Greetings and thanks a lot in advance for your time,

A friend highly recommended I try and save my PC rather than give up on it by trying YOUR forum. Have tried many different programs (Mbam, superantispyware, norton, spybot - you name it) to no avail over the past couple months (to the point that I can't really use the computer unless it's in SafeMode, and minimally).

The first symptom, a couple months ago now, was a very slow running computer and something trying to access my email, then my browsers (IE and Firefox) both started redirecting me when I'd click on a link. Thought it might be Vundo, but whatever it/they are, it wouldn't even let me launch Mbam, so I renamed the mbam .exe and fooled it, and cleaned everything it found, numerous times. But no matter the removal program, it finds a few things (like trojan agents) and removes/cleans them, but it NEVER goes away for long. I am not a computer novice and have tried solving it myself, to no avail.

I'm running Win XP SP2 on this Emachine and am currently only able to run in SafeMode w/networking (trying to run normally takes FOREVER to launch the OS and is way too slow to be of any real use, and it appears much more successful in replicating itself in the PC and occasionally trying to send out emails).

Your help is greatly appreciated - by my children especially!

Thanks

Running DDS now...but here is the result of MalwareBytes scan:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5575

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18702

1/22/2011 9:03:34 PM

mbam-log-2011-01-22 (21-03-27).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 316924

Time elapsed: 51 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\my backup -- 06-09-07 1945\program files\Ahead\Nero\keygen.exe (RiskWare.Tool.CK) -> No action taken.

...And here is the DDS.txt result

Thanks again

DDS (Ver_09-06-26.01) - NTFSx86 NETWORK

Run by Owner at 21:12:25.20 on Sat 01/22/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.15 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearchAssistant = hxxp://www.google.com/ie

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\ad81e9db-2d18-4727-a2e9-f48a8e48a563.com

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [CHotkey] zHotkey.exe

mRun: [showWnd] ShowWnd.exe

mRun: [sunKistEM] c:\program files\digital media reader\shwiconem.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [sNM] c:\program files\spynomore\SNM.exe /startup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRun: [slurhlkb] c:\documents and settings\networkservice\local settings\application data\xetbrlrsq\lpovnudtssd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\documents and settings\all users\start menu\programs\startup\run_startmenu.cmd

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{3e5562ed-69ab-4cec-91e2-64e18ec5acc6}\Icon3E5562ED7.ico

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab

DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/binary/MJSS.cab69309.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://coolsavings.coupons.smartsource.com/download/cscmv5X.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: cryptnet32 - cryptnet32.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 qomkkh.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\vq13gnne.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/pacman/

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\vq13gnne.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\vq13gnne.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\vq13gnne.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgba3a4f16a", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgba3a4fra", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", "-1");

c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); // now unused

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.delay", 50);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-8-2 30320]

R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-8-2 24400]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]

S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]

S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]

S2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-8-2 6384592]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]

S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-8-2 61752]

S2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]

S2 SeaPort;SeaPort;"c:\program files\microsoft\search enhancement pack\seaport\seaport.exe" --> c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [?]

S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101204.002\naveng.sys [2010-12-4 86064]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101204.002\navex15.sys [2010-12-4 1371184]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-26 14336]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]

=============== Created Last 30 ================

2011-01-02 16:14 54,156 a---h--- c:\windows\QTFont.qfn

2011-01-02 16:14 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2010-12-31 09:57 68,120 a------- c:\windows\system32\PxSecure.dll

2010-12-31 09:57 61,752 a------- c:\windows\system32\drivers\pxrts.sys

2010-12-31 09:57 30,320 a------- c:\windows\system32\drivers\pxscan.sys

2010-12-31 09:57 24,400 a------- c:\windows\system32\drivers\pxkbf.sys

2010-12-23 18:49 9,953,832 a------- C:\SUPERAntiSpyware.exe

2010-12-20 18:09 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 18:08 20,952 a------- c:\windows\system32\drivers\mbam.sys

2009-11-18 11:15 66,368 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 21:13:44.23 ===============

  • Staff

Hi,

Please see:

HijackThis Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos, etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

This applies to your Nero software and anything else you have installed that falls under that criteria.

Wow - this is a surprise...I can assure you that I don't know the first thing about keygens, cracks, warez. I do not copy/sell software, etc! I used this Nero program to back up my computer files, mostly pictures/home videos, more than a year ago to DVDs. I do not use it for anything else. I tried uninstalling it (in SafeMode) and it is not allowing me to do so. I can try to reboot the machine normally and try to remove it again. I have other programs that I could use to back up files to DVD.

Help/advice is appreciated. thanks

  • Staff

Hi,

Don't worry about it for now. Update MBAM, run a Quick Scan, and post its log. Remove anything if found.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Ensure that Word Wrap is off in Notepad before submitting the logs.

-screen317

  • 2 weeks later...

Here is the MalwareBytes log (no items detected):

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5652

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18702

2/2/2011 10:41:48 PM

mbam-log-2011-02-02 (22-41-48).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 314680

Time elapsed: 48 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix 11-02-07.01 - Owner 02/07/2011 19:01:46.1.1 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.203 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\Local Settings\Application Data\Desktop Cleanup Wizard

C:\setup.exe

c:\windows\Downloaded Program Files\CpnMgr.dll

c:\windows\Readme.txt

.

((((((((((((((((((((((((( Files Created from 2011-01-08 to 2011-02-08 )))))))))))))))))))))))))))))))

.

No new files created in this timespan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-02 23:14 . 2011-01-02 23:14 1409 ----a-w- c:\windows\QTFont.for

2010-12-31 16:57 . 2010-08-03 03:59 68120 ----a-w- c:\windows\system32\PxSecure.dll

2010-12-31 16:57 . 2010-08-03 03:59 61752 ----a-w- c:\windows\system32\drivers\pxrts.sys

2010-12-31 16:57 . 2010-08-03 03:59 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys

2010-12-31 16:57 . 2010-08-03 03:59 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys

2010-12-24 01:49 . 2010-12-24 01:49 9953832 ----a-w- C:\SUPERAntiSpyware.exe

2010-12-21 01:09 . 2010-08-03 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 01:08 . 2010-08-03 04:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

------- Sigcheck -------

Cryptography Services Error !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-08 68856]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\ad81e9db-2d18-4727-a2e9-f48a8e48a563.com" [2011-01-19 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"CHotkey"="zHotkey.exe" [2004-05-18 543232]

"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]

"SoundMan"="SOUNDMAN.EXE" [2004-11-16 77824]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-10 113664]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

run_startmenu.cmd [2004-10-11 45]

VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2007-9-8 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk

backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-06-29 12:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]

2005-05-23 16:57 90112 ------w- c:\program files\Common Files\Ulead Systems\Autodetector\Monitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-08-03 6384592]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-25 135664]

R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2004-08-04 14336]

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]

R3 vaxscsi;vaxscsi;c:\windows\System32\Drivers\vaxscsi.sys [2007-11-02 223128]

S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-12-31 30320]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2007-11-02 642560]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]

S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-12-31 61752]

S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-12-31 24400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb73bb30939cd0.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-25 02:37]

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-25 02:37]

2007-09-07 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-09-07 00:26]

2010-12-26 c:\windows\Tasks\User_Feed_Synchronization-{7B2C85CF-6B05-4E00-A1A9-100921A2D66D}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vq13gnne.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/pacman/

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: Microsoft Choice Guard: ChoiceGuard@Microsoft - %profile%\extensions\ChoiceGuard@Microsoft

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}

FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

FF - Ext: vShare: vshareus@toolbar - %profile%\extensions\vshareus@toolbar

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe

MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-07 19:23

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD1600BB-22GUA0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort4 P4T0L0-1f

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe >>UNKNOWN [0x835D6C78]<<

_asm { MOV EAX, 0x835d6b98; XCHG [ESP], EAX; PUSH EAX; PUSH 0x835dca74; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }

1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x835669C0]

\Driver\Disk[0x8351E138] -> IRP_MJ_CREATE -> 0x835D6C78

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }

detected disk devices:

\Device\Ide\IdeDeviceP4T0L0-1f -> \??\IDE#DiskWDC_WD1600BB-22GUA0_____________________08.02D08#5&df90ce5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\Disk -> 0x835d6c78

\Driver\atapi DriverStartIo -> 0x83474AEA

user & kernel MBR OK

sectors 312581806 (+255): user != kernel

Warning: possible TDL3 rootkit infection !

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

.

**************************************************************************

.

Completion time: 2011-02-07 19:25:56 - machine was rebooted

ComboFix-quarantined-files.txt 2011-02-08 02:25

Pre-Run: 28,490,903,552 bytes free

Post-Run: 28,959,723,520 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D6ADC5E05AD60F6C4A0567995D04F271


  • Staff

Hi,

You will need to respond in a more timely fashion, otherwise your thread may be closed.

Because of the large gap, please update MBAM, run a Quick Scan, and post its log.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log name is like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.


Thanks again. Here is the new Mbam quick scan log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5718

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18702

2/9/2011 12:33:53 AM

mbam-log-2011-02-09 (00-33-53).txt

Scan type: Quick scan

Objects scanned: 151643

Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)



Here is the TDSSKiller log you requested. The browser redirect is still occurring, though I am about to attempt a reboot of this machine at the TDSSKiller prompt... thanks again

2011/02/09 00:36:08.0890 1612 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03

2011/02/09 00:36:09.0265 1612 ================================================================================

2011/02/09 00:36:09.0265 1612 SystemInfo:

2011/02/09 00:36:09.0265 1612

2011/02/09 00:36:09.0265 1612 OS Version: 5.1.2600 ServicePack: 2.0

2011/02/09 00:36:09.0265 1612 Product type: Workstation

2011/02/09 00:36:09.0265 1612 ComputerName: EMACHINE

2011/02/09 00:36:09.0265 1612 UserName: Owner

2011/02/09 00:36:09.0265 1612 Windows directory: C:\WINDOWS

2011/02/09 00:36:09.0265 1612 System windows directory: C:\WINDOWS

2011/02/09 00:36:09.0265 1612 Processor architecture: Intel x86

2011/02/09 00:36:09.0265 1612 Number of processors: 1

2011/02/09 00:36:09.0265 1612 Page size: 0x1000

2011/02/09 00:36:09.0265 1612 Boot type: Safe boot with network

2011/02/09 00:36:09.0265 1612 ================================================================================

2011/02/09 00:36:09.0828 1612 Initialize success

2011/02/09 00:36:14.0375 1008 ================================================================================

2011/02/09 00:36:14.0375 1008 Scan started

2011/02/09 00:36:14.0375 1008 Mode: Manual;

2011/02/09 00:36:14.0375 1008 ================================================================================

2011/02/09 00:36:16.0359 1008 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2011/02/09 00:36:16.0437 1008 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/02/09 00:36:16.0640 1008 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/02/09 00:36:16.0703 1008 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2011/02/09 00:36:16.0781 1008 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys

2011/02/09 00:36:17.0015 1008 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

2011/02/09 00:36:17.0250 1008 agp440 (6e56cff4fb2bdba31a332841d15c008c) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/02/09 00:36:17.0265 1008 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\agp440.sys. Real md5: 6e56cff4fb2bdba31a332841d15c008c, Fake md5: 2c428fa0c3e3a01ed93c9b2a27d8d4bb

2011/02/09 00:36:17.0281 1008 agp440 - detected Rootkit.Win32.TDSS.tdl3 (0)

2011/02/09 00:36:17.0500 1008 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2011/02/09 00:36:17.0531 1008 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2011/02/09 00:36:17.0562 1008 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2011/02/09 00:36:17.0609 1008 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2011/02/09 00:36:17.0750 1008 ALCXWDM (933933288df5ed26d1928215c97d05c7) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2011/02/09 00:36:18.0062 1008 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2011/02/09 00:36:18.0109 1008 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2011/02/09 00:36:18.0140 1008 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2011/02/09 00:36:18.0171 1008 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2011/02/09 00:36:18.0234 1008 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/02/09 00:36:18.0296 1008 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2011/02/09 00:36:18.0328 1008 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2011/02/09 00:36:18.0359 1008 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2011/02/09 00:36:18.0406 1008 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys

2011/02/09 00:36:18.0500 1008 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/02/09 00:36:18.0562 1008 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/02/09 00:36:18.0718 1008 ati2mtag (dcd26b36ce305b718e2f1c56c19df668) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/02/09 00:36:18.0953 1008 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/02/09 00:36:19.0093 1008 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/02/09 00:36:19.0156 1008 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/02/09 00:36:19.0218 1008 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2011/02/09 00:36:19.0250 1008 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/02/09 00:36:19.0312 1008 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/02/09 00:36:19.0390 1008 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2011/02/09 00:36:19.0421 1008 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/02/09 00:36:19.0468 1008 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/02/09 00:36:19.0625 1008 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/02/09 00:36:19.0890 1008 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2011/02/09 00:36:20.0109 1008 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2011/02/09 00:36:20.0203 1008 CVirtA (cb7d7c0e74adcb7da96d08ec8db86062) C:\WINDOWS\system32\DRIVERS\CVirtA.sys

2011/02/09 00:36:20.0281 1008 CVPNDRVA (9aa4fda3bfc69e8332276a0a62af86d2) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys

2011/02/09 00:36:20.0500 1008 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2011/02/09 00:36:20.0718 1008 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2011/02/09 00:36:20.0781 1008 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/02/09 00:36:20.0906 1008 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2011/02/09 00:36:21.0140 1008 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

2011/02/09 00:36:21.0328 1008 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/02/09 00:36:21.0390 1008 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2011/02/09 00:36:21.0453 1008 DNE (c86fbf607445bf693450d84b775f168c) C:\WINDOWS\system32\DRIVERS\dne2000.sys

2011/02/09 00:36:21.0671 1008 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2011/02/09 00:36:21.0734 1008 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/02/09 00:36:21.0890 1008 eeCtrl (47ce4e650d91dc095a2fddb15631a78a) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

2011/02/09 00:36:22.0156 1008 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/02/09 00:36:22.0375 1008 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/02/09 00:36:22.0437 1008 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2011/02/09 00:36:22.0468 1008 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/02/09 00:36:22.0546 1008 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2011/02/09 00:36:22.0765 1008 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/02/09 00:36:22.0812 1008 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/02/09 00:36:22.0875 1008 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

2011/02/09 00:36:23.0015 1008 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/02/09 00:36:23.0218 1008 grmnusb (cd007d03a9284bfe67d49c01213132bf) C:\WINDOWS\system32\drivers\grmnusb.sys

2011/02/09 00:36:23.0296 1008 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/02/09 00:36:23.0546 1008 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2011/02/09 00:36:23.0609 1008 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2011/02/09 00:36:23.0687 1008 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2011/02/09 00:36:23.0734 1008 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2011/02/09 00:36:23.0796 1008 HSFHWBS2 (33dfc0afa95f9a2c753ff2adb7d4a21f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys

2011/02/09 00:36:24.0031 1008 HSF_DP (b2dfc168d6f7512faea085253c5a37ad) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

2011/02/09 00:36:24.0265 1008 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/02/09 00:36:24.0500 1008 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys

2011/02/09 00:36:24.0703 1008 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2011/02/09 00:36:24.0750 1008 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/02/09 00:36:24.0796 1008 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/02/09 00:36:24.0843 1008 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2011/02/09 00:36:24.0875 1008 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/02/09 00:36:24.0937 1008 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2011/02/09 00:36:25.0156 1008 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/02/09 00:36:25.0203 1008 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/02/09 00:36:25.0265 1008 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/02/09 00:36:25.0484 1008 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/02/09 00:36:25.0531 1008 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/02/09 00:36:25.0593 1008 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/02/09 00:36:25.0640 1008 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/02/09 00:36:25.0703 1008 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys

2011/02/09 00:36:25.0921 1008 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/02/09 00:36:26.0203 1008 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/02/09 00:36:26.0265 1008 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/02/09 00:36:26.0500 1008 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

2011/02/09 00:36:26.0531 1008 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/02/09 00:36:26.0578 1008 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/02/09 00:36:26.0625 1008 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2011/02/09 00:36:26.0703 1008 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/02/09 00:36:26.0937 1008 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/02/09 00:36:27.0171 1008 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

2011/02/09 00:36:27.0421 1008 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/02/09 00:36:27.0625 1008 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/02/09 00:36:27.0671 1008 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/02/09 00:36:27.0734 1008 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/02/09 00:36:27.0812 1008 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/02/09 00:36:27.0875 1008 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

2011/02/09 00:36:28.0078 1008 mxnic (e1cdf20697d992cf83ff86dd04df1285) C:\WINDOWS\system32\DRIVERS\mxnic.sys

2011/02/09 00:36:28.0140 1008 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/02/09 00:36:28.0328 1008 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110119.003\naveng.sys

2011/02/09 00:36:28.0406 1008 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110119.003\navex15.sys

2011/02/09 00:36:28.0656 1008 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

2011/02/09 00:36:28.0859 1008 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/02/09 00:36:28.0921 1008 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/02/09 00:36:28.0953 1008 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/02/09 00:36:29.0171 1008 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/02/09 00:36:29.0203 1008 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/02/09 00:36:29.0218 1008 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/02/09 00:36:29.0265 1008 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/02/09 00:36:29.0531 1008 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/02/09 00:36:29.0734 1008 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2011/02/09 00:36:29.0812 1008 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/02/09 00:36:30.0062 1008 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/02/09 00:36:30.0171 1008 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/02/09 00:36:30.0437 1008 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/02/09 00:36:30.0484 1008 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/02/09 00:36:30.0546 1008 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/02/09 00:36:30.0750 1008 P3 (3e16eff2a6fed2d8d7f5a66dfe65d183) C:\WINDOWS\system32\DRIVERS\p3.sys

2011/02/09 00:36:30.0781 1008 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/02/09 00:36:31.0015 1008 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/02/09 00:36:31.0203 1008 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/02/09 00:36:31.0250 1008 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/02/09 00:36:31.0328 1008 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/02/09 00:36:31.0390 1008 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/02/09 00:36:31.0734 1008 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2011/02/09 00:36:31.0937 1008 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2011/02/09 00:36:32.0031 1008 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/02/09 00:36:32.0078 1008 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys

2011/02/09 00:36:32.0125 1008 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/02/09 00:36:32.0156 1008 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/02/09 00:36:32.0234 1008 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/02/09 00:36:32.0296 1008 pxkbf (02ef37613a26dde544a190fea2e5349f) C:\WINDOWS\system32\drivers\pxkbf.sys

2011/02/09 00:36:32.0359 1008 pxrts (3c666cd6cfa88f2495167bbcc5c01ccd) C:\WINDOWS\system32\drivers\pxrts.sys

2011/02/09 00:36:32.0406 1008 pxscan (307463334ece09e07136f8f6c9b9819e) C:\WINDOWS\system32\drivers\pxscan.sys

2011/02/09 00:36:32.0468 1008 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2011/02/09 00:36:32.0500 1008 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2011/02/09 00:36:32.0531 1008 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2011/02/09 00:36:32.0562 1008 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2011/02/09 00:36:32.0593 1008 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2011/02/09 00:36:32.0640 1008 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/02/09 00:36:32.0687 1008 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/02/09 00:36:32.0734 1008 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/02/09 00:36:32.0781 1008 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/02/09 00:36:32.0843 1008 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/02/09 00:36:33.0062 1008 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/02/09 00:36:33.0125 1008 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/02/09 00:36:33.0328 1008 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/02/09 00:36:33.0390 1008 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/02/09 00:36:33.0500 1008 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2011/02/09 00:36:33.0625 1008 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

2011/02/09 00:36:33.0687 1008 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

2011/02/09 00:36:33.0781 1008 SAVRT (c8023be4dda22a52cd2f60d9cb9b3985) C:\Program Files\Symantec AntiVirus\savrt.sys

2011/02/09 00:36:33.0828 1008 SAVRTPEL (30547fd7692dc799a0b397b2b918a158) C:\Program Files\Symantec AntiVirus\Savrtpel.sys

2011/02/09 00:36:34.0046 1008 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/02/09 00:36:34.0125 1008 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/02/09 00:36:34.0156 1008 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/02/09 00:36:34.0203 1008 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/02/09 00:36:34.0328 1008 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2011/02/09 00:36:34.0390 1008 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/02/09 00:36:34.0468 1008 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2011/02/09 00:36:34.0531 1008 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys

2011/02/09 00:36:34.0625 1008 sptd (d2f8c44f77504bd2a469638e6426d86e) C:\WINDOWS\system32\Drivers\sptd.sys

2011/02/09 00:36:34.0625 1008 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d2f8c44f77504bd2a469638e6426d86e

2011/02/09 00:36:34.0640 1008 sptd - detected Locked file (1)

2011/02/09 00:36:34.0843 1008 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/02/09 00:36:34.0937 1008 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/02/09 00:36:35.0156 1008 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/02/09 00:36:35.0218 1008 SunkFilt (86ca1a5c15a5a98d5533945fb1120b05) C:\WINDOWS\System32\Drivers\sunkfilt.sys

2011/02/09 00:36:35.0296 1008 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/02/09 00:36:35.0359 1008 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2011/02/09 00:36:35.0437 1008 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2011/02/09 00:36:35.0468 1008 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2011/02/09 00:36:35.0609 1008 SymEvent (42123611a49c33536ab29bdd852a9f5e) C:\Program Files\Symantec\SYMEVENT.SYS

2011/02/09 00:36:35.0828 1008 SYMREDRV (145eaae477f5b56f2621956150a143b0) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

2011/02/09 00:36:35.0906 1008 SYMTDI (926efafc087d356bba50bdf6e640bc13) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

2011/02/09 00:36:36.0125 1008 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2011/02/09 00:36:36.0156 1008 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2011/02/09 00:36:36.0218 1008 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/02/09 00:36:36.0328 1008 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/02/09 00:36:36.0531 1008 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/02/09 00:36:36.0593 1008 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/02/09 00:36:36.0640 1008 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/02/09 00:36:36.0703 1008 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2011/02/09 00:36:36.0765 1008 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2011/02/09 00:36:36.0828 1008 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2011/02/09 00:36:36.0875 1008 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

2011/02/09 00:36:37.0109 1008 USBAAPL (7c9f1503245402b01c79bdfa8731cb2a) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/02/09 00:36:37.0187 1008 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys

2011/02/09 00:36:37.0390 1008 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/02/09 00:36:37.0437 1008 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/02/09 00:36:37.0500 1008 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/02/09 00:36:37.0562 1008 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/02/09 00:36:37.0640 1008 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/02/09 00:36:37.0703 1008 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/02/09 00:36:37.0765 1008 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/02/09 00:36:37.0828 1008 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/02/09 00:36:37.0890 1008 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys

2011/02/09 00:36:37.0953 1008 vaxscsi (92cebc2bc7be2c8d49391b365569f306) C:\WINDOWS\System32\Drivers\vaxscsi.sys

2011/02/09 00:36:38.0171 1008 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2011/02/09 00:36:38.0375 1008 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2011/02/09 00:36:38.0421 1008 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys

2011/02/09 00:36:38.0468 1008 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/02/09 00:36:38.0562 1008 vsdatant (d658e49302c382b88c8e9a08e20b2e82) C:\WINDOWS\system32\vsdatant.sys

2011/02/09 00:36:38.0781 1008 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/02/09 00:36:38.0937 1008 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/02/09 00:36:39.0031 1008 winachsf (2dc7c0b6175a0a8ed84a4f70199c93b5) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/02/09 00:36:39.0343 1008 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/02/09 00:36:39.0437 1008 ================================================================================

2011/02/09 00:36:39.0437 1008 Scan finished

2011/02/09 00:36:39.0437 1008 ================================================================================

2011/02/09 00:36:39.0468 1868 Detected object count: 2

2011/02/09 00:37:34.0093 1868 agp440 (6e56cff4fb2bdba31a332841d15c008c) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/02/09 00:37:34.0093 1868 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\agp440.sys. Real md5: 6e56cff4fb2bdba31a332841d15c008c, Fake md5: 2c428fa0c3e3a01ed93c9b2a27d8d4bb

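An editor's worked example, added here and not code from anyone in this thread or from TDSSKiller: a small Python parser that reads a TDSSKiller driver-scan log like the one above, records every driver with its MD5 and path, and pulls out the entries the scanner raised a verdict on (NoAccess, Locked, Forged) together with the hashes worth looking up on VirusTotal. The sample lines are copied from the log posted above; the line formats the regular expressions match are my reading of that log and are assumed, not verified, to hold for other logs from the same TDSSKiller version.

```python
"""Triage a TDSSKiller driver-scan log.

Editor's added example; not part of this thread or of TDSSKiller.  The regular
expressions below describe the line formats seen in the log posted above and are
assumed (not verified) to hold for other logs of the same TDSSKiller version.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: lines copied from the TDSSKiller log posted in this thread.
SAMPLE_LOG = """\
2011/02/09 00:36:34.0625 1008 sptd (d2f8c44f77504bd2a469638e6426d86e) C:\\WINDOWS\\system32\\Drivers\\sptd.sys
2011/02/09 00:36:34.0625 1008 Suspicious file (NoAccess): C:\\WINDOWS\\system32\\Drivers\\sptd.sys. md5: d2f8c44f77504bd2a469638e6426d86e
2011/02/09 00:36:34.0640 1008 sptd - detected Locked file (1)
2011/02/09 00:36:36.0328 1008 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\\WINDOWS\\system32\\DRIVERS\\tcpip.sys
2011/02/09 00:36:39.0437 1008 Scan finished
2011/02/09 00:36:39.0468 1868 Detected object count: 2
2011/02/09 00:37:34.0093 1868 agp440 (6e56cff4fb2bdba31a332841d15c008c) C:\\WINDOWS\\system32\\DRIVERS\\agp440.sys
2011/02/09 00:37:34.0093 1868 Suspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\agp440.sys. Real md5: 6e56cff4fb2bdba31a332841d15c008c, Fake md5: 2c428fa0c3e3a01ed93c9b2a27d8d4bb
"""

# Every log line starts with a timestamp and the id of the thread that wrote it.
_PREFIX = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
_DRIVER = re.compile(_PREFIX + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>\S.*)$")
_SUSPECT = re.compile(_PREFIX + r"Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+?)\. (?P<hashes>.*)$")
_LOCKED = re.compile(_PREFIX + r"(?P<name>\S+) - detected Locked file")
_COUNT = re.compile(_PREFIX + r"Detected object count: (?P<n>\d+)")
_HASH = re.compile(r"(?P<label>Real md5|Fake md5|md5): (?P<md5>[0-9a-f]{32})")


@dataclass
class DriverEntry:
    name: str
    path: str
    md5: str = ""                    # hash of the bytes TDSSKiller read from disk ("Real md5")
    fake_md5: Optional[str] = None   # second, differing hash reported for a Forged file
    flags: List[str] = field(default_factory=list)   # e.g. ["NoAccess", "Locked"] or ["Forged"]


@dataclass
class ScanReport:
    drivers: Dict[str, DriverEntry] = field(default_factory=dict)  # keyed by driver name
    detected_count: Optional[int] = None

    def flagged(self) -> List[DriverEntry]:
        """Drivers the scanner raised at least one verdict on, sorted by name."""
        return sorted((d for d in self.drivers.values() if d.flags),
                      key=lambda d: d.name.lower())


def parse_tdsskiller_log(text: str) -> ScanReport:
    report = ScanReport()
    by_path: Dict[str, DriverEntry] = {}   # Windows paths are case-insensitive
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := _SUSPECT.match(line):
            entry = by_path.get(m["path"].lower())
            if entry is None:
                # A verdict on a path with no preceding driver line: keep it, named after the file.
                entry = DriverEntry(name=m["path"].rsplit("\\", 1)[-1], path=m["path"])
                by_path[entry.path.lower()] = entry
                report.drivers[entry.name] = entry
            entry.flags.append(m["reason"])
            for label, md5 in _HASH.findall(m["hashes"]):
                if label == "Fake md5":
                    entry.fake_md5 = md5
                elif not entry.md5:
                    entry.md5 = md5
        elif m := _LOCKED.match(line):
            if (entry := report.drivers.get(m["name"])) is not None:
                entry.flags.append("Locked")
        elif m := _COUNT.match(line):
            report.detected_count = int(m["n"])
        elif m := _DRIVER.match(line):
            entry = DriverEntry(name=m["name"], path=m["path"], md5=m["md5"])
            report.drivers[entry.name] = entry
            by_path[entry.path.lower()] = entry
    return report


def hash_worklist(report: ScanReport) -> List[str]:
    """MD5s to look up on a multi-engine service such as VirusTotal: the on-disk hash of
    every flagged driver plus, for Forged files, the second hash the scanner saw."""
    hashes: List[str] = []
    for d in report.flagged():
        for h in (d.md5, d.fake_md5):
            if h and h not in hashes:
                hashes.append(h)
    return hashes


def summary_lines(report: ScanReport) -> List[str]:
    lines = [f"{len(report.drivers)} drivers listed, {report.detected_count} objects detected"]
    for d in report.flagged():
        lines.append(f"  {d.name:<10} {', '.join(d.flags):<18} {d.path}")
        if d.fake_md5:
            lines.append(f"  {'':<10} on-disk md5 {d.md5}, differing md5 {d.fake_md5}")
    return lines


if __name__ == "__main__":
    print("\n".join(summary_lines(parse_tdsskiller_log(SAMPLE_LOG))))
```

The Forged verdict is the one to read carefully: the scanner obtained two different hashes for the same file, which is what a driver that filters file reads looks like from user mode. On the usual reading of that verdict (the Real hash from a raw disk read, the Fake hash from the normal file API) the copy a user uploads through Explorer is the clean-looking one, which is consistent with the 0/43 VirusTotal result reported later in this thread. Looking up both hashes, as hash_worklist does, costs nothing and avoids that blind spot.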

Hi,

Before we continue, please go to VirusTotal, and upload the following file for analysis:

C:\WINDOWS\system32\DRIVERS\agp440.sys

Post the results in your reply.

Do you have your Windows CD?

Hello and thanks again. The results of the virustotal.com scan were:

File name: AGP440.SYS

Submission date: 2011-02-10 04:04:03 (UTC)

Current status: queued queued analysing finished

Result: 0/ 43 (0.0%)

(there were no virustotal community users who rated this file.)

I do not have a Windows CD that I'm aware of that came w/my Emachine. What I thought were my Emachine system/reinstallation discs, upon opening the package for the first time ever tonight, turn out to be just blank CD-Rs with which I was intended to create a system restoration set. I obviously did not...sigh. The "D:" partition is supposed to be a backup partition, though I've never tried accessing it.

Incidentally, I booted the PC in Normal mode today for the first time and Prevx AV ran an autoscan upon boot and did not report finding malicious items.

I then ran another Malwarebytes quick scan tonight which also detected no malicious items.

Strangely, when I try to enable my Norton AV (ver 9.0), I get the following error: "Symantec antivirus Auto-protect failed to load."

The malware is also still redirecting my browsers. FWIW, the first sign of malware I noticed was about 6 months ago. Prevx, MBAM and other program scans removed some infected .dll files called "wirepots.dll" "syspol32.dll" and others. Not sure if this helps.

Thanks again very much for all of your help.


Okay, well I rebooted in Normal mode and ran yet another Mbam scan...and this time, found 8 malicious items:

(I will wait to hear from you before I take actions and shut down the PC in the meantime)

------

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5727

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

2/9/2011 11:17:02 PM

mbam-log-2011-02-09 (23-16-34).txt

Scan type: Quick scan

Objects scanned: 153238

Time elapsed: 8 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\temp\DWH34D.tmp (Trojan.FakeAlert) -> No action taken.

c:\WINDOWS\temp\DWH7361.tmp (Trojan.Agent) -> No action taken.

c:\WINDOWS\temp\DWHB53D.tmp (Trojan.Agent) -> No action taken.

c:\WINDOWS\temp\DWHC2BA.tmp (Trojan.Vundo.Gen) -> No action taken.

c:\WINDOWS\temp\DWHC82D.tmp (Trojan.Agent) -> No action taken.

c:\WINDOWS\temp\DWHCB55.tmp (Trojan.Agent) -> No action taken.

c:\WINDOWS\temp\DWHE2F4.tmp (Trojan.Agent) -> No action taken.

c:\WINDOWS\temp\DWHF5B1.tmp (Trojan.Agent) -> No action taken.


Two more developments since you last posted:

1) I felt it best to go ahead and remove the 8 malicious items listed in my last post via MBAM, as the computer is more bogged down than ever (as I can't boot in SafeMode), and it takes over an hour just to start the PC, get a web browser working and actually have time to respond to a post.

2) I have lost the ability to boot the PC in SafeMode. There are only 3 boot options now: some sort of Microsoft recovery?, something that says "do not use" (ComboFix or TDSSKiller added it?) and Win XP Normal boot.

Thanks...look forward to hearing back.


  • Staff

Hi,

My apologies for the delay. Things got mixed up in the forum upgrade. Thankfully everything is normal now.

Stay disconnected from the Internet for the time being. This will prevent the infection from getting worse.

This appears to be a new variant of this infection. Let's see if we can find where it's hiding.

Please run a GMER Rootkit scan:

Download GMER's application from here:

http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

Next, download MBRCheck.exe by a_d_13 and save it to your Desktop.

Run it; when it completes, a log will be available on your Desktop (MBRCheck xxxxxx .txt) where xxxxxx is the time it ran.


My apologies for not being able to reply/post the results - but the PC has not been able to successfully run GMER.exe. It has frozen 2x and also crashed the PC during the scan, after which tonight has been the 1st successful reboot. I am trying yet again to run the apps you requested and will post as soon as (hopefully) I can be successful. Thanks again very much for your help/patience.


I have attempted to run the GMER app 6 times over the past 3 nights, to no avail. The app freezes the machine every time - 2x it crashed the computer. The process does not appear to freeze scanning the same file every time. I did not choose the "show all" checkbox during the scans.

After the first 4 failures, I uninstalled the Prevx and Superantispyware programs as I suspected they might be interfering, but it doesn't seem so. My Symantec application and other (Spybot) similar programs were disabled during all scans.

I'm not sure what to do/try...Would you like me to try running the MBRCheck app?

Thanks again


I also tried renaming the gmer.exe file in case whatever infection it is recognized that name...and again, it would not run more than a minute before freezing up the PC.

Seems the status/display line is always scanning a file in the "C:\windows\system32\drivers" directory when it freezes up though.

Thanks again


  • Staff

Hi,

Try this instead:

Download RootRepeal from one of the following locations and save it to your desktop:

Link 1 Link 2 Link 3

  • Double click rr_DesktopIcon.png to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the rr_Scan.png button
  • In the Select Scan dialog, check:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
      • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

Note: The scan can take some time. DO NOT run any other programs while the scan is running.

  • When the scan is complete, click the rr_SaveReport.png button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead. To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post


Hi,

Next, download MBRCheck.exe by a_d_13 and save it to your Desktop.

Run it; when it completes, a log will be available on your Desktop (MBRCheck xxxxxx .txt) where xxxxxx is the time it ran.

Then grab a fresh copy of ComboFix, run it, and post its log.

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Home Edition

Windows Information: Service Pack 2 (build 2600)

Logical Drives Mask: 0x000003fc

Kernel Drivers (total 171):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806CE000 \WINDOWS\system32\hal.dll

0xF7ABC000 \WINDOWS\system32\KDCOM.DLL

0xF79CC000 \WINDOWS\system32\BOOTVID.dll

0xF73EB000 sptd.sys

0xF7ABE000 \WINDOWS\System32\Drivers\WMILIB.SYS

0xF73D3000 \WINDOWS\System32\Drivers\SPTD0893.SYS

0xF73A5000 ACPI.sys

0xF7394000 pci.sys

0xF75BC000 isapnp.sys

0xF7B84000 pciide.sys

0xF783C000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF7AC0000 aliide.sys

0xF7AC2000 cmdide.sys

0xF7AC4000 toside.sys

0xF7AC6000 viaide.sys

0xF7AC8000 intelide.sys

0xF75CC000 MountMgr.sys

0xF7375000 ftdisk.sys

0xF7844000 PartMgr.sys

0xF75DC000 VolSnap.sys

0xF79D0000 cpqarray.sys

0xF735D000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS

0xF7345000 atapi.sys

0xF79D4000 aha154x.sys

0xF784C000 sparrow.sys

0xF79D8000 symc810.sys

0xF75EC000 aic78xx.sys

0xF79DC000 dac960nt.sys

0xF75FC000 ql10wnt.sys

0xF79E0000 amsint.sys

0xF7854000 asc.sys

0xF79E4000 asc3550.sys

0xF785C000 mraid35x.sys

0xF7864000 i2omp.sys

0xF79E8000 ini910u.sys

0xF760C000 ql1240.sys

0xF761C000 aic78u2.sys

0xF786C000 symc8xx.sys

0xF7874000 sym_hi.sys

0xF787C000 sym_u3.sys

0xF7884000 ABP480N5.SYS

0xF788C000 asc3350p.sys

0xF7ACA000 cd20xrnt.sys

0xF762C000 ultra.sys

0xF732C000 adpu160m.sys

0xF7894000 dpti2o.sys

0xF763C000 ql1080.sys

0xF764C000 ql1280.sys

0xF765C000 ql12160.sys

0xF789C000 perc2.sys

0xF7ACC000 perc2hib.sys

0xF78A4000 hpn.sys

0xF79EC000 cbidf2k.sys

0xF7300000 dac2w2k.sys

0xF766C000 disk.sys

0xF767C000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF72E0000 fltMgr.sys

0xF72CE000 sr.sys

0xF78AC000 PxHelp20.sys

0xF72B7000 KSecDD.sys

0xF722A000 Ntfs.sys

0xF71FD000 NDIS.sys

0xF768C000 sisagp.sys

0xF769C000 viaagp.sys

0xF76AC000 ohci1394.sys

0xF76BC000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xF71E2000 Mup.sys

0xF76CC000 agp440.sys

0xF76DC000 alim1541.sys

0xF76EC000 amdagp.sys

0xF76FC000 agpCPQ.sys

0xF772C000 \SystemRoot\system32\DRIVERS\nic1394.sys

0xF778C000 \SystemRoot\system32\DRIVERS\processr.sys

0xF6FCC000 \SystemRoot\system32\DRIVERS\ati2mtag.sys

0xF6FB8000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xF794C000 \SystemRoot\system32\DRIVERS\usbohci.sys

0xF6F95000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF797C000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xF77AC000 \SystemRoot\system32\DRIVERS\imapi.sys

0xF77BC000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xF77CC000 \SystemRoot\system32\DRIVERS\redbook.sys

0xF6F72000 \SystemRoot\system32\DRIVERS\ks.sys

0xF78E4000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys

0xF6F3C000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys

0xF6E3D000 \SystemRoot\system32\DRIVERS\HSF_DP.sys

0xF6D95000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys

0xF7934000 \SystemRoot\System32\Drivers\Modem.SYS

0xF6B64000 \SystemRoot\system32\drivers\ALCXWDM.SYS

0xF6B40000 \SystemRoot\system32\drivers\portcls.sys

0xF77DC000 \SystemRoot\system32\drivers\drmk.sys

0xF7984000 \SystemRoot\system32\DRIVERS\fdc.sys

0xF77EC000 \SystemRoot\system32\DRIVERS\serial.sys

0xF70BE000 \SystemRoot\system32\DRIVERS\serenum.sys

0xF6B2C000 \SystemRoot\system32\DRIVERS\parport.sys

0xF77FC000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xF79C4000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xF78F4000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xF6A71000 \SystemRoot\system32\DRIVERS\dne2000.sys

0xF7BB5000 \SystemRoot\system32\DRIVERS\audstub.sys

0xF780C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xF70AA000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xF6A5A000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xF781C000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xF782C000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF799C000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xF69F9000 \SystemRoot\system32\DRIVERS\psched.sys

0xF71D2000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xF78EC000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF7904000 \SystemRoot\system32\DRIVERS\raspti.sys

0xF71C2000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF7ADA000 \SystemRoot\system32\DRIVERS\swenum.sys

0xF69C5000 \SystemRoot\system32\DRIVERS\update.sys

0xF7AB4000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xF71B2000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF7182000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xF7AE0000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xF7AE4000 \SystemRoot\System32\Drivers\i2omgmt.SYS

0xF78FC000 \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys

0xEE87B000 \??\C:\Program Files\Symantec\SYMEVENT.SYS

0xF795C000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS

0xF7152000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys

0xF7B36000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF7C1F000 \SystemRoot\System32\Drivers\Null.SYS

0xF7B3A000 \SystemRoot\System32\Drivers\Beep.SYS

0xF79B4000 \SystemRoot\System32\drivers\vga.sys

0xF7B3E000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xF7B42000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xF790C000 \SystemRoot\System32\Drivers\Msfs.SYS

0xF791C000 \SystemRoot\System32\Drivers\Npfs.SYS

0xF70C6000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xEE820000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xEE7C8000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xEE788000 \SystemRoot\System32\Drivers\SYMTDI.SYS

0xEE767000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xF779C000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xEE73F000 \SystemRoot\system32\DRIVERS\netbt.sys

0xF6B1C000 \SystemRoot\system32\DRIVERS\arp1394.sys

0xEE71D000 \SystemRoot\System32\drivers\afd.sys

0xF6B0C000 \SystemRoot\system32\DRIVERS\netbios.sys

0xEE6F2000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xEE683000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF6AEC000 \SystemRoot\System32\Drivers\Fips.SYS

0xEE625000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

0xEE5DA000 \SystemRoot\System32\Drivers\Fastfat.SYS

0xEE5C2000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xF7B4E000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xEE615000 \SystemRoot\System32\drivers\Dxapi.sys

0xF6A32000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xF7C43000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF012000 \SystemRoot\System32\ati2dvag.dll

0xBF04C000 \SystemRoot\System32\ati2cqag.dll

0xBF089000 \SystemRoot\System32\ati3duag.dll

0xBF2BD000 \SystemRoot\System32\ativvaxx.dll

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0xB03BA000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xB00DA000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xF7B2C000 \SystemRoot\System32\Drivers\ASCTRM.SYS

0xB000F000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys

0xB00D2000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys

0xAFC5F000 \SystemRoot\system32\DRIVERS\srv.sys

0xAF1DD000 \SystemRoot\system32\drivers\wdmaud.sys

0xAF7FB000 \SystemRoot\system32\drivers\sysaudio.sys

0xAF252000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xAF171000 \SystemRoot\System32\Drivers\HTTP.sys

0xAF476000 \SystemRoot\System32\Drivers\SYMREDRV.SYS

0xAEAC6000 \SystemRoot\system32\drivers\kmixer.sys

0xF79A4000 \SystemRoot\system32\DRIVERS\RTL8139.SYS

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 46):

0 System Idle Process

4 System

780 C:\WINDOWS\system32\smss.exe

864 csrss.exe

900 C:\WINDOWS\system32\winlogon.exe

956 C:\WINDOWS\system32\services.exe

968 C:\WINDOWS\system32\lsass.exe

1124 C:\WINDOWS\system32\ati2evxx.exe

1152 C:\WINDOWS\system32\svchost.exe

1276 svchost.exe

1372 C:\WINDOWS\system32\svchost.exe

1444 svchost.exe

1588 svchost.exe

248 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

312 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

448 C:\WINDOWS\system32\spoolsv.exe

564 svchost.exe

596 C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

648 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

672 C:\Program Files\Symantec AntiVirus\DefWatch.exe

868 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

1320 C:\WINDOWS\system32\svchost.exe

1488 wdfmgr.exe

1528 alg.exe

2668 C:\WINDOWS\system32\wscntfy.exe

2888 C:\WINDOWS\system32\ati2evxx.exe

692 C:\WINDOWS\explorer.exe

3216 C:\WINDOWS\system32\wuauclt.exe

3520 C:\WINDOWS\zHotkey.exe

3528 C:\Program Files\Digital Media Reader\shwiconEM.exe

2936 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

3564 C:\PROGRA~1\SYMANT~1\VPTray.exe

3460 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

3748 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

2696 C:\WINDOWS\system32\ctfmon.exe

3488 C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

2332 C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe

2400 C:\WINDOWS\system32\searchindexer.exe

820 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

2984 C:\Program Files\Internet Explorer\iexplore.exe

3288 C:\WINDOWS\system32\wuauclt.exe

292 C:\Program Files\Internet Explorer\iexplore.exe

3964 C:\Program Files\Windows Live\Toolbar\wltuser.exe

2664 C:\WINDOWS\system32\searchprotocolhost.exe

1840 searchfilterhost.exe

1356 C:\Documents and Settings\Owner\Desktop\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`f03ad400 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: WDCWD1600BB-22GUA0, Rev: 08.02D08

Size Device Name MBR Status

--------------------------------------------

149 GB \\.\PhysicalDrive0 Gateway MBR code detected

SHA1: 007DADCB3671462B53686F6996D328CFD544ABBD

Done!

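An editor's worked example, not MBRCheck's own code and not anything posted in this thread: what a check like the one in the log above does, written out in Python. It validates the 0x55AA boot signature, parses the four partition entries (the "at offset 0x..." values MBRCheck printed are each partition's starting LBA times 512), hashes the boot-code region and compares the hash to a table of known MBR code. The thread does not say how many bytes MBRCheck hashes or what its table of known OEM code contains, so both are assumptions here: this example hashes the first 440 bytes and the known-code table is supplied by the caller. The sample sector is constructed; it borrows the thread's partition offsets only for shape, and its boot code is filler.

```python
"""Inspect a raw MBR sector the way an MBRCheck-style tool does.

Editor's added example; not MBRCheck's code and not from anyone in this thread.
Layout rules (partition table at byte 446, 16-byte entries, 0x55AA at the end) are
the standard MBR format.  Hashing exactly the first 440 bytes is an assumption made
here; the table of known-good hashes is supplied by the caller, not copied from the tool.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot code; 440..445: disk signature + pad
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_TYPES = {0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        return self.lba_start * SECTOR      # MBRCheck prints this as "at offset 0x..."

    @property
    def type_name(self) -> str:
        return PART_TYPES.get(self.type_id, f"type 0x{self.type_id:02X}")


def is_valid_mbr(sector: bytes) -> bool:
    """A boot sector must be exactly 512 bytes and end in the 0x55AA signature."""
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xaa"


def parse_partitions(sector: bytes) -> List[Partition]:
    if not is_valid_mbr(sector):
        raise ValueError("not a valid MBR sector")
    parts: List[Partition] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4), little-endian
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype == 0:
            continue                        # empty slot
        parts.append(Partition(i + 1, status == 0x80, ptype, lba, count))
    return parts


def boot_code_sha1(sector: bytes) -> str:
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def classify_mbr(sector: bytes, known: Dict[str, str]) -> str:
    """Match the boot-code hash against a caller-supplied table of known MBR code."""
    return known.get(boot_code_sha1(sector), "Unknown MBR code")


def mbr_report(sector: bytes, known: Dict[str, str]) -> List[str]:
    lines = []
    for p in parse_partitions(sector):
        flag = "bootable" if p.bootable else "        "
        lines.append(f"partition {p.index} {flag} {p.type_name:<14} offset 0x{p.byte_offset:016x}")
    lines.append(f"MBR code: {classify_mbr(sector, known)}  SHA1: {boot_code_sha1(sector)}")
    return lines


def _entry(bootable: bool, ptype: int, lba: int, count: int) -> bytes:
    # CHS fields carry the 0xFE 0xFF 0xFF "use LBA" marker; LBA-aware tools ignore them.
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", lba, count)


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not a real disk image): NOP filler for boot code and a
    two-partition layout shaped like the thread's (FAT32 at LBA 63, NTFS system partition
    at LBA 7871850, i.e. byte offset 0xF03AD400).  Sizes are made up."""
    code = b"\x90" * BOOT_CODE_LEN
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"   # placeholder disk signature
    table = (_entry(False, 0x0B, 63, 7_871_787)
             + _entry(True, 0x07, 7_871_850, 304_000_000)
             + bytes(32))                                    # two empty slots
    sector = code + disk_sig + table + b"\x55\xaa"
    assert len(sector) == SECTOR
    return sector


if __name__ == "__main__":
    sample = build_sample_mbr()
    known = {boot_code_sha1(sample): "Constructed sample MBR code"}
    print("\n".join(mbr_report(sample, known)))
```

On a live system the 512 bytes would come from the first sector of \\.\PhysicalDrive0, which needs administrator rights. Two points the design makes visible: the hash covers only the code region, so a changed partition table does not change the verdict, and a driver that filters disk reads can hand a user-mode reader a clean-looking sector, which is why a verdict that matters should come from a low-level or offline read rather than a single in-band one.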

...and here is the Combofix log file:

(Thanks again!)

ComboFix 11-02-25.01 - Owner 02/26/2011 0:49.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.128 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2011-01-26 to 2011-02-26 )))))))))))))))))))))))))))))))

.

2011-02-26 07:04 . 2011-02-26 07:04 -------- d-----w- c:\windows\system32\LogFiles

2011-02-18 06:14 . 2011-02-18 06:14 1409 ----a-w- c:\windows\QTFont.for

2011-02-12 20:24 . 2011-02-12 20:24 9347072 ----a-w- c:\documents and settings\Owner\ntuser.tmp

2011-02-09 10:11 . 2011-02-09 10:11 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

2011-02-09 10:03 . 2011-02-09 10:16 -------- d-----w- c:\windows\ie8updates

2011-02-09 08:01 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-02-09 08:01 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-02-09 08:01 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 09:36 . 2010-08-03 03:59 76696 ----a-w- c:\windows\system32\drivers\pxrts.sys

2011-02-09 07:43 . 2004-08-26 10:56 42368 ----a-w- c:\windows\system32\drivers\AGP440.SYS

2010-12-24 01:49 . 2010-12-24 01:49 9953832 ----a-w- C:\SUPERAntiSpyware.exe

2010-12-21 01:09 . 2010-08-03 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 01:08 . 2010-08-03 04:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-08 68856]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"CHotkey"="zHotkey.exe" [2004-05-18 543232]

"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]

"SoundMan"="SOUNDMAN.EXE" [2004-11-16 77824]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-10 113664]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

run_startmenu.cmd [2004-10-11 45]

VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2007-9-8 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk

backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-06-29 12:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]

2005-05-23 16:57 90112 ------w- c:\program files\Common Files\Ulead Systems\Autodetector\Monitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/1/2007 7:34 PM 642560]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 7:37 PM 135664]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/2/2010 9:42 PM 38224]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/26/2004 9:12 AM 14336]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 2:18 PM 169192]

S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [11/1/2007 7:48 PM 223128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2011-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb73bb30939cd0.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-25 02:37]

2011-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-25 02:37]

2007-09-07 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-09-07 00:26]

2011-02-26 c:\windows\Tasks\User_Feed_Synchronization-{7B2C85CF-6B05-4E00-A1A9-100921A2D66D}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vq13gnne.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/pacman/

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: Microsoft Choice Guard: ChoiceGuard@Microsoft - %profile%\extensions\ChoiceGuard@Microsoft

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}

FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

FF - Ext: vShare: vshareus@toolbar - %profile%\extensions\vshareus@toolbar

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

- - - - ORPHANS REMOVED - - - -

Notify-!SASWinLogon - (no file)

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-26 01:14

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1500)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

.

Completion time: 2011-02-26 01:29:15

ComboFix-quarantined-files.txt 2011-02-26 08:29

ComboFix2.txt 2011-02-08 02:34

Pre-Run: 27,711,164,416 bytes free

Post-Run: 27,790,680,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 3D900E9246FCB82CDF35B8F8B4AC459C

Thanks again very much!

Link to post
Share on other sites
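As an added triage example (not part of the forum post and not ComboFix's own code): a small Python script that parses the firewall-policy and service sections of a ComboFix log of the kind posted above and reports the settings a responder would want to check first. The log excerpt embedded in the script is a constructed reproduction of the relevant lines from the post; the set of "default" svchost groups is an assumed allow-list for illustration, and a hit against it means "review this entry", not "this is malicious".

```python
"""Triage the firewall-policy and service sections of a ComboFix log.

Added example, not code from the forum post or from ComboFix. SAMPLE_LOG is
a constructed excerpt reproducing the relevant lines of the posted log.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/1/2007 7:34 PM 642560]
S3 nosGetPlusHelper;getPlus Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/26/2004 9:12 AM 14336]
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')                      # [HKLM\...] header
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')               # "name"= value
PORT_RE = re.compile(r'^(\d+):(TCP|UDP)$', re.IGNORECASE)   # 3389:TCP
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.+)\]$')
SVCHOST_GROUP_RE = re.compile(r'svchost\.exe\s+-k\s+(\S+)', re.IGNORECASE)

# Assumption: svchost groups present on a stock Windows XP install. Anything
# outside this set is flagged for manual review only.
DEFAULT_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch",
    "imgsvc", "termsvcs", "httpfilter",
}


def parse_firewall_policy(text: str) -> Dict[str, object]:
    """Extract the standard-profile firewall state, allowed apps and open ports."""
    policy: Dict[str, object] = {"enabled": None, "authorized_apps": [], "open_ports": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m or "firewallpolicy" not in section:
            continue
        name, value = m.group(1), m.group(2)
        if section.endswith("\\standardprofile") and name.lower() == "enablefirewall":
            tokens = value.split()
            policy["enabled"] = bool(tokens) and tokens[0] != "0"
        elif section.endswith("authorizedapplications\\list"):
            policy["authorized_apps"].append(name.replace("\\\\", "\\"))
        elif section.endswith("globallyopenports\\list"):
            pm = PORT_RE.match(name)
            if pm:
                policy["open_ports"].append((pm.group(1), pm.group(2).upper()))
    return policy


def parse_services(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse 'R0 name;display;image [stamp]' driver/service lines."""
    services = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        start, name, display, image, stamp = m.groups()
        gm = SVCHOST_GROUP_RE.search(image)
        services.append({"start": start, "name": name, "display": display,
                         "image": image, "stamp": stamp,
                         "svchost_group": gm.group(1) if gm else None})
    return services


def triage(text: str) -> List[str]:
    """Return human-readable findings a responder should look at first."""
    findings = []
    fw = parse_firewall_policy(text)
    if fw["enabled"] is False:
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    for port, proto in fw["open_ports"]:
        label = " (Remote Desktop)" if (port, proto) == ("3389", "TCP") else ""
        findings.append(f"Globally open port {port}/{proto}{label} in the standard profile")
    for svc in parse_services(text):
        group = svc["svchost_group"]
        if group and group.lower() not in DEFAULT_SVCHOST_GROUPS:
            findings.append(f"Service {svc['name']} runs in non-default svchost group "
                            f"{group!r}: review {svc['image']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run against the excerpt, the script reports three items: the firewall is off, TCP 3389 (Remote Desktop) is open to every network in the standard profile, and the nosGetPlusHelper service runs inside its own svchost group. The log's own service description ("getPlus Helper") ties that last one to Adobe's download manager, so it is a review item rather than a detection; the first two are configuration weaknesses worth fixing regardless of what the infection turns out to be.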
