Jump to content

Malware removal help please


Recommended Posts

Noticed on Sunday that my USB pen and MP3 player were no longer recognized by my PC. Then google searches started to be redirected. Also Windows Updates seem to be blocked. Have tried several anti-malware programs with not much success. Finally stumbled upon this forum and have followed the "I'm infected - What do I do now?" suggestions.

Thank you so much for whatever help you can provide!

DDS (Ver_10-12-12.02) - NTFSx86

Run by Chrystal at 18:16:34.67 on 29/12/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.991.393 [GMT 0:00]

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: ZoneAlarm Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgemc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Chrystal\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.goodsearch.com/Default.aspx

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: {90c39cb5-4269-45fb-9e41-7a2e5c34995b} - No File

BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll

TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [iSW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"

mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE

dRunOnce: [RunNarrator] Narrator.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

Trusted Zone: irs.gov\www

Trusted Zone: live365.com\www

Trusted Zone: musicmatch.com\online

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01111C00-3E00-11D2-8470-0060089874ED} - hxxp://help.rr.com/Foundrysdccommon/download/tgctlar.cab

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} - hxxp://www.winkflash.com/photo/loaders/SAXFile.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149769324546

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://www.telewest.co.uk/motive/files/MotivePreQual.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chrystal\applic~1\mozilla\firefox\profiles\5476ut44.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/Default.aspx

FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=62125&p=

FF - component: c:\documents and settings\chrystal\application data\mozilla\firefox\profiles\5476ut44.default\extensions\{861d02ef-6fd9-4ce1-954a-90ee3a4de31c}\components\Engine.dll

FF - component: c:\documents and settings\chrystal\application data\mozilla\firefox\profiles\5476ut44.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\chrystal\application data\mozilla\firefox\profiles\5476ut44.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\RadioWMPCore.dll

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll

FF - plugin: c:\documents and settings\chrystal\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll

FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org

FF - Ext: AAdvantage eShoppingSM Toolbar: {861d02ef-6fd9-4ce1-954a-90ee3a4de31c} - %profile%\extensions\{861d02ef-6fd9-4ce1-954a-90ee3a4de31c}

FF - Ext: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - %profile%\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox

FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-26 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-11-21 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-11-21 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-11-21 243024]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-12-28 98392]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-12-28 532224]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-11-21 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-11-21 308136]

R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-12-27 312152]

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-11-5 26872]

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-11-5 488952]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2010-12-28 439632]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1389400]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-4 13592]

S3 BCASPROT;Advanced System Protector;c:\program files\systweak\advanced system protector\sasprot32.sys [2010-12-27 6656]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]

=============== Created Last 30 ================

2010-12-29 14:01:27 -------- d-----w- C:\SYSTEM.SAV

2010-12-29 14:01:25 692224 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll

2010-12-29 14:01:25 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll

2010-12-29 14:01:25 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe

2010-12-29 14:01:25 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll

2010-12-29 14:01:25 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll

2010-12-29 14:01:23 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll

2010-12-29 14:01:23 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll

2010-12-29 12:05:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trend Micro

2010-12-28 21:09:52 -------- d-----w- c:\program files\WinPcap

2010-12-28 17:30:07 388096 ----a-r- c:\docume~1\chrystal\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2010-12-28 17:30:06 -------- d-----w- c:\program files\Trend Micro

2010-12-28 12:01:41 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-12-28 11:20:49 -------- d-----w- c:\docume~1\chrystal\applic~1\CheckPoint

2010-12-28 11:19:51 -------- d-----w- c:\program files\Conduit

2010-12-28 11:19:51 -------- d-----w- c:\docume~1\chrystal\locals~1\applic~1\Conduit

2010-12-28 11:19:50 -------- d-----w- c:\docume~1\chrystal\locals~1\applic~1\ZoneAlarm_Security

2010-12-28 11:19:49 -------- d-----w- c:\program files\ZoneAlarm_Security

2010-12-28 11:18:59 -------- d-----w- c:\program files\CheckPoint

2010-12-28 11:18:29 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2010-12-28 11:18:28 -------- d-----w- c:\windows\system32\ZoneLabs

2010-12-28 11:18:22 -------- d-----w- c:\program files\Zone Labs

2010-12-28 11:17:48 -------- d-----w- c:\windows\Internet Logs

2010-12-27 16:15:46 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{14d23c52-7eb7-4956-b4da-b6130baed09d}\mpengine.dll

