Jump to content

Can't Get Rid Of Persistant Rootkit.


Recommended Posts

Hi, my name is Landon, and a couple days ago, my system became super slow, as well as started redirecting me to a different google page. After several scans and removing some infected files with a normal full system scan, AVG started detecting rootkits, and prompted me for bootscans. I've also been running Malware scans religiously for the past 24 hours. It would find a couple of infected files, and is up to date, but I'm still getting notifications of rootkits. I didn't know what else to do so I googled and came here seeking help.

Link to post
Share on other sites

Hi Lando and Welcome to Malwarebytes!

We need to look at some information about what is going on in your computer:

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

    [*]Double click on the DDS icon, allow it to run.

    [*]A small box will open, with an explanation about the tool.

    [*]When done, DDS will open two (2) logs

    1. DDS.txt

    2. Attach.txt

    [*] Save both reports to your desktop.

    [*] The instructions here ask you to attach the Attach.txt.

    DDS.jpg

    [*]Instead of attaching, please copy/past both logs into your Thread

    [*]Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.

After downloading the tool, disconnect from the internet and disable all antivirus protection.

Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HEREThen post your DDS (DDS.txt and Attach.txt

Next

Please Download Rootkit Unhooker Save it to your desktop.

  • extract RKUnhooker to your desktop
    • Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
      you can get a free one from here -
    http://www.7-zip.org/

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

In your next reply, please include these log(s):

1.DDS.txt

2.Attach.txt

3.RKU log

Link to post
Share on other sites

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Landon Bryan at 19:23:23.60 on 21/03/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.497 [GMT -4:00]

.

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Logitech\SetPoint\LBTWiz.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Landon Bryan\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uSearch Page =

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uSearch Bar =

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.accoona.com/search?q=%s

uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: ImageShack Toolbar: {6932d140-abc4-4073-a44c-d4a541665e35} - c:\windows\imageshacktoolbar\ImageShackToolbar.dll

TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe

mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [bluetooth Connection Assistant] LBTWIZ.EXE -silent

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

StartupFolder: c:\docume~1\landon~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: amaena.com

Trusted Zone: avsystemcare.com

Trusted Zone: imageshack.us\toolbar

Trusted Zone: onerateld.com

Trusted Zone: safetydownload.com

Trusted Zone: trustedantivirus.com

Trusted Zone: virusschlacht.com

Trusted Zone: amaena.com

Trusted Zone: avsystemcare.com

Trusted Zone: onerateld.com

Trusted Zone: safetydownload.com

Trusted Zone: trustedantivirus.com

Trusted Zone: virusschlacht.com

DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab

DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Plants%20vs.%20Zombies/Images/stg_drm.ocx

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} - hxxp://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} - hxxp://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Plants%20vs.%20Zombies/Images/armhelper.ocx

DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab41227.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\landon~1\applic~1\mozilla\firefox\profiles\gcq3rxzn.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - AIM Search

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=

FF - plugin: c:\documents and settings\landon bryan\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\landon bryan\application data\mozilla\firefox\profiles\gcq3rxzn.default\extensions\activegs@freetoolsassociation.com\platform\winnt_x86-msvc\plugins\npActiveGS.dll

FF - plugin: c:\documents and settings\landon bryan\application data\mozilla\firefox\profiles\gcq3rxzn.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: AIM Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: ActiveGS: activegs@freetoolsassociation.com - %profile%\extensions\activegs@freetoolsassociation.com

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: Veoh Browser Plug-in: videofinder@veoh.com - c:\program files\veoh networks\veoh\plugins\noreg\VideoFinder4

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST3250824AS rev.3.ADH -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86D65439]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86d6b7d0]; MOV EAX, [0x86d6b84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86D91AB8]

3 CLASSPNP[0xF767EFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86D5A7F8]

\Driver\atapi[0x86DA4D58] -> IRP_MJ_CREATE -> 0x86D65439

kernel: MBR read successfully

_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }

detected disk devices:

\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST3250824AS_____________________________3.ADH___#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x86D6527F

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 19:26:42.81 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 09/05/2006 1:12:12 PM

System Uptime: 21/03/2011 3:41:22 PM (4 hours ago)

.

Motherboard: Dell Inc. | | 0WG261

Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 230 GiB total, 108.578 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Hamachi Network Interface

Device ID: ROOT\NET\0001

Manufacturer: LogMeIn, Inc.

Name: Hamachi Network Interface

PNP Device ID: ROOT\NET\0001

Service: hamachi

.

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}

Description: Nokia 6133

Device ID: ROOT\WPD\0000

Manufacturer: Nokia

Name: Nokia 6133

PNP Device ID: ROOT\WPD\0000

Service: WUDFRd

.

==== System Restore Points ===================

.

