
Hijacked still


KennyC

I had gone through several steps as instructed, including ComboFix and TDSSKiller, and just when I thought it was all clear it came back full force. It redirects my internet and prevents Windows Update. Also my Avira AntiVir continues to find at least four viruses at a time. Below are the required logs; the GMER scan restarted my computer mid-scan, so I could not attach that right away.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Compaq_Owner at 13:19:00.28 on Fri 01/14/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.453 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MSN Toolbar\Platform\4.0.0417.0\mswinext.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

svchost.exe

C:\Program Files\WOT Services\MSN Toolbar\AMPing.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe

c:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

c:\windows\system\hpsysdrv.exe

C:\Program Files\Java\jre1.5.0\bin\jusched.exe

C:\WINDOWS\explorer.exe

L:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mWinlogon: Userinit=userinit.exe,c:\program files\hp\hp software update\hpwuschd2srv.exe,c:\program files\microsoft\desktoplayer.exe,

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll

BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0417.0\npwinext.dll

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll

TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0417.0\npwinext.dll

TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run

mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [statusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto

mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0417.0\mswinext.exe"

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1295022336328

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll

Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-14 11608]

R2 AMPingService;AMPingService;c:\program files\wot services\msn toolbar\AMPing.exe [2011-1-14 26112]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-14 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-14 267944]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-14 61960]

=============== Created Last 30 ================

2011-01-14 18:18:34 0 ----a-w- c:\documents and settings\compaq_owner\defogger_reenable

2011-01-14 18:02:39 0 d-----w- c:\docume~1\compaq~1\applic~1\Avira

2011-01-14 17:26:33 0 d-----w- c:\windows\system32\NtmsData

2011-01-14 17:02:03 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-01-14 17:02:02 0 d-----w- c:\program files\Avira

2011-01-14 17:02:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2011-01-14 16:20:06 0 d-----w- c:\program files\WOT

2011-01-14 16:19:39 0 d-----w- c:\program files\MSN Toolbar

2011-01-14 16:18:14 0 d-----w- c:\program files\MSN Toolbar Installer

2011-01-14 16:18:12 0 d-----w- c:\program files\WOT Services

2011-01-14 16:17:37 251 ----a-w- c:\windows\setup.iss

2011-01-14 15:21:52 54156 ---ha-w- c:\windows\QTFont.qfn

2011-01-14 15:21:52 1409 ----a-w- c:\windows\QTFont.for

2011-01-14 14:13:53 0 d-sha-r- C:\cmdcons

2011-01-13 17:49:09 120 ----a-w- c:\windows\Stoxalog.dat

2011-01-13 17:47:58 0 d-----w- c:\program files\Yontoo Layers Client

2011-01-13 17:47:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer

2011-01-13 16:46:08 0 d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes

2011-01-13 16:46:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-01-13 16:45:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-01-13 16:45:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-01-13 16:45:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-01-13 16:11:58 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-12-17 14:06:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-12-17 14:06:17 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys

2010-12-17 14:06:10 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2010-12-17 14:06:10 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys

==================== Find3M ====================

2011-01-14 17:52:19 218112 ----a-w- c:\windows\system32\dllcache\wordpad.exe

2011-01-14 17:52:18 819200 ----a-w- c:\windows\system32\dllcache\setup_wm.exe

2011-01-14 17:52:18 73728 ----a-w- c:\windows\system32\dllcache\wmplayer.exe

2011-01-14 17:52:17 991232 ----a-w- c:\windows\system32\dllcache\migrate.exe

2011-01-14 17:52:17 344064 ----a-w- c:\windows\system32\dllcache\mpvis.dll

2011-01-14 17:48:32 45568 ----a-w- c:\windows\system32\dllcache\wab.exe

2011-01-14 17:48:32 1315328 ----a-w- c:\windows\system32\dllcache\msoe.dll

2011-01-14 17:46:42 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe

2011-01-14 17:44:01 4194304 ----a-w- c:\windows\system32\cdintf400.dll

2011-01-14 17:42:21 200704 ----a-w- c:\windows\system32\dllcache\msadox.dll

2011-01-14 17:42:21 180224 ----a-w- c:\windows\system32\dllcache\msadomd.dll

2011-01-14 17:42:21 102400 ----a-w- c:\windows\system32\dllcache\msjro.dll

2011-01-14 17:42:20 536576 ----a-w- c:\windows\system32\dllcache\msado15.dll

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-18 18:12:44 81920 ------w- c:\windows\system32\dllcache\isign32.dll

2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-09 14:52:35 249856 ------w- c:\windows\system32\dllcache\odbc32.dll

2010-11-09 14:52:35 143360 ------w- c:\windows\system32\dllcache\msadco.dll

2010-11-03 12:26:18 173568 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-11-02 15:17:02 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

2010-10-28 15:58:49 281088 ----a-w- c:\windows\system32\dllcache\webcheck.dll

2010-10-28 15:58:48 90112 ----a-w- c:\windows\system32\mshta.exe

2010-10-28 15:58:48 90112 ----a-w- c:\windows\system32\dllcache\mshta.exe

2010-10-28 15:58:48 238080 ----a-w- c:\windows\system32\dllcache\msrating.dll

2010-10-28 15:58:48 139264 ----a-w- c:\windows\system32\dllcache\inseng.dll

2010-10-28 15:58:47 63488 ----a-w- c:\windows\system32\dllcache\corpol.dll

2010-10-28 15:58:47 63488 ----a-w- c:\windows\system32\corpol.dll

2010-10-28 14:14:23 208 ----a-w- c:\docume~1\compaq~1\applic~1\wklnhst.dat

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\dllcache\atmfd.dll

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-10-26 13:25:00 1853312 ------w- c:\windows\system32\dllcache\win32k.sys

============= FINISH: 13:20:58.10 ===============

Attach.txt


OK, here you go, sir!

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5512

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/14/2011 2:23:30 PM

mbam-log-2011-01-14 (14-23-30).txt

Scan type: Quick scan

Objects scanned: 135437

Time elapsed: 7 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (userinit.exe,c:\program files\hp\hp software update\hpwuschd2srv.exe,c:\program files\microsoft\desktoplayer.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot.


Found 4 this time :P

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5512

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/14/2011 2:38:48 PM

mbam-log-2011-01-14 (14-38-48).txt

Scan type: Quick scan

Objects scanned: 135376

Time elapsed: 9 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (userinit.exe,c:\program files\microsoft\desktoplayer.exe,,c:\program files\hp\hp software update\hpwuschd2srv.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\explorersrv.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\program files\microsoft\desktoplayer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\program files\quicktime\qttasksrv.exe (Worm.Ramnit) -> Quarantined and deleted successfully.


DDS (Ver_10-03-17.01) - NTFSx86

Run by Compaq_Owner at 14:58:15.32 on Fri 01/14/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.345 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\WOT Services\MSN Toolbar\AMPing.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MSN Toolbar\Platform\4.0.0417.0\mswinext.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe

C:\WINDOWS\ALCXMNTR.EXE

c:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe

c:\windows\system\hpsysdrv.exe

C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe

C:\Program Files\Java\jre1.5.0\bin\jusched.exe

C:\Program Files\Microsoft Office\Office\EXCEL.EXE

C:\WINDOWS\msagent\AgentSvr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Avira\AntiVir Desktop\avscan.exe

L:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mWinlogon: Userinit=userinit.exe,c:\program files\hp\hp software update\hpwuschd2srv.exe,c:\program files\microsoft\desktoplayer.exe,

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll

BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0417.0\npwinext.dll

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll

TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0417.0\npwinext.dll

TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run

mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [statusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto

mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0417.0\mswinext.exe"

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1295022336328

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll

Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-14 11608]

R2 AMPingService;AMPingService;c:\program files\wot services\msn toolbar\AMPing.exe [2011-1-14 26112]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-14 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-14 267944]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-14 61960]

S0 opwqv;opwqv;c:\windows\system32\drivers\ndxkb.sys --> c:\windows\system32\drivers\ndxkb.sys [?]

=============== Created Last 30 ================

2011-01-14 18:18:34 0 ----a-w- c:\documents and settings\compaq_owner\defogger_reenable

2011-01-14 18:02:39 0 d-----w- c:\docume~1\compaq~1\applic~1\Avira

2011-01-14 17:26:33 0 d-----w- c:\windows\system32\NtmsData

2011-01-14 17:02:03 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-01-14 17:02:02 0 d-----w- c:\program files\Avira

2011-01-14 17:02:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2011-01-14 16:20:06 0 d-----w- c:\program files\WOT

2011-01-14 16:19:39 0 d-----w- c:\program files\MSN Toolbar

2011-01-14 16:18:14 0 d-----w- c:\program files\MSN Toolbar Installer

2011-01-14 16:18:12 0 d-----w- c:\program files\WOT Services

2011-01-14 16:17:37 251 ----a-w- c:\windows\setup.iss

2011-01-14 15:21:52 54156 ---ha-w- c:\windows\QTFont.qfn

2011-01-14 15:21:52 1409 ----a-w- c:\windows\QTFont.for

2011-01-14 14:13:53 0 d-sha-r- C:\cmdcons

2011-01-13 17:49:09 120 ----a-w- c:\windows\Stoxalog.dat

2011-01-13 17:47:58 0 d-----w- c:\program files\Yontoo Layers Client

2011-01-13 17:47:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer

2011-01-13 16:46:08 0 d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes

2011-01-13 16:46:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-01-13 16:45:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-01-13 16:45:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-01-13 16:45:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-01-13 16:11:58 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-12-17 14:06:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-12-17 14:06:17 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys

2010-12-17 14:06:10 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2010-12-17 14:06:10 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys

==================== Find3M ====================

2011-01-14 17:52:19 218112 ----a-w- c:\windows\system32\dllcache\wordpad.exe

2011-01-14 17:52:18 819200 ----a-w- c:\windows\system32\dllcache\setup_wm.exe

2011-01-14 17:52:18 73728 ----a-w- c:\windows\system32\dllcache\wmplayer.exe

2011-01-14 17:52:17 991232 ----a-w- c:\windows\system32\dllcache\migrate.exe

2011-01-14 17:52:17 344064 ----a-w- c:\windows\system32\dllcache\mpvis.dll

2011-01-14 17:48:32 45568 ----a-w- c:\windows\system32\dllcache\wab.exe

2011-01-14 17:48:32 1315328 ----a-w- c:\windows\system32\dllcache\msoe.dll

2011-01-14 17:46:42 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe

2011-01-14 17:44:01 4194304 ----a-w- c:\windows\system32\cdintf400.dll

2011-01-14 17:42:21 200704 ----a-w- c:\windows\system32\dllcache\msadox.dll

2011-01-14 17:42:21 180224 ----a-w- c:\windows\system32\dllcache\msadomd.dll

2011-01-14 17:42:21 102400 ----a-w- c:\windows\system32\dllcache\msjro.dll

2011-01-14 17:42:20 536576 ----a-w- c:\windows\system32\dllcache\msado15.dll

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-18 18:12:44 81920 ------w- c:\windows\system32\dllcache\isign32.dll

2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-09 14:52:35 249856 ------w- c:\windows\system32\dllcache\odbc32.dll

2010-11-09 14:52:35 143360 ------w- c:\windows\system32\dllcache\msadco.dll

2010-11-03 12:26:18 173568 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-11-02 15:17:02 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

2010-10-28 15:58:49 281088 ----a-w- c:\windows\system32\dllcache\webcheck.dll

2010-10-28 15:58:48 90112 ----a-w- c:\windows\system32\mshta.exe

2010-10-28 15:58:48 90112 ----a-w- c:\windows\system32\dllcache\mshta.exe

2010-10-28 15:58:48 238080 ----a-w- c:\windows\system32\dllcache\msrating.dll

2010-10-28 15:58:48 139264 ----a-w- c:\windows\system32\dllcache\inseng.dll

2010-10-28 15:58:47 63488 ----a-w- c:\windows\system32\dllcache\corpol.dll

2010-10-28 15:58:47 63488 ----a-w- c:\windows\system32\corpol.dll

2010-10-28 14:14:23 208 ----a-w- c:\docume~1\compaq~1\applic~1\wklnhst.dat

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\dllcache\atmfd.dll

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-10-26 13:25:00 1853312 ------w- c:\windows\system32\dllcache\win32k.sys

============= FINISH: 14:59:38.76 ===============

Attach.txt


We had these before, but I don't see them now. I'll look over the DDS log.

2011-01-13 18:28:46 43008 ----a-w- c:\windows\system32\regsvr32Srv.exe

2011-01-13 18:21:00 182784 --sh--r- C:\yveqsh93.exe

2011-01-13 18:20:34 182784 --sh--r- c:\windows\system32\mgking.exe

2011-01-13 18:20:34 117248 --sh--r- c:\windows\system32\mgking0.dll


Please go to http://www.virustotal.com/en/indexf.html, click on Browse, and upload the following file for analysis:

c:\windows\system32\drivers\ndxkb.sys

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If virscan.org is too busy, you can try these.

http://virscan.org/

http://www.kaspersky.com/scanforvirus.html


Here you go. I'll be gone till Monday after this post.

ComboFix 11-01-14.01 - Compaq_Owner 01/14/2011 16:26:34.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.610 [GMT -5:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe

c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

c:\program files\HP\HP Software Update\HPwuSchd2.exe

c:\program files\Internet Explorer\dmlconf.dat

c:\program files\Microsoft\DesktopLayer.exe

c:\program files\QuickTime\qttask.exe

Infected copy of c:\windows\system32\corpol.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\corpol.dll

.

((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))

.

2011-01-14 21:37 . 2011-01-14 21:37 43008 ----a-w- c:\windows\ExplorerSrv.exe

2011-01-14 21:16 . 2011-01-14 21:17 -------- d-----w- C:\32788R22FWJFW

2011-01-14 18:02 . 2011-01-14 18:02 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Avira

2011-01-14 17:26 . 2011-01-14 18:28 -------- d-----w- c:\windows\system32\NtmsData

2011-01-14 17:02 . 2010-12-13 13:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-01-14 17:02 . 2010-12-13 13:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-01-14 17:02 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-01-14 17:02 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-01-14 17:02 . 2011-01-14 17:02 -------- d-----w- c:\program files\Avira

2011-01-14 17:02 . 2011-01-14 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-01-14 16:20 . 2011-01-14 16:20 -------- d-----w- c:\program files\WOT

2011-01-14 16:19 . 2011-01-14 16:19 -------- d-----w- c:\program files\MSN Toolbar

2011-01-14 16:19 . 2011-01-14 16:19 -------- d-----w- c:\program files\Microsoft Silverlight

2011-01-14 16:18 . 2011-01-14 16:19 -------- d-----w- c:\program files\MSN Toolbar Installer

2011-01-14 16:18 . 2011-01-14 16:18 -------- d-----w- c:\program files\WOT Services

2011-01-14 16:17 . 2011-01-14 20:13 798720 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll

2011-01-14 16:17 . 2011-01-14 20:13 319488 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll

2011-01-14 16:17 . 2011-01-14 20:13 229376 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll

2011-01-14 16:17 . 2005-04-04 04:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll

2011-01-14 16:17 . 2005-04-04 03:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe

2011-01-14 16:17 . 2005-04-04 03:57 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll

2011-01-14 16:17 . 2011-01-14 16:17 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll

2011-01-14 16:17 . 2011-01-14 16:17 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll

2011-01-14 15:21 . 2011-01-14 15:21 1409 ----a-w- c:\windows\QTFont.for

2011-01-13 18:02 . 2011-01-13 18:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2011-01-13 17:47 . 2011-01-13 17:47 -------- d-----w- c:\program files\Yontoo Layers Client

2011-01-13 17:47 . 2011-01-13 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer

2011-01-13 16:46 . 2011-01-13 16:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes

2011-01-13 16:46 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-01-13 16:45 . 2011-01-13 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-01-13 16:45 . 2011-01-13 16:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-01-13 16:45 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-01-13 15:13 . 2011-01-13 15:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-12-17 14:06 . 2008-04-13 19:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-12-17 14:06 . 2008-04-13 19:47 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys

2010-12-17 14:06 . 2008-04-13 19:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2010-12-17 14:06 . 2008-04-13 19:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-14 17:44 . 2010-10-28 14:00 4194304 ----a-w- c:\windows\system32\cdintf400.dll

2010-11-18 18:12 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-11-02 13:25 . 2010-11-02 13:25 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll

2010-11-02 13:25 . 2010-11-02 13:25 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe

2010-11-02 13:25 . 2010-11-02 13:25 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe

2010-11-02 13:25 . 2010-11-02 13:25 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll

2010-11-02 13:25 . 2010-11-02 13:25 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll

2010-11-02 13:25 . 2010-11-02 13:25 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll

2010-11-02 13:25 . 2010-11-02 13:25 287310 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection.dll

2010-11-02 13:25 . 2010-11-02 13:25 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll

2010-10-28 15:58 . 2004-08-04 12:00 90112 ----a-w- c:\windows\system32\mshta.exe

2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

2010-12-20 18:09 191488 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-03 180269]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]

"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0417.0\mswinext.exe" [2010-07-06 240480]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-9-3 36903]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-11-9 1154848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=

"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 AMPingService;AMPingService;c:\program files\WOT Services\MSN Toolbar\AMPing.exe [1/14/2011 11:18 AM 26112]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/14/2011 12:02 PM 135336]

S0 opwqv;opwqv;c:\windows\system32\drivers\ndxkb.sys --> c:\windows\system32\drivers\ndxkb.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-HPBootOp - c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPwuSchd2.exe

HKLM-Run-StatusClient 2.6 - c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

HKLM-Run-TomcatStartup 2.5 - c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe

HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-14 16:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(616)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4044)

c:\windows\system32\WININET.dll

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Internet Explorer\iexplore.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-01-14 16:44:57 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-14 21:44

ComboFix2.txt 2011-01-14 14:37

Pre-Run: 137,117,323,264 bytes free

Post-Run: 137,311,088,640 bytes free

- - End Of File - - 97FA642A007E423A05F92EB215361893


This could turn out to be a Ramnit infection that can't be cleaned.

We will know if it keeps regenerating infected files.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run, type Notepad, and click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\windows\system32\drivers\ndxkb.sys
c:\program files\microsoft\desktoplayer.exe

Driver::
opwqv

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

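An added example, not part of this thread and not ComboFix's or the helper's own code: a small Python checker that takes ComboFix-style "Reg Loading Points" text and flags the two persistence indicators the CFScript above is written to undo. The first is a Winlogon Userinit value that launches anything besides userinit.exe (the log above shows desktoplayer.exe appended after a doubled comma); the second is a service whose driver file ComboFix marks as missing with "[?]" (the opwqv service pointing at ndxkb.sys). The sample log text inside the block is constructed from the lines posted above, and the two regular expressions only cover those two line shapes, not the whole ComboFix format.

```python
"""Flag Userinit tampering and missing-file services in ComboFix-style log text.

Added example for this thread; it is not ComboFix code and was not posted by the
helper. It understands only two line shapes seen in the posted logs: the Winlogon
"Userinit" value, and "R2/S0 name;display;path [info]" service lines, where
ComboFix prints "[?]" when the service's image file is not on disk.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, shaped like the "Reg Loading Points" lines in the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/14/2011 12:02 PM 135336]
S0 opwqv;opwqv;c:\windows\system32\drivers\ndxkb.sys --> c:\windows\system32\drivers\ndxkb.sys [?]
"""

# The only executable a clean Userinit value should launch.
EXPECTED_USERINIT = "userinit.exe"

USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>.*)"\s*$', re.IGNORECASE)
# start type, service name, display name, image path, optional "--> resolved path", "[info]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)"
    r"(?:\s+-->\s+(?P<resolved>.*?))?\s+\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class Finding:
    kind: str    # "userinit_extra" or "service_missing_file"
    detail: str  # the offending path, or "service -> path"


def parse_userinit(value: str) -> List[str]:
    """Split a Userinit value into its comma-separated entries, dropping empties.

    Winlogon runs every entry in turn, so persistence only needs a path appended;
    the infected value above did exactly that after a doubled comma."""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_userinit(value: str) -> List[Finding]:
    """Return one finding per Userinit entry whose file name is not userinit.exe."""
    findings = []
    for entry in parse_userinit(value):
        # Accept both single and REGEDIT4-style doubled backslashes.
        base = entry.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
        if base != EXPECTED_USERINIT:
            findings.append(Finding("userinit_extra", entry))
    return findings


def check_service(line: str) -> Optional[Finding]:
    """Flag a service line whose image file ComboFix could not find ("[?]")."""
    m = SERVICE_RE.match(line)
    if m is None or m.group("info").strip() != "?":
        return None
    return Finding("service_missing_file", f"{m.group('name')} -> {m.group('path')}")


def scan_log(text: str) -> List[Finding]:
    """Walk the log once, applying both checks line by line."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = USERINIT_RE.match(line)
        if m:
            findings.extend(check_userinit(m.group("value")))
            continue
        service_finding = check_service(line)
        if service_finding:
            findings.append(service_finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.kind}: {f.detail}")
```

Run as a script it prints one line per finding; on the constructed sample that is the desktoplayer.exe entry and the opwqv service. A clean value such as `c:\windows\system32\userinit.exe,` (the one the CFScript restores) produces no Userinit finding, and a service line with a real timestamp and size in the brackets is left alone.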

It appears that a .dll for QuickBooks is missing and the program won't load, and I am still being redirected to bogus sites when loading IE.

ComboFix 11-01-16.04 - Compaq_Owner 01/17/2011 9:27.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.613 [GMT -5:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\cfscript.txt

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\program files\microsoft\desktoplayer.exe"

"c:\windows\system32\drivers\ndxkb.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll

c:\documents and settings\Compaq_Owner\Local Settings\temp\IadHide5.dll

c:\program files\Internet Explorer\dmlconf.dat

c:\program files\microsoft\desktoplayer.exe

c:\windows\ExplorerSrv.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_opwqv

((((((((((((((((((((((((( Files Created from 2010-12-17 to 2011-01-17 )))))))))))))))))))))))))))))))

.

2011-01-17 14:03 . 2011-01-17 14:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-01-14 18:02 . 2011-01-14 18:02 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Avira

2011-01-14 17:26 . 2011-01-17 13:56 -------- d-----w- c:\windows\system32\NtmsData

2011-01-14 17:02 . 2010-12-13 13:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-01-14 17:02 . 2010-12-13 13:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-01-14 17:02 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-01-14 17:02 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-01-14 17:02 . 2011-01-14 17:02 -------- d-----w- c:\program files\Avira

2011-01-14 17:02 . 2011-01-14 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-01-14 16:20 . 2011-01-14 16:20 -------- d-----w- c:\program files\WOT

2011-01-14 16:19 . 2011-01-14 16:19 -------- d-----w- c:\program files\MSN Toolbar

2011-01-14 16:19 . 2011-01-14 16:19 -------- d-----w- c:\program files\Microsoft Silverlight

2011-01-14 16:18 . 2011-01-14 16:19 -------- d-----w- c:\program files\MSN Toolbar Installer

2011-01-14 16:18 . 2011-01-14 16:18 -------- d-----w- c:\program files\WOT Services

2011-01-14 16:17 . 2005-04-04 04:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll

2011-01-14 16:17 . 2005-04-04 03:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe

2011-01-14 16:17 . 2005-04-04 03:57 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll

2011-01-14 16:17 . 2011-01-14 16:17 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll

2011-01-14 16:17 . 2011-01-14 16:17 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll

2011-01-14 15:21 . 2011-01-14 15:21 1409 ----a-w- c:\windows\QTFont.for

2011-01-13 18:02 . 2011-01-13 18:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2011-01-13 17:47 . 2011-01-13 17:47 -------- d-----w- c:\program files\Yontoo Layers Client

2011-01-13 17:47 . 2011-01-13 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer

2011-01-13 16:46 . 2011-01-13 16:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes

2011-01-13 16:46 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-01-13 16:45 . 2011-01-13 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-01-13 16:45 . 2011-01-13 16:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-01-13 16:45 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-01-13 15:13 . 2011-01-13 15:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-14 17:44 . 2010-10-28 14:00 4194304 ----a-w- c:\windows\system32\cdintf400.dll

2010-11-18 18:12 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-11-02 13:25 . 2010-11-02 13:25 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll

2010-11-02 13:25 . 2010-11-02 13:25 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe

2010-11-02 13:25 . 2010-11-02 13:25 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe

2010-11-02 13:25 . 2010-11-02 13:25 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll

2010-11-02 13:25 . 2010-11-02 13:25 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll

2010-11-02 13:25 . 2010-11-02 13:25 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll

2010-11-02 13:25 . 2010-11-02 13:25 287310 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection.dll

2010-11-02 13:25 . 2010-11-02 13:25 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll

2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

2010-12-20 18:09 191488 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-03 180269]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]

"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0417.0\mswinext.exe" [2010-07-06 240480]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-9-3 36903]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-11-9 1154848]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=

"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/14/2011 12:02 PM 135336]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-17 09:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: SAMSUNG_SP1604N rev.TM100-24 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-12

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x860C6735]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x860cc990]; MOV EAX, [0x860cca0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x861C9AB8]

3 CLASSPNP[0xF7563FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000005f[0x861CB9E8]

5 ACPI[0xF73DA620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8610BD98]

\Driver\atapi[0x861CA160] -> IRP_MJ_CREATE -> 0x860C6735

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }

detected disk devices:

\Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskSAMSUNG_SP1604N_________________________TM100-24#30533331314a5930323939393932202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x860C657B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(620)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3904)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

.

**************************************************************************

.

Completion time: 2011-01-17 09:45:03 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-17 14:44

ComboFix2.txt 2011-01-14 21:45

ComboFix3.txt 2011-01-14 14:37

Pre-Run: 137,224,974,336 bytes free

Post-Run: 137,255,587,840 bytes free

- - End Of File - - 08AED2066C23BF0E975C6E9804B4D9FF


Now CF is showing a possible RootKit: Warning: possible TDL3 rootkit infection !

Next:

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.

Also please describe how your computer behaves at the moment.


It says it did not find anything, and no change. My Avira did happen to pop up, before I disabled it to run the scan, saying there was a Ramnit.A virus.

2011/01/17 15:54:37.0484 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44

2011/01/17 15:54:37.0484 ================================================================================

2011/01/17 15:54:37.0484 SystemInfo:

2011/01/17 15:54:37.0484

2011/01/17 15:54:37.0484 OS Version: 5.1.2600 ServicePack: 3.0

2011/01/17 15:54:37.0484 Product type: Workstation

2011/01/17 15:54:37.0484 ComputerName: DAYDREAMERS

2011/01/17 15:54:37.0484 UserName: Compaq_Owner

2011/01/17 15:54:37.0484 Windows directory: C:\WINDOWS

2011/01/17 15:54:37.0484 System windows directory: C:\WINDOWS

2011/01/17 15:54:37.0484 Processor architecture: Intel x86

2011/01/17 15:54:37.0484 Number of processors: 1

2011/01/17 15:54:37.0484 Page size: 0x1000

2011/01/17 15:54:37.0484 Boot type: Normal boot

2011/01/17 15:54:37.0484 ================================================================================

2011/01/17 15:54:38.0031 Initialize success

2011/01/17 15:54:39.0515 ================================================================================

2011/01/17 15:54:39.0515 Scan started

2011/01/17 15:54:39.0515 Mode: Manual;

2011/01/17 15:54:39.0515 ================================================================================

2011/01/17 15:54:41.0859 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/01/17 15:54:42.0046 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/01/17 15:54:42.0593 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/01/17 15:54:42.0890 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2011/01/17 15:54:43.0140 AgereSoftModem (34f27c7d71f1c49c7d3857f28b42f544) C:\WINDOWS\system32\DRIVERS\AGRSM.sys

2011/01/17 15:54:44.0640 ALCXWDM (781c5ec517c53f5214b61253b20c13c4) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2011/01/17 15:54:45.0515 Scan interrupted by user!

2011/01/17 15:54:45.0515 Scan interrupted by user!

2011/01/17 15:54:45.0515 ================================================================================

2011/01/17 15:54:45.0515 Scan finished

2011/01/17 15:54:45.0515 ================================================================================

2011/01/17 15:54:47.0625 ================================================================================

2011/01/17 15:54:47.0625 Scan started

2011/01/17 15:54:47.0625 Mode: Manual;

2011/01/17 15:54:47.0625 ================================================================================

2011/01/17 15:54:48.0593 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/01/17 15:54:48.0906 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/01/17 15:54:49.0156 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/01/17 15:54:49.0328 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2011/01/17 15:54:49.0515 AgereSoftModem (34f27c7d71f1c49c7d3857f28b42f544) C:\WINDOWS\system32\DRIVERS\AGRSM.sys

2011/01/17 15:54:50.0093 ALCXWDM (781c5ec517c53f5214b61253b20c13c4) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2011/01/17 15:54:50.0453 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys

2011/01/17 15:54:50.0703 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/01/17 15:54:51.0156 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/01/17 15:54:51.0375 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/01/17 15:54:51.0718 ati2mtag (b33a281dcdf455b069816790275050a7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/01/17 15:55:31.0109 ================================================================================

2011/01/17 15:55:31.0109 Scan finished

2011/01/17 15:55:31.0109 ================================================================================


If you have a Ramnit.A virus, there's no cure for it other than a reformat/install.

Courtesy Broni

Win32/Ramnit is a file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A / B, which is dropped by a Ramnit-infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

Understanding virus names

Threat aliases for Win32/Ramnit.A / B

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a sm


Glad we could help. :lol:

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