2010-12-27 16:11:20 -------- d-----w- c:\program files\Microsoft Security Client

2010-12-27 11:28:12 -------- d-----w- c:\docume~1\chrystal\applic~1\Systweak

2010-12-27 11:28:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Systweak

2010-12-27 11:27:48 -------- d-----w- c:\program files\Systweak

2010-12-27 11:27:27 17136 ----a-w- c:\windows\system32\sasnative32.exe

2010-12-27 10:07:52 -------- d-----w- c:\docume~1\chrystal\applic~1\IObit

2010-12-27 10:07:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit

2010-12-27 10:07:47 -------- d-----w- c:\program files\IObit

2010-12-26 20:42:21 -------- d-----w- c:\docume~1\chrystal\applic~1\Malwarebytes

2010-12-26 20:42:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-26 20:42:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-12-26 20:42:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-26 20:42:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-26 19:21:53 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-12-26 19:06:43 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-12-26 19:06:31 -------- d-----w- c:\docume~1\chrystal\locals~1\applic~1\Sunbelt Software

2010-12-26 18:36:45 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{4b65a1c5-5321-4316-9cd0-882e47092eea}\mpengine.dll

2010-12-26 17:03:33 -------- d-----w- c:\windows\system32\wbem\repository\FS

2010-12-26 17:03:33 -------- d-----w- c:\windows\system32\wbem\Repository

2010-12-26 16:23:32 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2010-12-16 12:27:05 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-16 12:24:51 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2010-12-07 20:53:59 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-12-07 20:53:58 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-12-07 20:53:44 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-12-07 20:50:57 512000 -c----w- c:\windows\system32\dllcache\jscript.dll

2010-12-06 20:25:40 -------- d-----w- c:\windows\system32\scripting

2010-12-06 20:25:36 -------- d-----w- c:\windows\l2schemas

2010-12-06 20:25:35 -------- d-----w- c:\windows\system32\en

2010-12-06 20:25:35 -------- d-----w- c:\windows\system32\bits

2010-12-06 20:04:59 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll

2010-12-06 20:03:55 10752 ------w- c:\windows\system32\smtpapi.dll

==================== Find3M ====================

2010-11-21 13:39:25 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-11-21 11:26:44 90112 ----a-w- c:\windows\DUMP690a.tmp

2010-11-20 15:47:19 90112 ----a-w- c:\windows\DUMP7724.tmp

2010-11-20 14:37:39 90112 ----a-w- c:\windows\DUMP7ffd.tmp

2010-11-20 14:36:08 90112 ----a-w- c:\windows\DUMP7fbf.tmp

2010-11-20 14:34:37 90112 ----a-w- c:\windows\DUMP807a.tmp

2010-11-20 14:33:05 90112 ----a-w- c:\windows\DUMP7ec5.tmp

2010-11-20 14:31:34 90112 ----a-w- c:\windows\DUMP80c8.tmp

2010-11-20 14:30:03 90112 ----a-w- c:\windows\DUMP7faf.tmp

2010-11-20 14:08:03 90112 ----a-w- c:\windows\DUMP755f.tmp

2010-11-20 14:06:34 90112 ----a-w- c:\windows\DUMP6a72.tmp

2010-11-20 14:05:05 90112 ----a-w- c:\windows\DUMP76d5.tmp

2010-11-20 14:03:36 90112 ----a-w- c:\windows\DUMP7658.tmp

2010-11-20 14:02:08 90112 ----a-w- c:\windows\DUMP759d.tmp

2010-11-20 14:00:39 90112 ----a-w- c:\windows\DUMP7501.tmp

2010-11-20 13:59:11 90112 ----a-w- c:\windows\DUMP7639.tmp

2010-11-20 13:57:43 90112 ----a-w- c:\windows\DUMP7464.tmp

2010-11-20 13:54:46 90112 ----a-w- c:\windows\DUMP75ad.tmp

2010-11-20 13:53:17 90112 ----a-w- c:\windows\DUMP7649.tmp

2010-11-20 13:51:48 90112 ----a-w- c:\windows\DUMP762a.tmp

2010-11-20 13:50:20 90112 ----a-w- c:\windows\DUMP7530.tmp

2010-11-20 13:48:51 90112 ----a-w- c:\windows\DUMP761a.tmp

2010-11-20 12:13:07 90112 ----a-w- c:\windows\DUMP8339.tmp

2010-11-20 11:43:58 90112 ----a-w- c:\windows\DUMP6afe.tmp

2010-11-20 11:01:45 90112 ----a-w- c:\windows\DUMP6958.tmp

2010-11-20 10:49:53 90112 ----a-w- c:\windows\DUMP6f26.tmp

2010-11-20 10:48:27 90112 ----a-w- c:\windows\DUMP6a04.tmp

2010-11-20 10:47:02 90112 ----a-w- c:\windows\DUMP6e88.tmp

2010-11-20 10:45:35 90112 ----a-w- c:\windows\DUMP72ce.tmp

2010-11-20 10:44:09 90112 ----a-w- c:\windows\DUMP7510.tmp

2010-11-20 10:42:40 90112 ----a-w- c:\windows\DUMP6ed7.tmp

2010-11-20 10:41:14 90112 ----a-w- c:\windows\DUMP6f73.tmp

2010-11-20 10:39:48 90112 ----a-w- c:\windows\DUMP6e69.tmp

2010-11-20 10:38:22 90112 ----a-w- c:\windows\DUMP7550.tmp

2010-11-20 10:36:54 90112 ----a-w- c:\windows\DUMP755e.tmp

2010-11-20 10:35:26 90112 ----a-w- c:\windows\DUMP756f.tmp

2010-11-20 10:33:58 90112 ----a-w- c:\windows\DUMP6f25.tmp

2010-11-20 10:32:32 90112 ----a-w- c:\windows\DUMP73d8.tmp

2010-11-20 10:31:04 90112 ----a-w- c:\windows\DUMP6f15.tmp

2010-11-20 10:29:38 90112 ----a-w- c:\windows\DUMP6ee6.tmp

2010-11-20 10:28:12 90112 ----a-w- c:\windows\DUMP756e.tmp

2010-11-20 10:26:44 90112 ----a-w- c:\windows\DUMP75cc.tmp

2010-11-20 10:25:16 90112 ----a-w- c:\windows\DUMP754f.tmp

2010-11-20 10:14:03 90112 ----a-w- c:\windows\DUMP6bc9.tmp

2010-11-20 10:12:38 90112 ----a-w- c:\windows\DUMP72fd.tmp

2010-11-20 10:11:12 90112 ----a-w- c:\windows\DUMP72de.tmp

2010-11-20 10:10:05 90112 ----a-w- c:\windows\DUMP7222.tmp

2010-11-20 10:08:40 90112 ----a-w- c:\windows\DUMP6c94.tmp

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-18 09:28:58 90112 ----a-w- c:\windows\DUMP800d.tmp

2010-11-18 09:15:30 90112 ----a-w- c:\windows\DUMP7781.tmp

2010-11-18 09:14:15 90112 ----a-w- c:\windows\DUMP86d3.tmp

2010-11-18 09:12:47 90112 ----a-w- c:\windows\DUMP858b.tmp

2010-11-18 09:07:29 90112 ----a-w- c:\windows\DUMP86a4.tmp

2010-11-18 09:06:17 90112 ----a-w- c:\windows\DUMP8627.tmp

2010-11-18 09:04:50 90112 ----a-w- c:\windows\DUMP855c.tmp

2010-11-18 09:03:23 90112 ----a-w- c:\windows\DUMP7f61.tmp

2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll

2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx

2010-11-05 05:05:35 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-11-03 12:59:07 369664 ----a-w- c:\windows\system32\html.iec

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD400BB-23JHA1 rev.06.01C06 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x868C7555]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x868cd7b0]; MOV EAX, [0x868cd82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86878AB8]

3 CLASSPNP[0xF74C7FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000063[0x86892F18]

5 ACPI[0xF743E620] -> nt!IofCallDriver[0x804E37D5] -> [0x868B3940]

\Driver\atapi[0x868EC460] -> IRP_MJ_CREATE -> 0x868C7555

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400BB-23JHA1______________________06.01C06#4457572d4143434d383130363537203020202020#{5

3f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x868C739B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

============= FINISH: 18:17:56.50 ===============

mbam_log_2010_12_26__20_49_04_.txt

mbam_log_2010_12_29__16_53_02_.txt

Attach.zip

hijackthis291210.txt

Link to post
Share on other sites

Hello and welcome! Looks like you have a nasty rootkit on board.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Link to post
Share on other sites

Hello Elise. Thank you for the advice and instructions.

We discovered the problem not long after it happened we think (if I understand the warning messages in the System error log correctly) and thankfully hadn't used it for any online banking. So I hope we are safe in that area.

The PC with the malware is an older one and I tried to reinstall Windows on it about a month or so ago but it failed. So I'm following your instructions in order to clean it. I understand that it may never be safe and will keep it offline indefinitely. I may try to reinstall an OS on it someday possibly but not in the near future.

I also have a wireless laptop. If this rootkit thing is on the wired PC could it have somehow propagated itself to the laptop via the router somehow? Is that possible or am I just being paranoid?

I had lots of difficulties removing the anti-virus program. But finally did and got the combofix to run. I'm attaching the log.

Thanks again,

Chrystal

ComboFix.txt

Link to post
Share on other sites

Hi Chrystal,

This rootkit itself does not spread, but its hard to be sure since other malware can be present as well.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Link to post
Share on other sites

2010/12/30 18:51:13.0593 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46

2010/12/30 18:51:13.0593 ================================================================================

2010/12/30 18:51:13.0593 SystemInfo:

2010/12/30 18:51:13.0593

2010/12/30 18:51:13.0593 OS Version: 5.1.2600 ServicePack: 3.0

2010/12/30 18:51:13.0593 Product type: Workstation

2010/12/30 18:51:13.0593 ComputerName: CHRYSTALSPC

2010/12/30 18:51:13.0593 UserName: Chrystal

2010/12/30 18:51:13.0593 Windows directory: C:\WINDOWS

2010/12/30 18:51:13.0593 System windows directory: C:\WINDOWS

2010/12/30 18:51:13.0593 Processor architecture: Intel x86

2010/12/30 18:51:13.0593 Number of processors: 1

2010/12/30 18:51:13.0593 Page size: 0x1000

2010/12/30 18:51:13.0593 Boot type: Normal boot

2010/12/30 18:51:13.0593 ================================================================================

2010/12/30 18:51:13.0828 Initialize success

2010/12/30 18:51:20.0187 ================================================================================

2010/12/30 18:51:20.0187 Scan started

2010/12/30 18:51:20.0187 Mode: Manual;

2010/12/30 18:51:20.0187 ================================================================================

2010/12/30 18:51:20.0859 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/12/30 18:51:21.0046 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/12/30 18:51:21.0359 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/12/30 18:51:21.0593 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/12/30 18:51:22.0218 ALCXWDM (a73c58f6214795044e49d4b120c89d9d) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2010/12/30 18:51:22.0609 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys

2010/12/30 18:51:23.0234 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/12/30 18:51:23.0437 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/12/30 18:51:23.0750 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/12/30 18:51:23.0937 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/12/30 18:51:24.0046 BCASPROT (794ce0f2d1fd719b9cd8cb1f1f4402fd) C:\Program Files\Systweak\Advanced System Protector\sasprot32.sys

2010/12/30 18:51:24.0218 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/12/30 18:51:24.0593 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/12/30 18:51:24.0734 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2010/12/30 18:51:25.0046 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/12/30 18:51:25.0156 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/12/30 18:51:25.0406 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/12/30 18:51:25.0875 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/12/30 18:51:26.0062 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/12/30 18:51:26.0281 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/12/30 18:51:26.0328 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/12/30 18:51:26.0437 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/12/30 18:51:26.0718 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/12/30 18:51:26.0812 drvmcdb (7f056a52bcba3102d2d37a4a2646c807) C:\WINDOWS\system32\drivers\drvmcdb.sys

2010/12/30 18:51:26.0984 drvnddm (d3c1e501ed42e77574b3095309dd4075) C:\WINDOWS\system32\drivers\drvnddm.sys

2010/12/30 18:51:27.0156 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/12/30 18:51:27.0312 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/12/30 18:51:27.0437 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/12/30 18:51:27.0640 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/12/30 18:51:27.0828 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/12/30 18:51:28.0000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/12/30 18:51:28.0187 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/12/30 18:51:28.0531 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys

2010/12/30 18:51:28.0765 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

2010/12/30 18:51:28.0890 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/12/30 18:51:29.0031 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/12/30 18:51:29.0250 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/12/30 18:51:29.0609 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/12/30 18:51:29.0796 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/12/30 18:51:30.0140 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/12/30 18:51:30.0312 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/12/30 18:51:30.0484 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/12/30 18:51:30.0718 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/12/30 18:51:30.0906 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/12/30 18:51:31.0156 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/12/30 18:51:31.0343 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/12/30 18:51:31.0437 ISWKL (5c7c9ea45700f5187f71eb7b0dab18c5) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys

2010/12/30 18:51:31.0640 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/12/30 18:51:31.0828 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/12/30 18:51:32.0015 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/12/30 18:51:32.0156 Lavasoft Kernexplorer (0bd6d3f477df86420de942a741dabe37) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys

2010/12/30 18:51:32.0328 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys

2010/12/30 18:51:32.0578 MASPINT (a2ae666cee860babe7fa6f1662b71737) C:\WINDOWS\system32\drivers\MASPINT.sys

2010/12/30 18:51:32.0750 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/12/30 18:51:32.0906 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/12/30 18:51:33.0062 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/12/30 18:51:33.0203 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/12/30 18:51:33.0343 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/12/30 18:51:33.0484 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys

2010/12/30 18:51:33.0812 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/12/30 18:51:34.0000 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/12/30 18:51:34.0203 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/12/30 18:51:34.0375 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/12/30 18:51:34.0453 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/12/30 18:51:34.0609 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/12/30 18:51:34.0796 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/12/30 18:51:34.0890 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys

2010/12/30 18:51:35.0046 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/12/30 18:51:35.0203 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2010/12/30 18:51:35.0406 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/12/30 18:51:35.0546 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2010/12/30 18:51:35.0656 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/12/30 18:51:35.0812 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/12/30 18:51:35.0921 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/12/30 18:51:36.0062 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/12/30 18:51:36.0203 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/12/30 18:51:36.0296 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/12/30 18:51:36.0531 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys

