Loads of items found... not sure if fully cleaned, needs checking


dawg3

I am new to posting but have browsed here quite a bit.

I think I got it all, but it is still running slow. It had a bunch of ugly stuff.

Nothing else is showing up on scans, but I want to make sure.

Plus I get a window that pops up on startup that's named "common". Nothing is in it though.

Here is a list of items that MBM found:

trojan.vundo, spambot, agent

rogue.installer

pum.disabled.securitycenter

pup.funwebproducts

adware. mywebsearch, askbar, 180solutions, shopperreports, mediaacess, myweb.funweb, seekmo, zongo, relevantknowledge, starware, hotbar

None of the above have returned. I tried to find info on all of the above and their removal procedures before posting here; I just want to double check. Part of the problem with it being slow is that it only has 256 RAM, but that will be upgraded soon.

Here is my scan:

OTL logfile created on: 1/30/2011 6:29:50 PM - Run 1

OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Robert Thompson\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

191.00 Mb Total Physical Memory | 84.00 Mb Available Physical Memory | 44.00% Memory free

634.00 Mb Paging File | 375.00 Mb Available in Paging File | 59.00% Paging File free

Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.52 Gb Total Space | 51.41 Gb Free Space | 68.99% Space Free | Partition Type: NTFS

Drive E: | 6.03 Gb Total Space | 2.14 Gb Free Space | 35.46% Space Free | Partition Type: NTFS

Computer Name: ROBERT-DD5C9704 | User Name: Robert Thompson | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/30 18:22:57 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robert Thompson\Desktop\OTL.exe

PRC - [2010/12/14 15:02:18 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

PRC - [2010/09/07 10:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe

PRC - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

PRC - [2009/04/06 20:35:28 | 003,025,408 | ---- | M] (Ares Vista) -- C:\Program Files\Ares Vista\AresVista.exe

PRC - [2009/02/23 08:05:34 | 000,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2005/06/20 05:53:24 | 001,056,768 | R--- | M] (VIA Technologies) -- C:\Program Files\VIA\RAID\raid_tool.exe

PRC - [2005/04/15 13:32:16 | 000,110,592 | ---- | M] (Arcsoft, Inc.) -- C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe

PRC - [2005/03/07 14:33:28 | 000,053,248 | R--- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe

========== Modules (SafeList) ==========

MOD - [2011/01/30 18:22:57 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robert Thompson\Desktop\OTL.exe

MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)

SRV - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)

SRV - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)

SRV - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)

SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)

SRV - [2008/09/08 10:19:23 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Disabled | Stopped] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)

========== Driver Services (SafeList) ==========

DRV - [2010/09/07 09:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)

DRV - [2010/09/07 09:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)

DRV - [2010/09/07 09:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)

DRV - [2010/09/07 09:47:19 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)

DRV - [2010/09/07 09:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)

DRV - [2010/09/07 09:46:51 | 000,028,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)

DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)

DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)

DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)

DRV - [2003/08/04 05:27:58 | 000,324,590 | ---- | M] (PCTEL, INC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptserial.sys -- (Ptserial)

DRV - [2003/08/03 20:49:32 | 000,942,675 | ---- | M] (PCtel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vpctcom.sys -- (Vpctcom)

DRV - [2003/08/01 05:21:12 | 000,936,833 | ---- | M] (PCTEL, INC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vmodem.sys -- (Vmodem)

DRV - [2003/08/01 05:18:38 | 000,090,900 | ---- | M] (PCtel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vvoice.sys -- (Vvoice)

DRV - [2001/08/17 08:51:32 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html

IE - HKLM\..\URLSearchHook: {2731C719-B8C5-4282-993D-B5AD0E77531D} - C:\Program Files\MapQuest Toolbar\mqtb.dll (MapQuest)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo....=utf-8&fr=b1ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKCU\..\URLSearchHook: - Reg Error: Key error. File not found

IE - HKCU\..\URLSearchHook: {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (Ask.com)

IE - HKCU\..\URLSearchHook: {2731C719-B8C5-4282-993D-B5AD0E77531D} - C:\Program Files\MapQuest Toolbar\mqtb.dll (MapQuest)

IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"

FF - prefs.js..browser.search.defaultthis.engineName: "TranslatorBar 1 Customized Web Search"

FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2392836&SearchSource=3&q={searchTerms}"

FF - prefs.js..browser.search.selectedEngine: "TranslatorBar 1 Customized Web Search"

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=ffds1&p="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/11 17:22:17 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/06 14:17:19 | 000,000,000 | ---D | M]

[2009/03/23 19:51:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Robert Thompson\Application Data\Mozilla\Extensions

[2011/01/09 19:19:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Robert Thompson\Application Data\Mozilla\Firefox\Profiles\y3vx7pzv.default\extensions

[2009/09/05 08:29:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Robert Thompson\Application Data\Mozilla\Firefox\Profiles\y3vx7pzv.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2009/06/06 17:49:27 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Robert Thompson\Application Data\Mozilla\Firefox\Profiles\y3vx7pzv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2009/09/18 21:18:32 | 000,000,000 | ---D | M] (Personas for Firefox) -- C:\Documents and Settings\Robert Thompson\Application Data\Mozilla\Firefox\Profiles\y3vx7pzv.default\extensions\personas@christopher.beard

[2010/02/05 18:34:59 | 000,002,104 | ---- | M] () -- C:\Documents and Settings\Robert Thompson\Application Data\Mozilla\Firefox\Profiles\y3vx7pzv.default\searchplugins\alot-search.xml

[2010/04/21 11:08:16 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Robert Thompson\Application Data\Mozilla\Firefox\Profiles\y3vx7pzv.default\searchplugins\conduit.xml

[2011/01/09 19:19:20 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2010/04/20 12:25:55 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

[2010/10/28 16:03:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

[2010/09/15 03:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2004/08/04 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)

O2 - BHO: (Ask Search Assistant BHO) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (Ask.com)

O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)

O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (MapQuest Toolbar Loader) - {E34F0E11-AB79-487c-9773-36C594DFF5AA} - C:\Program Files\MapQuest Toolbar\mqtb.dll (MapQuest)

O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (MapQuest Toolbar) - {57ABF0DD-577C-4ec6-855C-8DC29768C2B0} - C:\Program Files\MapQuest Toolbar\mqtb.dll (MapQuest)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)

O3 - HKLM\..\Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (MapQuest Toolbar) - {57ABF0DD-577C-4EC6-855C-8DC29768C2B0} - C:\Program Files\MapQuest Toolbar\mqtb.dll (MapQuest)

O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)

O4 - HKLM..\Run: [Cmaudio] File not found

O4 - HKLM..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE (SEIKO EPSON CORPORATION)

O4 - HKLM..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe (Microsoft

:wacko:

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, Firefox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

Performed the above tasks as instructed. TDSSKiller did not report a fault.

Seems to be running about the same... maybe a tad bit faster.

GooredFix report

GooredFix by jpshortstuff (03.07.10.1)

Log created at 18:28 on 01/02/2011 (Robert Thompson)

Firefox version 3.6.12 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:50 24/03/2009]

{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [17:25 20/04/2010]

{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [21:02 28/10/2010]

C:\Documents and Settings\Robert Thompson\Application Data\Mozilla\Firefox\Profiles\y3vx7pzv.default\extensions\

personas@christopher.beard [02:18 19/09/2009]

{20a82645-c095-46ed-80e3-08825760534b} [13:29 05/09/2009]

{635abd67-4fe9-1b23-4f01-e679fa7484c1} [21:48 06/06/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [07:14 22/08/2009]

"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:42 24/03/2009]

-=E.O.F=-

TDSSKiller report

2011/02/01 18:30:04.0046 2644 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03

2011/02/01 18:30:04.0421 2644 ================================================================================

2011/02/01 18:30:04.0421 2644 SystemInfo:

2011/02/01 18:30:04.0421 2644

2011/02/01 18:30:04.0421 2644 OS Version: 5.1.2600 ServicePack: 3.0

2011/02/01 18:30:04.0421 2644 Product type: Workstation

2011/02/01 18:30:04.0421 2644 ComputerName: ROBERT-DD5C9704

2011/02/01 18:30:04.0421 2644 UserName: Robert Thompson

2011/02/01 18:30:04.0421 2644 Windows directory: C:\WINDOWS

2011/02/01 18:30:04.0421 2644 System windows directory: C:\WINDOWS

2011/02/01 18:30:04.0421 2644 Processor architecture: Intel x86

2011/02/01 18:30:04.0421 2644 Number of processors: 1

2011/02/01 18:30:04.0421 2644 Page size: 0x1000

2011/02/01 18:30:04.0421 2644 Boot type: Normal boot

2011/02/01 18:30:04.0421 2644 ================================================================================

2011/02/01 18:30:05.0437 2644 Initialize success

2011/02/01 18:30:11.0031 0712 ================================================================================

2011/02/01 18:30:11.0031 0712 Scan started

2011/02/01 18:30:11.0031 0712 Mode: Manual;

2011/02/01 18:30:11.0031 0712 ================================================================================

2011/02/01 18:30:12.0000 0712 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys

2011/02/01 18:30:12.0203 0712 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/02/01 18:30:12.0250 0712 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/02/01 18:30:12.0343 0712 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/02/01 18:30:12.0421 0712 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys

2011/02/01 18:30:12.0484 0712 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2011/02/01 18:30:12.0937 0712 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys

2011/02/01 18:30:13.0015 0712 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys

2011/02/01 18:30:13.0062 0712 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys

2011/02/01 18:30:13.0140 0712 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys

2011/02/01 18:30:13.0187 0712 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys

2011/02/01 18:30:13.0250 0712 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/02/01 18:30:13.0328 0712 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/02/01 18:30:13.0406 0712 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/02/01 18:30:13.0484 0712 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/02/01 18:30:13.0578 0712 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/02/01 18:30:13.0671 0712 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/02/01 18:30:13.0765 0712 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/02/01 18:30:13.0843 0712 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/02/01 18:30:13.0890 0712 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/02/01 18:30:14.0140 0712 cmuda (e5adeef2c0db43964223f408f1fcc97e) C:\WINDOWS\system32\drivers\cmuda.sys

2011/02/01 18:30:14.0437 0712 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/02/01 18:30:14.0515 0712 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/02/01 18:30:14.0609 0712 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/02/01 18:30:14.0671 0712 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/02/01 18:30:14.0734 0712 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/02/01 18:30:14.0859 0712 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/02/01 18:30:14.0984 0712 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/02/01 18:30:15.0046 0712 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/02/01 18:30:15.0125 0712 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys

2011/02/01 18:30:15.0187 0712 FETNDISB (b7186b33b6cf3a23841015531e6e7d68) C:\WINDOWS\system32\DRIVERS\fetnd5b.sys

2011/02/01 18:30:15.0265 0712 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/02/01 18:30:15.0343 0712 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/02/01 18:30:15.0406 0712 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/02/01 18:30:15.0453 0712 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/02/01 18:30:15.0515 0712 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/02/01 18:30:15.0562 0712 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/02/01 18:30:15.0609 0712 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/02/01 18:30:15.0734 0712 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/02/01 18:30:15.0921 0712 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/02/01 18:30:16.0000 0712 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/02/01 18:30:16.0187 0712 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/02/01 18:30:16.0250 0712 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/02/01 18:30:16.0312 0712 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/02/01 18:30:16.0390 0712 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/02/01 18:30:16.0437 0712 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/02/01 18:30:16.0484 0712 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/02/01 18:30:16.0546 0712 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys

2011/02/01 18:30:16.0593 0712 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/02/01 18:30:16.0656 0712 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys

2011/02/01 18:30:16.0734 0712 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/02/01 18:30:16.0796 0712 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/02/01 18:30:16.0859 0712 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/02/01 18:30:16.0921 0712 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/02/01 18:30:17.0000 0712 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/02/01 18:30:17.0203 0712 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/02/01 18:30:17.0265 0712 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/02/01 18:30:17.0343 0712 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys

2011/02/01 18:30:17.0390 0712 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/02/01 18:30:17.0453 0712 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/02/01 18:30:17.0531 0712 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/02/01 18:30:17.0640 0712 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/02/01 18:30:17.0734 0712 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/02/01 18:30:17.0812 0712 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/02/01 18:30:17.0875 0712 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/02/01 18:30:17.0921 0712 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/02/01 18:30:17.0984 0712 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/02/01 18:30:18.0062 0712 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/02/01 18:30:18.0109 0712 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/02/01 18:30:18.0171 0712 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/02/01 18:30:18.0218 0712 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/02/01 18:30:18.0250 0712 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/02/01 18:30:18.0312 0712 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/02/01 18:30:18.0375 0712 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/02/01 18:30:18.0406 0712 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/02/01 18:30:18.0484 0712 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/02/01 18:30:18.0578 0712 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/02/01 18:30:18.0625 0712 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/02/01 18:30:18.0734 0712 NTSIM (a568b9a9ffe2d9387222a5c90f86d731) C:\WINDOWS\system32\ntsim.sys

2011/02/01 18:30:18.0812 0712 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/02/01 18:30:18.0875 0712 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/02/01 18:30:18.0937 0712 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/02/01 18:30:19.0015 0712 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/02/01 18:30:19.0046 0712 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/02/01 18:30:19.0078 0712 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/02/01 18:30:19.0140 0712 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/02/01 18:30:19.0281 0712 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/02/01 18:30:19.0609 0712 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/02/01 18:30:19.0687 0712 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/02/01 18:30:19.0734 0712 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/02/01 18:30:19.0812 0712 Ptserial (403727208b1156f8a2a6c65886f41c5a) C:\WINDOWS\system32\DRIVERS\ptserial.sys

2011/02/01 18:30:20.0109 0712 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/02/01 18:30:20.0187 0712 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys

2011/02/01 18:30:20.0234 0712 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/02/01 18:30:20.0265 0712 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/02/01 18:30:20.0312 0712 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/02/01 18:30:20.0375 0712 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/02/01 18:30:20.0406 0712 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/02/01 18:30:20.0484 0712 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/02/01 18:30:20.0546 0712 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/02/01 18:30:20.0703 0712 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

2011/02/01 18:30:20.0750 0712 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

2011/02/01 18:30:20.0828 0712 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/02/01 18:30:20.0906 0712 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/02/01 18:30:20.0984 0712 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/02/01 18:30:21.0062 0712 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/02/01 18:30:21.0218 0712 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/02/01 18:30:21.0296 0712 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/02/01 18:30:21.0375 0712 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/02/01 18:30:21.0453 0712 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/02/01 18:30:21.0531 0712 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/02/01 18:30:21.0750 0712 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/02/01 18:30:21.0843 0712 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/02/01 18:30:21.0953 0712 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/02/01 18:30:22.0046 0712 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/02/01 18:30:22.0125 0712 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/02/01 18:30:22.0265 0712 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys

2011/02/01 18:30:24.0687 0712 ================================================================================

2011/02/01 18:30:24.0687 0712 Scan finished

2011/02/01 18:30:24.0687 0712 ================================================================================


Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right click, choose "Run as Administrator").

Download ComboFix from one of these locations:

Link 1

Link 2 (if using this link, right click and select Save As).

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: Recovery Console installed message]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Not sure yet how it behaves; will do a restart and see how it goes. Wanted to post the ComboFix log first.

ComboFix 11-01-31.02 - Robert Thompson 02/01/2011 19:40:18.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.191.114 [GMT -5:00]

Running from: c:\documents and settings\Robert Thompson\Desktop\ComboFix.exe

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Robert Thompson\Application Data\PriceGong

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\1.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\a.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\b.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\c.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\d.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\e.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\f.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\g.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\h.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\i.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\J.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\k.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\l.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\m.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\n.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\o.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\p.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\q.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\r.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\s.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\t.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\u.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\v.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\w.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\x.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\y.xml

c:\documents and settings\Robert Thompson\Application Data\PriceGong\Data\z.xml

c:\program files\Common

c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf

.

((((((((((((((((((((((((( Files Created from 2011-01-02 to 2011-02-02 )))))))))))))))))))))))))))))))

.

2011-01-12 23:01 . 2008-04-13 19:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2011-01-12 23:01 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-01-10 00:25 . 2011-01-10 00:25 -------- d-----w- c:\documents and settings\Robert Thompson\Application Data\SUPERAntiSpyware.com

2011-01-10 00:25 . 2011-01-10 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-01-10 00:25 . 2011-01-30 23:01 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-01-09 22:56 . 2011-01-09 22:57 -------- d-----w- c:\program files\CCleaner

2011-01-09 19:07 . 2011-01-09 19:07 -------- d-----w- c:\documents and settings\Robert Thompson\Application Data\Malwarebytes

2011-01-09 19:06 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-01-09 19:06 . 2011-01-09 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-01-09 19:06 . 2011-01-09 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-01-09 19:06 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-18 18:12 . 2006-01-11 17:45 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{2731C719-B8C5-4282-993D-B5AD0E77531D}"= "c:\program files\MapQuest Toolbar\mqtb.dll" [2008-03-18 1267040]

"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-08-11 66912]

[HKEY_CLASSES_ROOT\clsid\{2731c719-b8c5-4282-993d-b5ad0e77531d}]

[HKEY_CLASSES_ROOT\MQTB.AOLTBSearch.1]

[HKEY_CLASSES_ROOT\TypeLib\{2374E959-A5FE-424f-9F20-47FB6195D175}]

[HKEY_CLASSES_ROOT\MQTB.AOLTBSearch]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]

2008-08-11 16:14 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E34F0E11-AB79-487c-9773-36C594DFF5AA}]

2008-03-18 21:35 1267040 ----a-w- c:\program files\MapQuest Toolbar\mqtb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{57ABF0DD-577C-4ec6-855C-8DC29768C2B0}"= "c:\program files\MapQuest Toolbar\mqtb.dll" [2008-03-18 1267040]

[HKEY_CLASSES_ROOT\clsid\{57abf0dd-577c-4ec6-855c-8dc29768c2b0}]

[HKEY_CLASSES_ROOT\MQTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib\{2374E959-A5FE-424f-9F20-47FB6195D175}]

[HKEY_CLASSES_ROOT\MQTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{57ABF0DD-577C-4EC6-855C-8DC29768C2B0}"= "c:\program files\MapQuest Toolbar\mqtb.dll" [2008-03-18 1267040]

[HKEY_CLASSES_ROOT\clsid\{57abf0dd-577c-4ec6-855c-8dc29768c2b0}]

[HKEY_CLASSES_ROOT\MQTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib\{2374E959-A5FE-424f-9F20-47FB6195D175}]

[HKEY_CLASSES_ROOT\MQTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"ares vista"="c:\program files\Ares Vista\AresVista.exe" [2009-04-07 3025408]

"Google Update"="c:\documents and settings\Robert Thompson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-01-09 136176]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-14 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]

"VTTimer"="VTTimer.exe" [2005-03-07 53248]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]

"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]

"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]

"EPSON Stylus CX7800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-07 98304]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2006-3-7 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]

2003-07-17 19:01 180224 ----a-w- c:\windows\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-02-01 04:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2003-11-01 00:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2006-07-26 08:03 49263 ----a-w- c:\program files\Java\jre1.5.0_08\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"YahooAUService"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"Viewpoint Manager Service"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"iPod Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\StubInstaller.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Java\\jre1.5.0_08\\bin\\javaw.exe"=

"c:\\Program Files\\Ares Vista\\AresVista.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/1/2008 5:54 PM 165584]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/1/2008 5:54 PM 17744]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 7:09 PM 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV

.

Contents of the 'Scheduled Tasks' folder

2011-02-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1500820517-839522115-1004Core.job

- c:\documents and settings\Robert Thompson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-09 22:41]

2011-02-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1500820517-839522115-1004UA.job

- c:\documents and settings\Robert Thompson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-09 22:41]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>;*.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &MapQuest Toolbar Search - c:\documents and settings\All Users\Application Data\MapQuest Toolbar\ieToolbar\resources\en-US\local\search.html

FF - ProfilePath - c:\documents and settings\Robert Thompson\Application Data\Mozilla\Firefox\Profiles\y3vx7pzv.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2392836&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - TranslatorBar 1 Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - user.js: yahoo.homepage.dontask - true

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl

MSConfigStartUp-Aim6 - c:\program files\Common Files\AOL\Launch\AOLLaunch.exe

MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1143508189\ee\AOLSoftware.exe

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-01 19:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

Completion time: 2011-02-01 19:55:26

ComboFix-quarantined-files.txt 2011-02-02 00:55

Pre-Run: 55,276,994,560 bytes free

Post-Run: 55,306,133,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - F8BC31215B0AE8A8C79F654A4F7228C4

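A small triage helper for the "Reg Loading Points" block of a ComboFix log like the one above, added here as an example that is not part of this thread and not ComboFix's own code: it parses the [key] and "name"="path" [date size] lines, flags paths that mention a watch-listed vendor, and reports start-up names registered under more than one Run key. The sample lines are constructed from entries in the log above; the watchlist is an assumption (AskSBar and PriceGong appear in the log, the other two fragments are illustrative).

```python
"""Triage helper for the 'Reg Loading Points' block of a ComboFix log.
Added example, not code from this thread or from ComboFix: parses the
REGEDIT4-style block, flags watch-listed paths, finds names registered
under more than one Run key."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
# Constructed sample: a few lines copied in shape from the log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{2731C719-B8C5-4282-993D-B5AD0E77531D}"= "c:\program files\MapQuest Toolbar\mqtb.dll" [2008-03-18 1267040]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-08-11 66912]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-14 2424560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"""
# Assumed watchlist: AskSBar and PriceGong are in the log above; the rest are illustrative.
WATCHLIST = ("asksbar", "pricegong", "mywebsearch", "funwebproducts")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="path" [yyyy-mm-dd size]; the bracketed part is optional.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]*)"'
    r"(?:\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?\s*$"
)


@dataclass(frozen=True)
class Entry:
    key: str
    name: str
    path: str
    date: Optional[str]
    size: Optional[int]


def parse_loading_points(text: str) -> list:
    """One Entry per quoted "name"="path" line, tagged with the open [key].
    Lines with no quoted path ("Foo"=2 (0x2), bare "x"=) are skipped."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif key and (m := VALUE_RE.match(line)):
            size = m.group("size")
            entries.append(Entry(key, m.group("name"), m.group("path"),
                                 m.group("date"), int(size) if size else None))
    return entries


def flag_watchlisted(entries) -> list:
    """(Entry, needle) for each path that mentions a watch-listed vendor."""
    hits = []
    for e in entries:
        needle = next((w for w in WATCHLIST if w in e.path.lower()), None)
        if needle:
            hits.append((e, needle))
    return hits


def duplicate_autoruns(entries) -> dict:
    """Start-up names under more than one ...\\Run key (the log above has
    YSearchProtection in both HKCU and HKLM Run); worth a look regardless."""
    seen = defaultdict(set)
    for e in entries:
        if e.key.lower().endswith("\\run"):
            seen[e.name.lower()].add(e.key)
    return {name: keys for name, keys in seen.items() if len(keys) > 1}
```

Run against the sample, the AskSBar search hook is the only watchlist hit and YSearchProtection is reported as registered under both Run keys.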

1. Click Start > Settings > Control Panel.

2. Next, open Add/Remove Programs and remove if listed:

AskSBar

After the above:

Good job!

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START, then Run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

For Vista / Windows 7

  • Click START, then Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all-clean post.

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  • WOT, Web of Trust - As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites: green to go, yellow for caution, red to stop. WOT has an add-on available for both Firefox and IE.
  • JAVA - Click this link and click on the Free JAVA Download.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware
