select type to list', select all of the items available
  • Click the radio button for 'Date of events'
  • Enter 11-22-2010 and today's date for your range
  • Then click the Run button.
  • Notepad will open with the output log.
  • Please post the Output log in your next reply

Please include the following in your next post:

  • Advise if you were able to re-enable those devices - include any error messages
  • DDS.txt and Attach.txt logs
  • Answer my inquiry about exactly when the drive disappeared
  • Confirm that you were able to create and run the batch file and upload the resulting zip file
  • The Vino Event View log output

Link to post
Share on other sites
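The batch file in the post above captures sector 0 of disks 0 and 1 into MBR_DISKn.DAT files so they can be inspected offline. The Python script below is an added example for this thread, not a tool used in it and not part of MBR.exe: it parses such a dump and reports the checks a responder makes before deciding whether a disk's data is recoverable (boot signature, partition table sanity, and whether the bootstrap code matches a known-good fingerprint). It assumes each .DAT file is one raw 512-byte sector; the sample sectors are constructed in build_sample_mbr(), and the known-good hash is whatever you compute from a clean machine.

```python
"""Parse a raw MBR sector dump (e.g. an MBR_DISKn.DAT file written by MBR.exe).
Added example; the sample sectors below are constructed, not taken from the thread."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

SECTOR_SIZE = 512
TABLE_OFFSET = 446      # four 16-byte partition entries start here
BOOTSTRAP_LEN = 440     # boot code; bytes 440-443 hold the disk signature
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
    0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0x27: "Windows RE",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


@dataclass
class Partition:
    index: int
    status: int          # 0x80 = active/bootable, 0x00 = inactive
    type_code: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sectors - 1

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_code, "unknown 0x%02x" % self.type_code)


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries; empty slots are skipped."""
    parts = []
    for i in range(4):
        entry = mbr[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, start, size = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 and size == 0:
            continue
        parts.append(Partition(i, status, ptype, start, size))
    return parts


def bootstrap_sha256(mbr: bytes) -> str:
    """Fingerprint of the boot code only (the part a bootkit rewrites)."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def analyze_mbr(mbr: bytes, known_good_sha256: Optional[str] = None) -> dict:
    """Return {"ok", "findings", "partitions"} for one sector dump."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        findings.append("dump is %d bytes, expected %d" % (len(mbr), SECTOR_SIZE))
        return {"ok": False, "findings": findings, "partitions": []}
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("0x55AA boot signature missing: sector is not a valid MBR")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("partition table is empty: no volume on this disk can mount")
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02x" % (p.index, p.status))
        if p.sectors == 0:
            findings.append("entry %d has zero length" % p.index)
    ordered = sorted(parts, key=lambda p: p.start_lba)
    for a, b in zip(ordered, ordered[1:]):
        if a.end_lba >= b.start_lba:
            findings.append("entries %d and %d overlap" % (a.index, b.index))
    if known_good_sha256 and bootstrap_sha256(mbr) != known_good_sha256.lower():
        findings.append("bootstrap code differs from the known-good fingerprint")
    return {"ok": not findings, "findings": findings, "partitions": parts}


def load_dump(path: str) -> bytes:
    """Read one 512-byte sector from a .DAT file produced by MBR.exe."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(partitions, bootstrap: bytes = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c") -> bytes:
    """Constructed test sector; partitions are (status, type, start_lba, sectors)."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    disk_signature = b"\x78\x56\x34\x12"   # arbitrary constructed value
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return code + disk_signature + b"\x00\x00" + table + BOOT_SIGNATURE


if __name__ == "__main__":
    healthy = build_sample_mbr([(0x80, 0x07, 2048, 1_000_000)])
    wiped = build_sample_mbr([])            # boot code intact, table zeroed
    for name, sector in (("healthy", healthy), ("wiped", wiped)):
        result = analyze_mbr(sector, known_good_sha256=bootstrap_sha256(healthy))
        print(name, "ok" if result["ok"] else result["findings"])
        for p in result["partitions"]:
            print("  entry %d: %s, LBA %d-%d" % (p.index, p.type_name, p.start_lba, p.end_lba))
```

Run it against a real capture with `analyze_mbr(load_dump("MBR_DISK1.DAT"))`; an empty or overlapping table on a disk whose volume has just vanished is the sign to stop and preserve the disk rather than write to it.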

DDS:

DDS (Ver_10-11-27.01) - NTFSx86

Run by Sam at 11:53:31.82 on Thu 12/02/2010

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.689 [GMT 0:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Digidesign\Drivers\MMERefresh.exe

C:\Windows\system32\mfevtps.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Users\Sam\AppData\Local\TVersity\Media Server\MediaServer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\System32\CtHelper.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Free Download Manager\fdm.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sam\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\mmc.exe

C:\Users\Sam\Desktop\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://uk.yahoo.com

mStart Page = hxxp://uk.yahoo.com

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101103112718.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL

BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun

uRun: [Google Update] "c:\users\sam\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

mRun: [CTHelper] CTHELPER.EXE

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe

dRun: [DevconDefaultDB] c:\windows\system32\READREG /SILENT /FAIL=1

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL

============= SERVICES / DRIVERS ===============

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-11 55840]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]

=============== Created Last 30 ================

2010-12-02 11:29:03 -------- d-----w- c:\users\sam\appdata\local\{3DE55FCF-57EC-4490-B481-49C6190D541E}

2010-12-01 23:24:36 -------- d-----w- C:\Avid MediaFiles

2010-12-01 23:19:44 -------- d-----w- c:\users\sam\appdata\roaming\Avid

2010-12-01 23:19:20 -------- d-----w- c:\users\sam\appdata\roaming\PACE Anti-Piracy

2010-12-01 23:19:20 -------- d-----w- c:\users\sam\appdata\local\PACE Anti-Piracy

2010-12-01 23:19:20 -------- d-----w- c:\program files\common files\PACE Anti-Piracy

2010-12-01 23:19:20 -------- d-----w- c:\progra~2\PACE Anti-Piracy

2010-12-01 23:17:02 -------- d-----w- c:\progra~2\Avid

2010-12-01 23:06:43 -------- d-----w- c:\windows\system32\MEDIA

2010-12-01 23:05:31 -------- d-----w- c:\program files\common files\PACE

2010-12-01 22:53:35 -------- d-----w- c:\program files\common files\SafeNet Sentinel

2010-12-01 22:50:19 -------- d-----w- c:\program files\Digidesign

2010-12-01 22:50:18 -------- d-----w- c:\program files\common files\Digidesign

2010-12-01 22:48:22 -------- d-----w- c:\program files\common files\Avid

2010-12-01 22:45:21 -------- d-----w- c:\program files\Licenses

2010-12-01 22:45:07 -------- d-----w- c:\program files\Avid

2010-12-01 20:31:54 -------- d-----w- c:\users\sam\appdata\local\{36215A77-CDCA-425A-B685-813399EC9879}

2010-12-01 20:30:26 -------- d-----w- c:\windows\en

2010-12-01 20:14:57 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2010-12-01 20:14:57 515416 ----a-w- c:\windows\system32\XAudio2_5.dll

2010-12-01 20:14:56 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

2010-12-01 20:14:40 15712 ----a-w- c:\program files\common files\windows live\.cache\6204c9af1cb919405\MeshBetaRemover.exe

2010-12-01 20:14:37 94040 ----a-w- c:\program files\common files\windows live\.cache\5f44db621cb919404\DSETUP.dll

2010-12-01 20:14:37 525656 ----a-w- c:\program files\common files\windows live\.cache\5f44db621cb919404\DXSETUP.exe

2010-12-01 20:14:37 1691480 ----a-w- c:\program files\common files\windows live\.cache\5f44db621cb919404\dsetup32.dll

2010-12-01 20:14:12 94040 ----a-w- c:\program files\common files\windows live\.cache\50a005d81cb919403\DSETUP.dll

2010-12-01 20:14:12 525656 ----a-w- c:\program files\common files\windows live\.cache\50a005d81cb919403\DXSETUP.exe

2010-12-01 20:14:12 1691480 ----a-w- c:\program files\common files\windows live\.cache\50a005d81cb919403\dsetup32.dll

2010-12-01 20:13:51 2983424 ----a-w- c:\windows\system32\UIRibbon.dll

2010-12-01 20:13:51 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll

2010-12-01 17:22:41 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2010-11-30 16:00:24 -------- d-----w- c:\program files\ESET

2010-11-30 09:58:17 -------- d-sh--w- C:\$RECYCLE.BIN

2010-11-29 19:08:10 -------- d-----w- c:\users\sam\appdata\local\Apple

2010-11-29 19:03:05 7680 ----a-w- c:\program files\internet explorer\iecompat.dll

2010-11-24 00:13:28 2493643 ----a-w- c:\windows\system32\abgx360.exe

2010-11-23 16:46:49 -------- d-----w- c:\users\sam\appdata\local\MetaGeek,_LLC

2010-11-23 16:42:52 -------- d-----w- c:\program files\MetaGeek

2010-11-23 15:18:34 -------- d-----w- c:\users\sam\appdata\local\temp

2010-11-23 15:11:20 -------- d-----w- c:\users\sam\appdata\local\Adobe

2010-11-23 15:08:38 -------- d-----w- C:\Device

2010-11-23 14:45:14 98816 ----a-w- c:\windows\sed.exe

2010-11-23 14:45:14 89088 ----a-w- c:\windows\MBR.exe

2010-11-23 14:45:14 256512 ----a-w- c:\windows\PEV.exe

2010-11-23 14:45:14 161792 ----a-w- c:\windows\SWREG.exe

2010-11-16 14:05:47 -------- d-----w- c:\windows\system32\wbem\Logs

2010-11-16 14:02:07 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-16 14:02:07 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2010-11-14 13:43:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-14 13:43:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-14 12:52:46 -------- d-----w- c:\users\sam\appdata\local\Windows Live

2010-11-14 12:51:49 196608 ----a-w- c:\windows\system32\mfreadwrite.dll

2010-11-14 12:51:48 3181568 ----a-w- c:\windows\system32\mf.dll

2010-11-14 12:51:48 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL

2010-11-13 13:58:37 -------- d-----w- c:\program files\iTunes

2010-11-13 13:58:37 -------- d-----w- c:\program files\iPod

2010-11-13 13:52:27 -------- d-----w- c:\program files\Bonjour

2010-11-12 21:44:44 0 ----a-w- c:\users\sam\appdata\local\Yfujukifurizevu.bin

2010-11-11 17:09:51 -------- d-----w- c:\users\sam\appdata\roaming\Malwarebytes

2010-11-11 17:09:35 -------- d-----w- c:\progra~2\Malwarebytes

2010-11-11 17:09:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-10 02:54:18 49016 ----a-w- c:\windows\system32\sirenacm.dll

2010-11-10 02:28:46 301936 ----a-w- c:\windows\WLXPGSS.SCR

2010-11-09 00:19:57 -------- d-----w- c:\windows\system32\the.walking.dead.s01e02.hdtv.xvid-fqm

2010-11-08 12:03:44 -------- d-----w- c:\users\sam\appdata\roaming\Replay Media Catcher 4

2010-11-08 11:29:21 -------- dc-h--w- c:\progra~2\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-11-05 14:01:11 -------- d-----w- C:\YouTubeVideos

==================== Find3M ====================

2010-11-13 12:51:08 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-10-13 22:28:54 141792 ----a-w- c:\windows\system32\mfevtps.exe

2010-10-07 12:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-10-07 12:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-09-28 15:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-09-21 14:03:14 208768 ----a-w- c:\windows\system32\LIVESSP.DLL

2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll

2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec

2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb

============= FINISH: 11:55:35.83 ===============

The things which look disabled I can't 'Enable', it just says Disable. I think I might have got rid of these drivers when I was flashing my xbox as they probably got in the way, but I have no idea what they are.

Yes it was after TDS when D: disappeared, at the end of the log it says /Harddisk1 will be cured, so that was more than likely the cause.

Everything else attacked

Link to post
Share on other sites

attached I meant, but I don't know if they have...?


IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL

============= SERVICES / DRIVERS ===============

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-11 55840]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]

=============== Created Last 30 ================

2010-12-02 11:29:03 -------- d-----w- c:\users\sam\appdata\local\{3DE55FCF-57EC-4490-B481-49C6190D541E}

2010-12-01 23:24:36 -------- d-----w- C:\Avid MediaFiles

2010-12-01 23:19:44 -------- d-----w- c:\users\sam\appdata\roaming\Avid

2010-12-01 23:19:20 -------- d-----w- c:\users\sam\appdata\roaming\PACE Anti-Piracy

2010-12-01 23:19:20 -------- d-----w- c:\users\sam\appdata\local\PACE Anti-Piracy

2010-12-01 23:19:20 -------- d-----w- c:\program files\common files\PACE Anti-Piracy

2010-12-01 23:19:20 -------- d-----w- c:\progra~2\PACE Anti-Piracy

2010-12-01 23:17:02 -------- d-----w- c:\progra~2\Avid

2010-12-01 23:06:43 -------- d-----w- c:\windows\system32\MEDIA

2010-12-01 23:05:31 -------- d-----w- c:\program files\common files\PACE

2010-12-01 22:53:35 -------- d-----w- c:\program files\common files\SafeNet Sentinel

2010-12-01 22:50:19 -------- d-----w- c:\program files\Digidesign

2010-12-01 22:50:18 -------- d-----w- c:\program files\common files\Digidesign

2010-12-01 22:48:22 -------- d-----w- c:\program files\common files\Avid

2010-12-01 22:45:21 -------- d-----w- c:\program files\Licenses

2010-12-01 22:45:07 -------- d-----w- c:\program files\Avid

2010-12-01 20:31:54 -------- d-----w- c:\users\sam\appdata\local\{36215A77-CDCA-425A-B685-813399EC9879}

2010-12-01 20:30:26 -------- d-----w- c:\windows\en

2010-12-01 20:14:57 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2010-12-01 20:14:57 515416 ----a-w- c:\windows\system32\XAudio2_5.dll

2010-12-01 20:14:56 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

2010-12-01 20:14:40 15712 ----a-w- c:\program files\common files\windows live\.cache\6204c9af1cb919405\MeshBetaRemover.exe

2010-12-01 20:14:37 94040 ----a-w- c:\program files\common files\windows live\.cache\5f44db621cb919404\DSETUP.dll

2010-12-01 20:14:37 525656 ----a-w- c:\program files\common files\windows live\.cache\5f44db621cb919404\DXSETUP.exe

2010-12-01 20:14:37 1691480 ----a-w- c:\program files\common files\windows live\.cache\5f44db621cb919404\dsetup32.dll

2010-12-01 20:14:12 94040 ----a-w- c:\program files\common files\windows live\.cache\50a005d81cb919403\DSETUP.dll

2010-12-01 20:14:12 525656 ----a-w- c:\program files\common files\windows live\.cache\50a005d81cb919403\DXSETUP.exe

2010-12-01 20:14:12 1691480 ----a-w- c:\program files\common files\windows live\.cache\50a005d81cb919403\dsetup32.dll

2010-12-01 20:13:51 2983424 ----a-w- c:\windows\system32\UIRibbon.dll

2010-12-01 20:13:51 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll

2010-12-01 17:22:41 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2010-11-30 16:00:24 -------- d-----w- c:\program files\ESET

2010-11-30 09:58:17 -------- d-sh--w- C:\$RECYCLE.BIN

2010-11-29 19:08:10 -------- d-----w- c:\users\sam\appdata\local\Apple

2010-11-29 19:03:05 7680 ----a-w- c:\program files\internet explorer\iecompat.dll

2010-11-24 00:13:28 2493643 ----a-w- c:\windows\system32\abgx360.exe

2010-11-23 16:46:49 -------- d-----w- c:\users\sam\appdata\local\MetaGeek,_LLC

2010-11-23 16:42:52 -------- d-----w- c:\program files\MetaGeek

2010-11-23 15:18:34 -------- d-----w- c:\users\sam\appdata\local\temp

2010-11-23 15:11:20 -------- d-----w- c:\users\sam\appdata\local\Adobe

2010-11-23 15:08:38 -------- d-----w- C:\Device

2010-11-23 14:45:14 98816 ----a-w- c:\windows\sed.exe

2010-11-23 14:45:14 89088 ----a-w- c:\windows\MBR.exe

2010-11-23 14:45:14 256512 ----a-w- c:\windows\PEV.exe

2010-11-23 14:45:14 161792 ----a-w- c:\windows\SWREG.exe

2010-11-16 14:05:47 -------- d-----w- c:\windows\system32\wbem\Logs

2010-11-16 14:02:07 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-16 14:02:07 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2010-11-14 13:43:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-14 13:43:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-14 12:52:46 -------- d-----w- c:\users\sam\appdata\local\Windows Live

2010-11-14 12:51:49 196608 ----a-w- c:\windows\system32\mfreadwrite.dll

2010-11-14 12:51:48 3181568 ----a-w- c:\windows\system32\mf.dll

2010-11-14 12:51:48 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL

2010-11-13 13:58:37 -------- d-----w- c:\program files\iTunes

2010-11-13 13:58:37 -------- d-----w- c:\program files\iPod

2010-11-13 13:52:27 -------- d-----w- c:\program files\Bonjour

2010-11-12 21:44:44 0 ----a-w- c:\users\sam\appdata\local\Yfujukifurizevu.bin

2010-11-11 17:09:51 -------- d-----w- c:\users\sam\appdata\roaming\Malwarebytes

2010-11-11 17:09:35 -------- d-----w- c:\progra~2\Malwarebytes

2010-11-11 17:09:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-10 02:54:18 49016 ----a-w- c:\windows\system32\sirenacm.dll

2010-11-10 02:28:46 301936 ----a-w- c:\windows\WLXPGSS.SCR

2010-11-09 00:19:57 -------- d-----w- c:\windows\system32\the.walking.dead.s01e02.hdtv.xvid-fqm

2010-11-08 12:03:44 -------- d-----w- c:\users\sam\appdata\roaming\Replay Media Catcher 4

2010-11-08 11:29:21 -------- dc-h--w- c:\progra~2\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-11-05 14:01:11 -------- d-----w- C:\YouTubeVideos

==================== Find3M ====================

2010-11-13 12:51:08 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-10-13 22:28:54 141792 ----a-w- c:\windows\system32\mfevtps.exe

2010-10-07 12:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-10-07 12:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-09-28 15:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-09-21 14:03:14 208768 ----a-w- c:\windows\system32\LIVESSP.DLL

2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll

2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec

2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb

============= FINISH: 11:55:35.83 ===============

The things which look disabled I can't 'Enable'; it just says Disable. I think I might have got rid of these drivers when I was flashing my Xbox, as they probably got in the way, but I have no idea what they are.

Yes, it was after TDS when D: disappeared. At the end of the log it says /Harddisk1 will be cured, so that was more than likely the cause.

Everything else attached.

VEW.txt

Attach.txt


Sam LG:

That was all helpful! Please do this for me:

Open Notepad and copy/paste the text in the quotebox below into it:

@"%WINDIR%\MBR.exe" -d0 -c 0 63 MBR_DISK.ZIP

Save this as dump.bat. Choose "Save type as - All Files".

It should look like this (yours may vary slightly): [image: bat_icon.gif]

Double click on dump.bat and allow it to run. This should produce a zip file named MBR_DISK.ZIP.

Please visit this site:

  • In the "Link to topic where this file was requested:" field, enter the following:
    http://forums.malwarebytes.org/index.php?showtopic=68896
  • In the "Browse to the file you want to submit:" field, click on Browse and navigate to the MBR_DISK.ZIP file that was created.
  • In the comments field enter the following:
    MBR dump from RPMcMurphy's thread with missing storage drive
  • Press the Send File button.

Please include the following in your next post:

  • Please confirm that you were able to successfully execute the batch and uploaded the file


Done! :(



Sam LG:

Here are your next instructions. Please look them over carefully and ask any questions you have before you begin:

1) I have attached a zipped folder named SAM MBR.zip to this post. Extract the contents to your Desktop.

2) Then download HDHacker to your Desktop: http://www.freedownloadscenter.com/Utiliti...s/HDHacker.html

[image: hdHacker_1.png]

3) Launch HDHacker

4) Select Physical Drive (MBR) = 0

5) Click the button [Read sector from Disk]

6) Verify it's the correct disk by comparing with the picture above. It MUST look exactly the same. Do not proceed if it doesn't look the same.

[image: hdHacker_2.png]

7) Make sure Physical Drive (MBR) is still 0

8) Click the button [Load sector from Disk] and browse to the file "SAM_MBR.dat"

9) Once again, it must look exactly like the picture above.

10) Click the button [Write sector to Disk]

11) Close HDHacker and reboot the machine.

Please include the following in your next post:

  • Please confirm that you were able to successfully complete these steps and let me know if your storage drive is visible.

SAM_MBR.zip

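The two helper posts above dump sector 0 with MBR.exe and then write a replacement sector back with HDHacker. Writing a bad sector to physical drive 0 makes a machine unbootable, so before [Write sector to Disk] it is worth checking that the .dat file actually looks like a Master Boot Record. The following checker is an added example for this thread, not code from the thread, from MBR.exe or from HDHacker: it parses the first 512 bytes of a dump (MBR.exe -c 0 63 writes 63 sectors; only the first is the MBR), verifies the 0x55AA boot signature, decodes the four partition-table entries, and flags inconsistencies such as a zeroed boot-code area, overlapping partitions or a partition running past the end of the disk. The sample sector, its disk signature and its partition layout are constructed inline for the example and are not Sam's dump.

```python
"""Sanity-check a 512-byte MBR sector dump before it is written back to disk.
Added example; the sample sector below is constructed, not a real dump."""
import struct
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
DISK_SIG_OFFSET = 440          # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
PART_ENTRY_SIZE = 16

# Partition type bytes we name; anything else is reported by hex value.
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x0F: "extended (LBA)", 0x27: "hidden NTFS / Windows RE",
              0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_partition_entry(raw: bytes) -> dict:
    """Decode one entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
    return {"status": status, "bootable": status == 0x80, "type": ptype,
            "type_name": PART_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(data: bytes) -> dict:
    """Parse sector 0 of a dump; extra sectors after the first 512 bytes are ignored."""
    if len(data) < SECTOR_SIZE:
        raise ValueError(f"need at least {SECTOR_SIZE} bytes, got {len(data)}")
    sector = data[:SECTOR_SIZE]
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        entries.append(parse_partition_entry(sector[off:off + PART_ENTRY_SIZE]))
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
            "bootcode_all_zero": not any(sector[:DISK_SIG_OFFSET]),
            "partitions": [e for e in entries if e["type"] != 0x00]}


def check_mbr(data: bytes, disk_sectors: Optional[int] = None) -> List[str]:
    """Return a list of problems; an empty list means the sector looks sane."""
    mbr = parse_mbr(data)
    problems = []
    if not mbr["signature_ok"]:
        problems.append("missing 0x55AA boot signature at offset 510")
    if mbr["bootcode_all_zero"]:
        problems.append("boot code area (bytes 0-439) is all zero")
    if sum(p["bootable"] for p in mbr["partitions"]) > 1:
        problems.append("more than one partition flagged bootable")
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"invalid status byte 0x{p['status']:02x} at LBA {p['lba_start']}")
        if p["sectors"] == 0:
            problems.append(f"partition at LBA {p['lba_start']} has zero length")
        if disk_sectors is not None and p["lba_start"] + p["sectors"] > disk_sectors:
            problems.append(f"partition at LBA {p['lba_start']} runs past the end of the disk")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in mbr["partitions"])
    for (s1, e1), (s2, _) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append(f"partitions starting at LBA {s1} and {s2} overlap")
    return problems


def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)


def build_sample_mbr() -> bytes:
    """Constructed sector: placeholder boot code, bootable NTFS system partition, NTFS data partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\x33\xc0\x8e"                                # stands in for real boot code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0xDEADBEEF)  # constructed disk signature
    sector[446:462] = _entry(0x80, 0x07, 2048, 204800)
    sector[462:478] = _entry(0x00, 0x07, 206848, 1843200)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_damaged_mbr() -> bytes:
    """Same sector with the signature wiped and the data partition moved to overlap the system one."""
    sector = bytearray(build_sample_mbr())
    sector[462:478] = _entry(0x00, 0x07, 100000, 1843200)
    sector[510:512] = b"\x00\x00"
    return bytes(sector)


def report(data: bytes) -> str:
    """Human-readable summary: partition table followed by any problems found."""
    mbr = parse_mbr(data)
    sig = "OK" if mbr["signature_ok"] else "MISSING"
    lines = [f"disk signature 0x{mbr['disk_signature']:08X}, boot signature {sig}"]
    for p in mbr["partitions"]:
        flag = "*" if p["bootable"] else " "
        lines.append(f" {flag} {p['type_name']:<22} start LBA {p['lba_start']:>10}  sectors {p['sectors']:>10}")
    lines.extend("!! " + problem for problem in check_mbr(data))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pass the path of a sector dump (e.g. the .dat file loaded into HDHacker) or run on the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    print(report(data))
    print("\n--- constructed damaged sector ---")
    print(report(build_damaged_mbr()))
```

Run it with the path of the .dat file as its only argument; a clean result prints the partition table with no "!!" lines. The disk_sectors argument of check_mbr is optional because the dump alone does not say how large the disk is; pass the drive's sector count when it is known so that a partition extending past the end of the disk is caught as well.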