2010/12/30 18:51:36.0718 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/12/30 18:51:36.0906 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/12/30 18:51:37.0093 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/12/30 18:51:37.0281 nv (c060c87ff7bcf8943b99aef5e044de2a) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/12/30 18:51:37.0437 NVENET (1cf77b30dee5c75dea1eee697281802c) C:\WINDOWS\system32\DRIVERS\NVENET.sys

2010/12/30 18:51:37.0593 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/12/30 18:51:37.0671 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/12/30 18:51:37.0937 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/12/30 18:51:38.0093 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/12/30 18:51:38.0187 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/12/30 18:51:38.0359 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/12/30 18:51:38.0578 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/12/30 18:51:38.0703 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/12/30 18:51:39.0359 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/12/30 18:51:39.0546 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/12/30 18:51:39.0625 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/12/30 18:51:39.0812 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/12/30 18:51:39.0984 PxHelp20 (db3b30c3a4cdcf07e164c14584d9d0f2) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys

2010/12/30 18:51:40.0546 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/12/30 18:51:40.0671 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/12/30 18:51:40.0828 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/12/30 18:51:40.0968 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/12/30 18:51:41.0062 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/12/30 18:51:41.0218 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/12/30 18:51:41.0343 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/12/30 18:51:41.0515 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/12/30 18:51:41.0671 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/12/30 18:51:41.0781 SBRE (c1ae5d1f53285d79a0b73a62af20734f) C:\WINDOWS\system32\drivers\SBREdrv.sys

2010/12/30 18:51:41.0937 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/12/30 18:51:42.0125 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/12/30 18:51:42.0281 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/12/30 18:51:42.0421 SetupNT (549ea830a5d9edd9cd14311126c2849b) C:\WINDOWS\system32\SetupNT.sys

2010/12/30 18:51:42.0578 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/12/30 18:51:42.0765 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/12/30 18:51:42.0968 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/12/30 18:51:43.0125 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/12/30 18:51:43.0265 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/12/30 18:51:43.0421 sscdbhk5 (328e8bb94ec58480f60458fb4b8437a7) C:\WINDOWS\system32\drivers\sscdbhk5.sys

2010/12/30 18:51:43.0500 ssrtln (7ec8b427cee5c0cdac066320b93f1355) C:\WINDOWS\system32\drivers\ssrtln.sys

2010/12/30 18:51:43.0640 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/12/30 18:51:43.0781 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/12/30 18:51:43.0968 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/12/30 18:51:44.0406 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/12/30 18:51:44.0593 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/12/30 18:51:44.0750 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/12/30 18:51:44.0843 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/12/30 18:51:44.0968 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/12/30 18:51:45.0046 tfsnboio (c229bf90443be8d3bd2b65d7f3ac0f35) C:\WINDOWS\system32\dla\tfsnboio.sys

2010/12/30 18:51:45.0171 tfsncofs (79ee9fcd7728e54ab8fbc30962f0416f) C:\WINDOWS\system32\dla\tfsncofs.sys

2010/12/30 18:51:45.0296 tfsndrct (9efb37e7de17d783a059b653f7e8afad) C:\WINDOWS\system32\dla\tfsndrct.sys

2010/12/30 18:51:45.0484 tfsndres (130254995ebedcb34d62e8d78ec9dbd0) C:\WINDOWS\system32\dla\tfsndres.sys

2010/12/30 18:51:45.0671 tfsnifs (9b40e1e4aeed849812a2e43a388a7e77) C:\WINDOWS\system32\dla\tfsnifs.sys

2010/12/30 18:51:45.0812 tfsnopio (818047ad850b312705aa17ca96b9427d) C:\WINDOWS\system32\dla\tfsnopio.sys

2010/12/30 18:51:45.0937 tfsnpool (4603e813bcc6dd465cd8d2afd37fa90d) C:\WINDOWS\system32\dla\tfsnpool.sys

2010/12/30 18:51:46.0062 tfsnudf (6fc2cd904a9a55acfdfc780a611a75ed) C:\WINDOWS\system32\dla\tfsnudf.sys

2010/12/30 18:51:46.0140 tfsnudfa (d4afa4d00f8db3fd1c15b3fe49c3a96c) C:\WINDOWS\system32\dla\tfsnudfa.sys

2010/12/30 18:51:46.0359 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/12/30 18:51:46.0609 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/12/30 18:51:46.0781 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys

2010/12/30 18:51:46.0984 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2010/12/30 18:51:47.0125 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/12/30 18:51:47.0218 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/12/30 18:51:47.0375 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/12/30 18:51:47.0484 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/12/30 18:51:47.0625 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/12/30 18:51:47.0750 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/12/30 18:51:47.0921 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/12/30 18:51:48.0156 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/12/30 18:51:48.0406 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys

