
AntiMalware is constantly telling me it's blocking outgoing connections, even when I'm not actively surfing or anything. While I was running the requested scans and Firefox was just resting on this forum (where I was reading the instructions) AntiMalware kept telling me about blocked IP addresses. I'm glad it's blocking them, but I have to think I still have some sort of malware on my system that's causing this. I notice the messages mostly when I have a browser running, but not exclusively then.

I believe I've attached all the requested logs.

--Bryan

attach.zip


Hi,

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Hi,

Please do not attach your logs as it is harder for me to read them that way. Post them instead:

ComboFix 10-12-30.03 - Ann 12/31/2010 13:39:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.690 [GMT -5:00]
Running from: c:\documents and settings\Ann\Desktop\ComboFix.exe
AV: F-PROT Antivirus for Windows *Disabled/Updated* {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Microsoft
c:\documents and settings\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat
c:\documents and settings\All Users\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat
C:\PRESARIO.txt
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\winhelp.ini
D:\Autorun.inf
G:\Autorun.inf
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_USNJSVC
-------\Service_usnjsvc

((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-31 )))))))))))))))))))))))))))))))
.
2010-12-17 03:52 . 2010-12-17 03:52 -------- d-----w- c:\documents and settings\Ann\Application Data\Amazon
2010-12-17 03:46 . 2010-12-17 03:46 -------- d-----w- c:\program files\Amazon
2010-12-16 13:27 . 2010-12-28 15:57 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-12-16 13:27 . 2010-12-16 13:27 -------- d-----w- c:\documents and settings\Ann\Application Data\Corel
2010-12-16 02:59 . 2010-12-16 02:59 -------- d-----w- c:\documents and settings\Ann\Application Data\FRISK Software
2010-12-16 01:44 . 2010-12-16 01:44 -------- d-----w- c:\program files\Common Files\Protexis
2010-12-16 01:44 . 2010-12-16 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-12-16 01:43 . 2010-12-16 01:43 -------- d-----w- c:\program files\Common Files\Corel
2010-12-16 01:41 . 2010-12-16 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Borland
2010-12-16 01:41 . 2010-12-16 01:41 -------- d-----w- c:\program files\Common Files\Borland Shared
2010-12-16 01:34 . 2010-12-16 01:34 -------- d-----w- c:\program files\Corel
2010-12-14 16:53 . 2010-12-14 16:53 -------- d-----w- c:\documents and settings\Ann\Application Data\TrojanHunter
2010-12-02 13:45 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-12-02 09:14 . 2010-12-02 09:14 -------- d-----w- c:\documents and settings\Bryan\Application Data\TrojanHunter
2010-12-02 08:46 . 2010-12-14 16:58 -------- d-----w- c:\program files\TrojanHunter 5.3
2010-12-02 07:06 . 2010-12-14 16:58 -------- d-----w- c:\program files\Sophos
2010-12-02 04:21 . 2010-12-02 04:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\EPSON
2010-12-02 01:47 . 2010-12-02 01:47 -------- d-sh--w- c:\documents and settings\Bryan\PrivacIE
2010-12-02 01:46 . 2010-12-02 01:46 -------- d-----w- c:\documents and settings\Bryan\Local Settings\Application Data\Google
2010-12-01 23:14 . 2010-12-01 23:14 -------- d-----w- c:\documents and settings\Bryan\Application Data\Malwarebytes
2010-12-01 22:36 . 2010-12-01 22:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-12-01 22:32 . 2010-12-01 22:32 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-12-01 22:20 . 2010-12-01 22:20 86528 --sha-r- c:\windows\system32\tspkgk.dll
2010-12-01 22:19 . 2010-12-01 22:19 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2008-10-06 01:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2008-10-06 01:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-17 03:57 . 2009-05-27 19:40 89680 ------w- c:\documents and settings\Ann\MSSSerif120.fon
2007-08-06 16:07 . 2007-11-22 01:43 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-09-28 23:57 . 2007-09-28 23:57 6275816 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2007-07-18 18:54 . 2007-11-22 01:43 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2007-09-28 23:57 . 2007-09-28 23:57 6275816 ----a-w- c:\program files\opera\program\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DIMDownloading your update..1285781009224"="c:\program files\Corel\WordPerfect Office X5\Programs\DIM.exe" [2010-02-18 107880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-01 7311360]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"UPSMON"="c:\program files\UPSMON\UPSMON.exe" [2005-03-30 429568]
"F-PROT Antivirus Tray application"="c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2010-07-05 1674032]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X5\Programs\QFSCHD150.EXE" [2010-03-12 136600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-22 180269]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk
backup=c:\windows\pss\Lotus QuickStart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ann^Start Menu^Programs^Startup^AOL OpenRide.lnk]
path=c:\documents and settings\Ann\Start Menu\Programs\Startup\AOL OpenRide.lnk
backup=c:\windows\pss\AOL OpenRide.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bryan^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\Bryan\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
2005-09-01 20:24 942080 ----a-w- c:\program files\EarthLink TotalAccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 14:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-12-01 20:02 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 10:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2004-12-14 10:23 663552 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-02-22 10:48 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USSShReg]
1997-11-23 08:16 20992 ----a-w- c:\progra~1\ULEADS~1\ULEADP~1\SSaver\USSSHREG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"EarthLinkMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\Online Services\\Aol\\InstallAol.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [11/28/2007 9:50 PM 700632]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/5/2008 8:57 PM 363344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/5/2008 8:57 PM 20952]
S0 kpylirel;kpylirel; [x]
S2 MLPTDR_C;MLPTDR_C;c:\windows\system32\MLPTDR_C.SYS [5/31/2002 5:04 PM 19296]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);c:\windows\system32\drivers\OMAWGU.sys [10/23/2007 10:32 PM 408064]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S4 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
S4 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [11/3/2010 4:40 PM 83624]
.
Contents of the 'Scheduled Tasks' folder

2010-12-31 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2010-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-01 00:46]

2010-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-01 00:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 192.168.1.3:3128
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
TCP: {DE062798-F8BE-461F-90A3-B4F34C3B3450} = 207.69.188.185,207.69.188.186
FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ofxf3dwh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=
FF - prefs.js: network.proxy.ftp - 192.168.1.3
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 192.168.1.3
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 192.168.1.3
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 192.168.1.3
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 192.168.1.3
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BitTorrent - c:\program files\BitTorrent\bittorrent.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-31 13:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(788)
c:\windows\system32\WININET.dll
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll

- - - - - - - > 'explorer.exe'(3140)
c:\windows\system32\WININET.dll
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\DRIVERS\CDANTSRV.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\wdfmgr.exe
c:\program files\UPSMON\UPSMON_Service.Exe
c:\program files\UPSMON\UPSInt2.exe
.
**************************************************************************
.
Completion time: 2010-12-31 13:59:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-31 18:59

Pre-Run: 87,160,160,256 bytes free
Post-Run: 88,089,759,744 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5C573DE238FB1500F38B568AD1E0F4E4


Hi,

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
C:\windows\system32\drivers\kpylirel.sys
c:\windows\system32\tspkgk.dll

Driver::
kpylirel

KillAll::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

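As an added illustration (not part of this thread, of ComboFix, or of the helper's own process), the following Python script applies the same reading of the log that the reply above did: it parses the "Files Created" and R*/S* driver lines of a ComboFix log, flags a newly created hidden+system file under system32 and a registered driver whose image file is missing, marks a service loading from a .tmp file for review only, and emits the File::/Driver:: sections in the CFScript layout used above. The sample lines are copied from the log posted earlier in the thread; the heuristics, thresholds and all function names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the ComboFix log posted in this
# thread (the "Files Created" section and the R*/S* driver/service section).
SAMPLE_LOG = r"""
2010-12-17 03:52 . 2010-12-17 03:52 -------- d-----w- c:\documents and settings\Ann\Application Data\Amazon
2010-12-16 13:27 . 2010-12-28 15:57 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-12-02 13:45 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-12-01 22:20 . 2010-12-01 22:20 86528 --sha-r- c:\windows\system32\tspkgk.dll
R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [11/28/2007 9:50 PM 700632]
S0 kpylirel;kpylirel; [x]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
"""

# "<created> . <modified> <size|--------> <attrs> <path>"; attrs is an 8-char
# flag string such as d-----w- or --sha-r- (d = directory, s = system, h = hidden).
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# "R0 name;display;image path [date size]" (R = running, S = stopped);
# a driver whose file is gone shows an empty path followed by "[x]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*)\[(?P<status>[^\]]*)\]\s*$"
)


@dataclass(frozen=True)
class Finding:
    kind: str      # missing_driver | hidden_system_file | tmp_image_service
    severity: str  # "high" = candidate for the CFScript, "review" = look at it
    subject: str   # service name or file path
    note: str


def triage(log_text: str) -> list[Finding]:
    """Flag the ComboFix entries a helper would look at first (heuristic only)."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            in_sys32 = path.lower().startswith(r"c:\windows\system32")
            # Hidden+system regular files dropped straight into system32 are
            # unusual for ordinary software; elsewhere (e.g. licensing data in
            # Application Data) the same attributes are common, so not flagged.
            if "d" not in attrs and "s" in attrs and "h" in attrs and in_sys32:
                findings.append(Finding(
                    "hidden_system_file", "high", path,
                    "new file under system32 with system+hidden attributes"))
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, status = m.group("name"), m.group("status").strip()
        # A "-->" chain means ComboFix resolved the path; keep the final target.
        path = m.group("path").split("-->")[-1].strip()
        if status == "x" and not path:
            findings.append(Finding(
                "missing_driver", "high", name,
                "driver registered but its image file is gone"))
        elif path.lower().endswith(".tmp"):
            findings.append(Finding(
                "tmp_image_service", "review", name,
                "service loads from a .tmp file; confirm which product owns it"))
    return findings


def build_cfscript(findings: list[Finding]) -> str:
    """Emit File::/Driver:: sections in the CFScript layout the helper used."""
    files = [f.subject for f in findings
             if f.kind == "hidden_system_file" and f.severity == "high"]
    drivers = [f.subject for f in findings
               if f.kind == "missing_driver" and f.severity == "high"]
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    sections.append("KillAll::")
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.kind}: {f.subject} ({f.note})")
    print()
    print(build_cfscript(found))
```

On the sample the script surfaces tspkgk.dll and kpylirel, the two items the helper's CFScript targets, and leaves the Sophos-owned MEMSWEEP2 entry as a review item rather than a removal candidate.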

Thanks for your continued assistance.

(A little background)

The kpylirel.sys file you mentioned was one I discovered earlier last month and submitted to Malwarebytes mid-December, since it didn't detect it. At the time my PC was trying to make hundreds of SMTP connections at a time. I booted Knoppix off a CD in order to remove it, as I was unable to manually remove it while Windows was running. As far as I can tell, the kpylirel.sys file has not re-appeared. Removing kpylirel.sys stopped the SMTP connections, but I am still getting many blocked outgoing connection attempts reported by Anti-Malware (and an unknown number of allowed connections?) when I'm not running anything other than Firefox, using this forum.

This was in addition to several other malware programs I discovered and removed (manually & via scanning with Anti-Malware and F-Prot antivirus) including WhiteSmoke Translator and Toolbar. These last ones I discovered within minutes of the infection because the PC was running very slowly and I just happened to ask my son to let me use it -- about 10 minutes after the creation date on the WhiteSmoke stuff.

(Current)

I followed your instructions and ComboFix.exe reported finding the TDL3 rootkit, later reported rootkit activity & rebooted and continued.

Here's the log:

ComboFix 11-01-02.04 - Ann 01/03/2011   9:48.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.558 [GMT -5:00]
Running from: c:\documents and settings\Ann\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ann\Desktop\CFScript.txt
AV: F-PROT Antivirus for Windows *Disabled/Updated* {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}
* Resident AV is active


FILE ::
"c:\windows\system32\drivers\kpylirel.sys"
"c:\windows\system32\tspkgk.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tspkgk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KPYLIREL
-------\Service_kpylirel


((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
.

2011-01-03 14:27 . 2011-01-03 14:28 -------- d-----w- C:\32788R22FWJFW.0.tmp
2010-12-31 19:06 . 2010-12-31 19:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird
2010-12-31 19:06 . 2010-12-31 19:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird
2010-12-17 03:52 . 2010-12-17 03:52 -------- d-----w- c:\documents and settings\Ann\Application Data\Amazon
2010-12-17 03:46 . 2010-12-17 03:46 -------- d-----w- c:\program files\Amazon
2010-12-16 13:27 . 2010-12-28 15:57 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-12-16 13:27 . 2010-12-16 13:27 -------- d-----w- c:\documents and settings\Ann\Application Data\Corel
2010-12-16 02:59 . 2010-12-16 02:59 -------- d-----w- c:\documents and settings\Ann\Application Data\FRISK Software
2010-12-16 01:44 . 2010-12-16 01:44 -------- d-----w- c:\program files\Common Files\Protexis
2010-12-16 01:44 . 2010-12-16 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-12-16 01:43 . 2010-12-16 01:43 -------- d-----w- c:\program files\Common Files\Corel
2010-12-16 01:41 . 2010-12-16 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Borland
2010-12-16 01:41 . 2010-12-16 01:41 -------- d-----w- c:\program files\Common Files\Borland Shared
2010-12-16 01:34 . 2010-12-16 01:34 -------- d-----w- c:\program files\Corel
2010-12-14 16:53 . 2010-12-14 16:53 -------- d-----w- c:\documents and settings\Ann\Application Data\TrojanHunter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2008-10-06 01:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2008-10-06 01:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-17 03:57 . 2009-05-27 19:40 89680 ------w- c:\documents and settings\Ann\MSSSerif120.fon
2007-08-06 16:07 . 2007-11-22 01:43 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-09-28 23:57 . 2007-09-28 23:57 6275816 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2007-07-18 18:54 . 2007-11-22 01:43 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2007-09-28 23:57 . 2007-09-28 23:57 6275816 ----a-w- c:\program files\opera\program\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DIMDownloading your update..1285781009224"="c:\program files\Corel\WordPerfect Office X5\Programs\DIM.exe" [2010-02-18 107880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-01 7311360]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"UPSMON"="c:\program files\UPSMON\UPSMON.exe" [2005-03-30 429568]
"F-PROT Antivirus Tray application"="c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2010-07-05 1674032]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X5\Programs\QFSCHD150.EXE" [2010-03-12 136600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-22 180269]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk
backup=c:\windows\pss\Lotus QuickStart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ann^Start Menu^Programs^Startup^AOL OpenRide.lnk]
path=c:\documents and settings\Ann\Start Menu\Programs\Startup\AOL OpenRide.lnk
backup=c:\windows\pss\AOL OpenRide.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bryan^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\Bryan\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
2005-09-01 20:24 942080 ----a-w- c:\program files\EarthLink TotalAccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 14:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-12-01 20:02 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 10:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2004-12-14 10:23 663552 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-02-22 10:48 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USSShReg]
1997-11-23 08:16 20992 ----a-w- c:\progra~1\ULEADS~1\ULEADP~1\SSaver\USSSHREG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"EarthLinkMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\Online Services\\Aol\\InstallAol.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [11/28/2007 9:50 PM 700632]
R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [11/3/2010 4:40 PM 83624]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/5/2008 8:57 PM 363344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/5/2008 8:57 PM 20952]
S2 MLPTDR_C;MLPTDR_C;c:\windows\system32\MLPTDR_C.SYS [5/31/2002 5:04 PM 19296]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);c:\windows\system32\drivers\OMAWGU.sys [10/23/2007 10:32 PM 408064]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S4 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 192.168.1.3:3128
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
TCP: {DE062798-F8BE-461F-90A3-B4F34C3B3450} = 207.69.188.185,207.69.188.186
FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ofxf3dwh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=
FF - prefs.js: network.proxy.ftp - 192.168.1.3
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 192.168.1.3
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 192.168.1.3
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 192.168.1.3
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 192.168.1.3
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-03 10:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6L160P0 rev.BAJ41G10 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86135555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8613b7b0]; MOV EAX, [0x8613b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x860F1AB8]
3 CLASSPNP[0xF7640FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000006d[0x86147F18]
5 ACPI[0xF74D7620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8615CD98]
\Driver\atapi[0x861439C8] -> IRP_MJ_CREATE -> 0x86135555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB; JMP FAR 0x7a0:0x5c; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6L160P0__________________________BAJ41G10#334c413131594751202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8613539B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(816)
c:\windows\system32\WININET.dll
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll

- - - - - - - > 'explorer.exe'(4020)
c:\windows\system32\WININET.dll
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\DRIVERS\CDANTSRV.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\wdfmgr.exe
c:\program files\UPSMON\UPSMON_Service.Exe
c:\program files\UPSMON\UPSInt2.exe
.
**************************************************************************
.
Completion time: 2011-01-03 10:16:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-03 15:16
ComboFix2.txt 2010-12-31 18:59

Pre-Run: 88,065,761,280 bytes free
Post-Run: 88,115,363,840 bytes free

- - End Of File - - F76D84FE23B4080128789EAB62B7FDFE

--Bryan


I hope you don't mind, but I peeked at another forum post that listed the same IP addresses being blocked that I'm experiencing: Malwarebytes forum thread. As suggested in that thread, I downloaded Kaspersky's TDSSKiller and ran it, and it seems to have cleared up the problem. It found the TDSS.tdl4 rootkit and removed it. Here's the log:

2011/01/03 20:10:50.0375 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/03 20:10:50.0375 ================================================================================
2011/01/03 20:10:50.0375 SystemInfo:
2011/01/03 20:10:50.0375
2011/01/03 20:10:50.0375 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/03 20:10:50.0375 Product type: Workstation
2011/01/03 20:10:50.0375 ComputerName: PRESARIO
2011/01/03 20:10:50.0375 UserName: Ann
2011/01/03 20:10:50.0375 Windows directory: C:\WINDOWS
2011/01/03 20:10:50.0375 System windows directory: C:\WINDOWS
2011/01/03 20:10:50.0375 Processor architecture: Intel x86
2011/01/03 20:10:50.0375 Number of processors: 1
2011/01/03 20:10:50.0375 Page size: 0x1000
2011/01/03 20:10:50.0375 Boot type: Normal boot
2011/01/03 20:10:50.0375 ================================================================================
2011/01/03 20:10:52.0171 Initialize success
2011/01/03 20:10:57.0093 ================================================================================
2011/01/03 20:10:57.0093 Scan started
2011/01/03 20:10:57.0093 Mode: Manual;
2011/01/03 20:10:57.0093 ================================================================================
2011/01/03 20:10:59.0187 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
2011/01/03 20:10:59.0453 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/03 20:10:59.0609 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/03 20:10:59.0812 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/03 20:10:59.0984 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
2011/01/03 20:11:00.0171 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/03 20:11:00.0390 AgereSoftModem (51a66c689ad9b9a953f75496209ae520) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/01/03 20:11:00.0875 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2011/01/03 20:11:01.0046 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/01/03 20:11:01.0468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/03 20:11:01.0609 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/03 20:11:01.0843 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/03 20:11:01.0953 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/03 20:11:02.0000 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
2011/01/03 20:11:02.0109 bb-run (7270d070173b20ac9487ea16bb08b45f) C:\WINDOWS\system32\DRIVERS\bb-run.sys
2011/01/03 20:11:02.0250 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/03 20:11:02.0390 BW2NDIS5 (71cb7616cb36d43ea787c41ab55fe458) C:\WINDOWS\system32\Drivers\BW2NDIS5.sys
2011/01/03 20:11:02.0562 C-Dilla (2423d6259dd63a6f1ffd3d3684b941e5) C:\WINDOWS\system32\drivers\CDANT.SYS
2011/01/03 20:11:02.0750 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/03 20:11:02.0859 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/01/03 20:11:03.0000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/03 20:11:03.0203 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/03 20:11:03.0406 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/03 20:11:03.0921 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/03 20:11:04.0109 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/03 20:11:04.0609 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/03 20:11:04.0687 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/03 20:11:04.0843 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/03 20:11:04.0984 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/03 20:11:05.0140 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/03 20:11:05.0328 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/01/03 20:11:05.0468 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/03 20:11:05.0609 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/01/03 20:11:05.0750 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/03 20:11:05.0984 FPAV_RTP (a98b9d16a38df7afdc1a465925d03884) C:\WINDOWS\system32\DRIVERS\FStopW.sys
2011/01/03 20:11:06.0218 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/03 20:11:06.0359 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/03 20:11:06.0484 ftsata2 (22399d3ce5840c6082844679cca5d2fc) C:\WINDOWS\system32\DRIVERS\ftsata2.sys
2011/01/03 20:11:06.0656 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/03 20:11:06.0734 hamachi (64b48a0d899deca24c424a2cac3ecffa) C:\WINDOWS\system32\DRIVERS\hamachi.sys
2011/01/03 20:11:06.0859 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/01/03 20:11:06.0937 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/03 20:11:07.0156 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/03 20:11:07.0437 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/03 20:11:07.0687 iaStor (9a65e42664d1534b68512caad0efe963) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/01/03 20:11:08.0046 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/03 20:11:08.0359 IntcAzAudAddService (90e1b42e49d9e91e5accaaaaefa10ce8) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/01/03 20:11:08.0671 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/01/03 20:11:08.0796 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/03 20:11:08.0890 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/03 20:11:09.0000 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/03 20:11:09.0125 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/03 20:11:09.0203 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/03 20:11:09.0437 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/03 20:11:09.0562 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/03 20:11:09.0828 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/03 20:11:09.0937 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/03 20:11:10.0093 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/03 20:11:10.0250 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/03 20:11:10.0625 MBAMProtector (836e0e09ca9869be7eb39ef2cf3602c7) C:\WINDOWS\system32\drivers\mbam.sys
2011/01/03 20:11:10.0796 MLPTDR_C (a0559040b0df7403ddcd9574cb2694de) C:\WINDOWS\system32\MLPTDR_C.sys
2011/01/03 20:11:10.0921 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/03 20:11:11.0046 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/03 20:11:11.0171 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/03 20:11:11.0328 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/03 20:11:11.0484 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/03 20:11:11.0671 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/03 20:11:11.0937 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/03 20:11:12.0343 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
2011/01/03 20:11:12.0468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/03 20:11:12.0578 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/03 20:11:12.0687 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/03 20:11:12.0734 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/03 20:11:12.0812 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/03 20:11:12.0859 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/01/03 20:11:12.0953 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/03 20:11:13.0078 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/01/03 20:11:13.0234 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/03 20:11:13.0359 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/01/03 20:11:13.0500 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/03 20:11:13.0734 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/03 20:11:13.0937 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/03 20:11:14.0109 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/03 20:11:14.0234 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/03 20:11:14.0593 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/03 20:11:14.0984 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/01/03 20:11:15.0265 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/03 20:11:15.0718 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/03 20:11:16.0171 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/03 20:11:16.0984 nv (77be0cee4e4a17474650d38ccc9d5579) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/01/03 20:11:18.0000 NVENETFD (2a7a2c6ab9631028b6e3a4159aa65705) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/01/03 20:11:18.0312 nvnetbus (20526a8827dc0956b5526aebcb6751a0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/01/03 20:11:18.0515 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/03 20:11:18.0937 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/03 20:11:19.0281 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/01/03 20:11:19.0687 OMAWGU(Belkin Corporation) (0c2cb1c6e7d23ff74832839f2fb25163) C:\WINDOWS\system32\DRIVERS\OMAWGU.sys
2011/01/03 20:11:20.0218 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/03 20:11:21.0046 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/03 20:11:21.0468 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/03 20:11:21.0812 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/03 20:11:22.0890 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/03 20:11:23.0343 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/03 20:11:24.0890 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/03 20:11:25.0203 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/03 20:11:25.0687 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/03 20:11:26.0031 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/03 20:11:26.0640 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/03 20:11:27.0750 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/03 20:11:27.0968 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/03 20:11:28.0234 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/03 20:11:28.0578 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/03 20:11:29.0015 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/03 20:11:29.0234 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/03 20:11:29.0531 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/03 20:11:30.0125 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/03 20:11:30.0546 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/01/03 20:11:30.0984 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/03 20:11:31.0203 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/03 20:11:31.0515 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/01/03 20:11:31.0812 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/03 20:11:32.0187 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/01/03 20:11:32.0671 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/03 20:11:32.0828 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/03 20:11:33.0250 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/03 20:11:33.0500 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/01/03 20:11:33.0781 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/03 20:11:34.0000 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/03 20:11:34.0843 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/03 20:11:35.0187 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/03 20:11:35.0484 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/03 20:11:35.0609 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/03 20:11:35.0828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/03 20:11:36.0421 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/03 20:11:36.0609 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/03 20:11:36.0984 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/03 20:11:37.0265 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/03 20:11:37.0562 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/01/03 20:11:37.0828 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/03 20:11:38.0062 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/03 20:11:38.0250 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/03 20:11:38.0515 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/03 20:11:38.0750 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/03 20:11:38.0968 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/01/03 20:11:39.0156 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/03 20:11:39.0390 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/03 20:11:39.0687 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/01/03 20:11:40.0062 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/03 20:11:40.0562 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/01/03 20:11:40.0796 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/01/03 20:11:40.0937 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/01/03 20:11:41.0093 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/03 20:11:41.0093 ================================================================================
2011/01/03 20:11:41.0093 Scan finished
2011/01/03 20:11:41.0093 ================================================================================
2011/01/03 20:11:41.0125 Detected object count: 1
2011/01/03 20:12:02.0046 \HardDisk1 - will be cured after reboot
2011/01/03 20:12:02.0046 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
2011/01/03 20:12:05.0796 Deinitialize success

Thank you so much for your assistance!

--Bryan

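As an added example (my own illustration, not code from Bryan's post or from Kaspersky's TDSSKiller), here is a small Python parser for the log format just posted, plus a triage step that checks the listed driver hashes against a baseline; the sample lines are copied from the log above, while the baseline hashes are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Line shapes taken from the TDSSKiller 2.4 log posted above:
#   <ts> <service> (<md5>) <path>                  one entry per driver
#   <ts> \HardDisk1 - detected <threat> (0)        a detection
#   <ts> <threat>(\HardDisk1) - User select action: Cure
_TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+"
DRIVER_RE = re.compile(_TS + r"(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(_TS + r"(?P<obj>\S+) - detected (?P<threat>\S+)")
ACTION_RE = re.compile(_TS + r"(?P<threat>[^(\s]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)")
COUNT_RE = re.compile(_TS + r"Detected object count: (?P<n>\d+)")


@dataclass
class TdssReport:
    drivers: List[Tuple[str, str, str]] = field(default_factory=list)   # (service name, md5, path)
    detections: List[Tuple[str, str]] = field(default_factory=list)     # (object, threat)
    actions: List[Tuple[str, str, str]] = field(default_factory=list)   # (object, threat, chosen action)
    detected_count: Optional[int] = None


def parse_tdsskiller_log(text: str) -> TdssReport:
    """Pull the driver inventory and any detections out of a TDSSKiller log."""
    report = TdssReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := DETECT_RE.match(line)):
            report.detections.append((m["obj"], m["threat"]))
        elif (m := ACTION_RE.match(line)):
            report.actions.append((m["obj"], m["threat"], m["action"]))
        elif (m := COUNT_RE.match(line)):
            report.detected_count = int(m["n"])
        elif (m := DRIVER_RE.match(line)):
            report.drivers.append((m["name"], m["md5"], m["path"]))
    return report


def triage(report: TdssReport, baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag drivers whose on-disk MD5 differs from a known-clean baseline
    (keyed by lower-cased path), drivers the baseline does not know, and
    every detection TDSSKiller itself reported.

    Caveat: the TDL4 hit above is on \\HardDisk1 (the MBR), not on a driver
    file, and the atapi DriverStartIo hook in the GMER output lives in memory,
    so on-disk hashes alone would not reveal either; the detection lines are
    the signal and the hash check only adds coverage for tampered driver files.
    """
    findings = []
    for name, md5, path in report.drivers:
        expected = baseline.get(path.lower())
        if expected is None:
            findings.append(("unknown-driver", name, path))
        elif expected != md5:
            findings.append(("hash-mismatch", name, path))
    for obj, threat in report.detections:
        findings.append(("detection", threat, obj))
    return findings


# Sample lines copied from the log posted above (one of each shape).
SAMPLE_LOG = r"""
2011/01/03 20:10:57.0093 Scan started
2011/01/03 20:11:01.0609 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/03 20:11:03.0921 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/03 20:11:19.0687 OMAWGU(Belkin Corporation) (0c2cb1c6e7d23ff74832839f2fb25163) C:\WINDOWS\system32\DRIVERS\OMAWGU.sys
2011/01/03 20:11:41.0093 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/03 20:11:41.0125 Detected object count: 1
2011/01/03 20:12:02.0046 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
"""

# Constructed baseline: atapi matches the log, disk.sys is deliberately wrong,
# and the Belkin driver is absent, to show each triage outcome.
BASELINE = {
    r"c:\windows\system32\drivers\atapi.sys": "9f3a2f5aa6875c72bf062c712cfa2674",
    r"c:\windows\system32\drivers\disk.sys": "ffffffffffffffffffffffffffffffff",  # placeholder
}

if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    for kind, what, where in triage(rep, BASELINE):
        print(f"{kind:15} {what:30} {where}")
```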

Hi,

Letting you run TDSSKiller would have been my next step. :)

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Start Malwarebytes' Anti-Malware

  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates have been downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


Looks clean. ESET found a false positive -- an upload script I wrote to push changed files to a web server via FTP. Otherwise the computer is clean as a whistle. Since running TDSSKiller I haven't had any blocked outgoing IP address issues either.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5461

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/4/2011 8:24:44 PM
mbam-log-2011-01-04 (20-24-44).txt

Scan type: Quick scan
Objects scanned: 175082
Time elapsed: 8 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

C:\Documents and Settings\Ann\My Documents\Ohio Conference\Web page\Upload.js	probably unknown SCRIPT virus	deleted - quarantined

--Bryan


Hi,

Your logs appear to be clean now. There is only a bit of cleanup that we will deal with in this post, as well as prevention from future infections. :)

Remove Combofix now that we're done with it.

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    CF_Uninstall-1.jpg
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep a backup of your important files

Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Make proper use of your anti-virus and firewall

You should keep your anti-virus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so.

Also, regularly performing a full system scan with your anti-virus program is a good idea to make sure nothing has slipped through your protection. Once every two weeks works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Keep in mind that anti-virus programs are far from perfect. They don't protect you against every piece of malware that's out there, so don't trust them blindly. If an anti-virus reports a file as 'clean', that doesn't necessarily mean it is.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep all your software updated

It is important to keep up on system updates from Microsoft by regularly checking their website at: http://windowsupdate.microsoft.com/, as these patch critical security vulnerabilities and help to keep you safe.

It's also important to keep programs up to date so that malware doesn't exploit any old security flaws. FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Java and Adobe Reader are two of the main security vulnerabilities. You can find the latest version of Java here, you will want the Java SE Runtime Environment (JRE) one. You can find the latest version of Adobe Reader here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple of good free alternatives: Firefox and Opera. Both are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here which will help you to make IE much safer.

If you decide to use the Firefox browser, the McAfee SiteAdvisor add-on will nicely help to enhance your security. This add-on tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some other security programs

It is wise these days to have a few security programs installed and running on your machine apart from just an anti-virus and a firewall. I will list some of them.

  • A good anti-spyware program installed on your pc is very important to help remove any spyware that may have gotten on your computer. I highly recommend Malwarebytes' Anti-Malware.
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites in the future.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be careful

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully to make sure that you know what you're getting.

Using peer-to-peer programs (eg: LimeWire, BitTorrent, uTorrent, Kazaa) or downloading cracks and keygens is something else to avoid. These are the most common way to get infected. Malware writers use these programs to spread infections as it is the easiest way for them. The majority of infections we see in the Malware Removal forum are due to people using p2p programs to download cracks/keygens/warez. These are not only illegal, but will always contain some form of malware. You have no way of verifying that the things you download are legitimate or that they don't contain malware. Even with an up to date anti-virus and firewall, some of these things will still infect you. It is highly recommended that you uninstall all peer-to-peer programs. It just isn't worth it.

Other common ways of getting infected are disreputable sites forcing you to download and install a codec, or viruses using Instant Messaging programs (Windows Live Messenger, MSN Messenger, AIM) to send a file claiming it to be "photos" from a friend, only for it to turn out to be a virus.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Slow computer?

If your computer begins to slow down in the future for no particular reason, your first step should not be to come to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance can decrease. To restore your computer's performance to its best possible level, follow the steps in this page written by malware expert Miekiemoes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,

Gammo :)



Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