2010/12/30 18:51:48.0687 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/12/30 18:51:48.0890 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/12/30 18:51:49.0109 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/12/30 18:51:49.0250 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/12/30 18:51:49.0500 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/12/30 18:51:49.0562 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/12/30 18:51:49.0578 ================================================================================

2010/12/30 18:51:49.0578 Scan finished

2010/12/30 18:51:49.0578 ================================================================================

2010/12/30 18:51:49.0593 Detected object count: 1

2010/12/30 18:52:09.0640 \HardDisk0 - will be cured after reboot

2010/12/30 18:52:09.0640 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2010/12/30 18:52:28.0640 Deinitialize success

Link to post
Share on other sites

I'm hoping this has done the trick. Thanks, Chrystal

ComboFix 10-12-29.02 - Chrystal 30/12/2010 22:05:00.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.991.566 [GMT 0:00]

Running from: c:\documents and settings\Chrystal\My Documents\Downloads\ComboFix.exe

AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-30 )))))))))))))))))))))))))))))))

.

2010-12-30 15:15 . 2010-12-30 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-12-29 14:01 . 2010-12-29 14:01 -------- d-----w- C:\SYSTEM.SAV

2010-12-29 14:01 . 2002-12-05 14:12 692224 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll

2010-12-29 14:01 . 2002-12-05 14:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll

2010-12-29 14:01 . 2002-12-02 15:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe

2010-12-29 14:01 . 2002-12-02 13:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll

2010-12-29 14:01 . 2002-12-02 13:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll

2010-12-29 14:01 . 2010-12-29 14:01 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll

2010-12-29 14:01 . 2010-12-29 14:01 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll

2010-12-29 12:05 . 2010-12-29 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro

2010-12-28 21:09 . 2010-12-28 21:09 -------- d-----w- c:\program files\WinPcap

2010-12-28 17:30 . 2010-12-28 17:30 388096 ----a-r- c:\documents and settings\Chrystal\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-12-28 17:30 . 2010-12-28 21:08 -------- d-----w- c:\program files\Trend Micro

2010-12-28 12:01 . 2010-12-26 19:06 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-12-28 11:20 . 2010-12-28 11:20 -------- d-----w- c:\documents and settings\Chrystal\Application Data\CheckPoint

2010-12-28 11:19 . 2010-12-29 15:47 -------- d-----w- c:\documents and settings\Chrystal\Local Settings\Application Data\Conduit

2010-12-28 11:19 . 2010-12-28 11:19 -------- d-----w- c:\program files\Conduit

2010-12-28 11:19 . 2010-12-29 15:47 -------- d-----w- c:\documents and settings\Chrystal\Local Settings\Application Data\ZoneAlarm_Security

2010-12-28 11:19 . 2010-12-28 11:19 -------- d-----w- c:\program files\ZoneAlarm_Security

2010-12-28 11:18 . 2010-12-28 11:18 -------- d-----w- c:\program files\CheckPoint

2010-12-28 11:18 . 2010-11-16 17:45 69120 ----a-w- c:\windows\system32\zlcomm.dll

2010-12-28 11:18 . 2010-11-16 17:45 104448 ----a-w- c:\windows\system32\zlcommdb.dll

2010-12-28 11:18 . 2010-11-16 17:45 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2010-12-28 11:18 . 2010-12-28 11:20 -------- d-----w- c:\windows\system32\ZoneLabs

2010-12-28 11:18 . 2010-12-28 11:18 -------- d-----w- c:\program files\Zone Labs

2010-12-28 11:17 . 2010-12-30 22:04 -------- d-----w- c:\windows\Internet Logs

2010-12-27 16:15 . 2010-11-16 12:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{14D23C52-7EB7-4956-B4DA-B6130BAED09D}\mpengine.dll

2010-12-27 16:11 . 2010-12-27 16:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth

2010-12-27 16:11 . 2010-12-27 16:12 -------- d-----w- c:\program files\Microsoft Security Client

2010-12-27 11:28 . 2010-12-27 11:28 -------- d-----w- c:\documents and settings\Chrystal\Application Data\Systweak

2010-12-27 11:28 . 2010-12-27 11:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Systweak

2010-12-27 11:27 . 2010-12-27 11:27 -------- d-----w- c:\program files\Systweak

2010-12-27 11:27 . 2008-11-10 19:49 17136 ----a-w- c:\windows\system32\sasnative32.exe

2010-12-27 10:55 . 2010-12-27 10:55 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-12-27 10:07 . 2010-12-28 17:26 -------- d-----w- c:\documents and settings\Chrystal\Application Data\IObit

2010-12-27 10:07 . 2010-12-27 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-12-27 10:07 . 2010-12-28 17:07 -------- d-----w- c:\program files\IObit

2010-12-26 20:42 . 2010-12-26 20:42 -------- d-----w- c:\documents and settings\Chrystal\Application Data\Malwarebytes

2010-12-26 20:42 . 2010-12-26 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-12-26 20:42 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-26 20:42 . 2010-12-26 20:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-26 20:42 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-26 19:21 . 2010-12-03 09:05 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-12-26 19:06 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-12-26 19:06 . 2010-12-26 19:06 -------- d-----w- c:\documents and settings\Chrystal\Local Settings\Application Data\Sunbelt Software

2010-12-26 18:36 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{4B65A1C5-5321-4316-9CD0-882E47092EEA}\mpengine.dll

2010-12-26 17:03 . 2010-12-26 17:03 -------- d-----w- c:\windows\system32\wbem\Repository

2010-12-26 16:23 . 2010-12-26 19:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2010-12-16 12:27 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-16 12:24 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2010-12-07 20:53 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-12-07 20:53 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-12-07 20:53 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-12-07 20:50 . 2009-08-13 15:16 512000 -c----w- c:\windows\system32\dllcache\jscript.dll

2010-12-06 20:25 . 2010-12-06 20:25 -------- d-----w- c:\windows\system32\scripting

2010-12-06 20:25 . 2010-12-06 20:25 -------- d-----w- c:\windows\l2schemas

2010-12-06 20:25 . 2010-12-06 20:25 -------- d-----w- c:\windows\system32\en

2010-12-06 20:25 . 2010-12-06 20:25 -------- d-----w- c:\windows\system32\bits

2010-12-06 20:04 . 2009-07-31 10:05 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll

2010-12-06 20:03 . 2008-04-14 00:12 10752 ------w- c:\windows\system32\smtpapi.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-21 11:26 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP690a.tmp

2010-11-20 15:47 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7724.tmp

2010-11-20 14:37 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7ffd.tmp

2010-11-20 14:36 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7fbf.tmp

2010-11-20 14:34 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP807a.tmp

2010-11-20 14:33 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7ec5.tmp

2010-11-20 14:31 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP80c8.tmp

2010-11-20 14:30 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7faf.tmp

2010-11-20 14:08 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP755f.tmp

2010-11-20 14:06 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6a72.tmp

2010-11-20 14:05 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP76d5.tmp

2010-11-20 14:03 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7658.tmp

2010-11-20 14:02 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP759d.tmp

2010-11-20 14:00 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7501.tmp

2010-11-20 13:59 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7639.tmp

2010-11-20 13:57 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7464.tmp

2010-11-20 13:54 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP75ad.tmp

2010-11-20 13:53 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7649.tmp

2010-11-20 13:51 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP762a.tmp

2010-11-20 13:50 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7530.tmp

2010-11-20 13:48 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP761a.tmp

2010-11-20 12:13 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP8339.tmp

2010-11-20 11:43 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6afe.tmp

2010-11-20 11:01 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6958.tmp

2010-11-20 10:49 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6f26.tmp

2010-11-20 10:48 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6a04.tmp

2010-11-20 10:47 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6e88.tmp

2010-11-20 10:45 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP72ce.tmp

2010-11-20 10:44 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7510.tmp

2010-11-20 10:42 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6ed7.tmp

2010-11-20 10:41 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6f73.tmp

2010-11-20 10:39 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6e69.tmp

2010-11-20 10:38 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7550.tmp

2010-11-20 10:36 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP755e.tmp

2010-11-20 10:35 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP756f.tmp

2010-11-20 10:33 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6f25.tmp

2010-11-20 10:32 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP73d8.tmp

2010-11-20 10:31 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6f15.tmp

2010-11-20 10:29 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6ee6.tmp

2010-11-20 10:28 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP756e.tmp

2010-11-20 10:26 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP75cc.tmp

2010-11-20 10:25 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP754f.tmp

2010-11-20 10:14 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6bc9.tmp

2010-11-20 10:12 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP72fd.tmp

2010-11-20 10:11 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP72de.tmp

2010-11-20 10:10 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP7222.tmp

2010-11-20 10:08 . 2010-11-18 21:51 90112 ----a-w- c:\windows\DUMP6c94.tmp

2010-11-18 18:12 . 2006-04-12 03:31 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-18 09:28 . 2006-04-11 22:18 90112 ----a-w- c:\windows\DUMP800d.tmp

2010-11-18 09:15 . 2006-04-11 22:18 90112 ----a-w- c:\windows\DUMP7781.tmp

2010-11-18 09:14 . 2006-04-11 22:18 90112 ----a-w- c:\windows\DUMP86d3.tmp

2010-11-18 09:12 . 2006-04-11 22:18 90112 ----a-w- c:\windows\DUMP858b.tmp

2010-11-18 09:07 . 2006-04-11 22:18 90112 ----a-w- c:\windows\DUMP86a4.tmp

2010-11-18 09:06 . 2006-04-11 22:18 90112 ----a-w- c:\windows\DUMP8627.tmp

2010-11-18 09:04 . 2006-04-11 22:18 90112 ----a-w- c:\windows\DUMP855c.tmp

2010-11-18 09:03 . 2006-04-11 22:18 90112 ----a-w- c:\windows\DUMP7f61.tmp

2010-11-10 04:33 . 2006-04-17 02:37 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2010-11-05 05:05 . 2002-08-29 09:41 667136 ----a-w- c:\windows\system32\wininet.dll

2010-11-05 05:05 . 2001-08-23 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx

2010-11-05 05:05 . 2006-04-12 04:11 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-11-03 12:59 . 2006-04-12 04:11 369664 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2001-08-23 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2002-08-29 08:14 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-10-24 21:25 . 2010-10-24 21:25 165264 ------w- c:\windows\system32\drivers\MpFilter.sys

2010-10-19 10:41 . 2009-10-04 15:52 222080 ------w- c:\windows\system32\MpSigStub.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-12-30_16.01.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-12-30 21:52 . 2010-12-30 21:52 16384 c:\windows\Temp\Perflib_Perfdata_7a8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

2010-12-01 11:27 2735200 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 2037240]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-11-16 1043968]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-11-05 738808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0sasnative32

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]

2010-12-16 16:19 2402512 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

2003-08-06 06:04 114741 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-01-09 12:17 135664 ----atw- c:\documents and settings\Chrystal\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Security 360]

2010-06-11 18:14 1280344 ----a-w- c:\program files\IObit\IObit Security 360\is360tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-03-26 00:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

2006-01-19 16:06 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]

2010-11-30 13:20 997408 ----a-w- c:\program files\Microsoft Security Client\msseces.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2003-01-10 14:04 4263936 ----a-r- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2003-01-10 14:04 315392 ----a-r- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]

2002-02-05 03:32 53248 ------w- c:\program files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2005-01-27 13:35 77824 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]

2003-02-13 06:01 155648 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-01-16 09:06 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trend Micro RUBotted V2.0 Beta]

2010-12-17 09:33 1103184 ----a-w- c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 15:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [26/12/2010 19:06 64288]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [28/12/2010 12:01 98392]

R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [27/12/2010 10:07 312152]

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [05/11/2010 11:41 26872]

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [05/11/2010 11:41 488952]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 18:19 50704]

R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [28/12/2010 21:08 439632]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/12/2010 09:05 1389400]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [04/11/2006 00:19 13592]

S3 BCASPROT;Advanced System Protector;c:\program files\Systweak\Advanced System Protector\sasprot32.sys [27/12/2010 11:28 6656]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [03/12/2010 09:05 15264]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd25

.

Contents of the 'Scheduled Tasks' folder

2010-12-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]

2010-12-27 c:\windows\Tasks\defrag.job

- c:\windows\system32\defrag.exe [2002-08-29 00:12]

2010-12-30 c:\windows\Tasks\Disk Cleanup.job

- c:\windows\system32\cleanmgr.exe [2001-08-23 00:12]

2010-12-30 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 12:26]

2010-12-29 c:\windows\Tasks\Windows Defender.job

- c:\progra~1\WINDOW~4\MSASCui.exe [2006-11-04 00:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.goodsearch.com/Default.aspx

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

Trusted Zone: irs.gov\www

Trusted Zone: live365.com\www

Trusted Zone: musicmatch.com\online

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Chrystal\Application Data\Mozilla\Firefox\Profiles\5476ut44.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/Default.aspx

FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=62125&p=

FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org

FF - Ext: AAdvantage eShoppingSM Toolbar: {861d02ef-6fd9-4ce1-954a-90ee3a4de31c} - %profile%\extensions\{861d02ef-6fd9-4ce1-954a-90ee3a4de31c}

FF - Ext: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - %profile%\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-30 22:11

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\ActiveX Compatibility\{9B2719DD-B696-11D0-A48*-00C04F*91AC0}]

"Compatibility Flags"=dword:00000400

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(760)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(1220)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-12-30 22:14:00

ComboFix-quarantined-files.txt 2010-12-30 22:13

ComboFix2.txt 2010-12-30 16:06

Pre-Run: 13,571,903,488 bytes free

Post-Run: 13,550,735,360 bytes free

- - End Of File - - E23BBFBA0A28E7A59F129A65228937AF

Link to post
Share on other sites

Hello there, that looks good indeed!

Your version of Adobe Reader is outdated. Older versions have known security vulnerabilities that can be exploited by Malware. I recommend you visit the Adobe site and download the latest version.

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 23 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

TWO ANTIVIRUS PROGRAMS

---------------------------------------

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either AdAware Antivirus or Microsoft Security Essentials.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

Link to post
Share on other sites

Hi Chrystal, no more malware there. :)

Do you have any problem left (is the MP3 player/USB problem resolved)?

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS and GMER (this is a random named file).

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Link to post
Share on other sites

  • 1 month later...
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.