RP1730: 20/12/2010 2:49:32 AM - System Checkpoint

RP1731: 21/12/2010 9:59:26 AM - Software Distribution Service 3.0

RP1732: 22/12/2010 12:42:41 AM - Installed Steam

RP1733: 22/12/2010 1:34:18 AM - Installed DirectX

RP1734: 23/12/2010 2:36:13 AM - System Checkpoint

RP1735: 24/12/2010 2:37:49 PM - Software Distribution Service 3.0

RP1736: 25/12/2010 6:47:25 PM - System Checkpoint

RP1737: 25/12/2010 9:50:32 PM - Installed DirectX

RP1738: 26/12/2010 4:15:36 AM - Software Distribution Service 3.0

RP1739: 27/12/2010 12:39:31 AM - Installed DirectX

RP1740: 28/12/2010 11:51:41 AM - Software Distribution Service 3.0

RP1741: 29/12/2010 2:55:47 AM - Installed LogMeIn Hamachi

RP1742: 30/12/2010 3:39:30 AM - System Checkpoint

RP1743: 30/12/2010 12:27:42 PM - Software Distribution Service 3.0

RP1744: 31/12/2010 12:45:54 PM - Software Distribution Service 3.0

RP1745: 01/01/2011 2:24:00 PM - System Checkpoint

RP1746: 02/01/2011 3:20:07 PM - System Checkpoint

RP1747: 03/01/2011 10:26:58 PM - System Checkpoint

RP1748: 04/01/2011 1:38:09 PM - Software Distribution Service 3.0

RP1749: 06/01/2011 1:13:34 AM - System Checkpoint

RP1750: 07/01/2011 3:40:32 AM - System Checkpoint

RP1751: 07/01/2011 11:46:57 AM - Software Distribution Service 3.0

RP1752: 08/01/2011 12:49:42 PM - System Checkpoint

RP1753: 09/01/2011 10:16:47 PM - System Checkpoint

RP1754: 11/01/2011 4:10:46 AM - System Checkpoint

RP1755: 11/01/2011 8:04:26 AM - Software Distribution Service 3.0

RP1756: 12/01/2011 4:16:38 AM - Software Distribution Service 3.0

RP1757: 13/01/2011 10:14:14 PM - System Checkpoint

RP1758: 14/01/2011 4:23:01 PM - Software Distribution Service 3.0

RP1759: 15/01/2011 8:10:05 PM - System Checkpoint

RP1760: 16/01/2011 9:37:37 PM - System Checkpoint

RP1761: 18/01/2011 12:32:30 PM - System Checkpoint

RP1762: 19/01/2011 3:03:59 PM - Software Distribution Service 3.0

RP1763: 20/01/2011 5:18:12 PM - System Checkpoint

RP1764: 20/01/2011 9:24:44 PM - Installed DirectX

RP1765: 21/01/2011 4:07:09 PM - Software Distribution Service 3.0

RP1766: 22/01/2011 11:35:31 PM - System Checkpoint

RP1767: 24/01/2011 4:26:11 PM - System Checkpoint

RP1768: 25/01/2011 2:33:40 PM - Software Distribution Service 3.0

RP1769: 25/01/2011 11:55:32 PM - Installed Microsoft XNA Framework Redistributable 3.1

RP1770: 25/01/2011 11:56:39 PM - Installed DirectX

RP1771: 26/01/2011 12:03:15 AM - Installed DirectX

RP1772: 26/01/2011 12:09:11 AM - Installed DirectX

RP1773: 26/01/2011 12:14:41 AM - Removed Microsoft XNA Framework Redistributable 3.1

RP1774: 26/01/2011 12:16:17 AM - Installed Microsoft XNA Framework Redistributable 3.1

RP1775: 26/01/2011 12:17:11 AM - Installed DirectX

RP1776: 27/01/2011 5:15:05 PM - System Checkpoint

RP1777: 28/01/2011 2:01:08 PM - Software Distribution Service 3.0

RP1778: 29/01/2011 2:06:05 PM - System Checkpoint

RP1779: 30/01/2011 6:54:07 PM - System Checkpoint

RP1780: 01/02/2011 5:04:06 AM - System Checkpoint

RP1781: 01/02/2011 5:59:39 AM - Software Distribution Service 3.0

RP1782: 02/02/2011 8:13:57 PM - System Checkpoint

RP1783: 04/02/2011 2:17:03 AM - Software Distribution Service 3.0

RP1784: 05/02/2011 3:23:06 AM - System Checkpoint

RP1785: 06/02/2011 5:22:50 PM - System Checkpoint

RP1786: 07/02/2011 8:23:11 PM - System Checkpoint

RP1787: 08/02/2011 12:00:51 PM - Software Distribution Service 3.0

RP1788: 09/02/2011 2:51:13 PM - System Checkpoint

RP1789: 10/02/2011 12:32:04 AM - Software Distribution Service 3.0

RP1790: 11/02/2011 1:56:23 AM - System Checkpoint

RP1791: 11/02/2011 11:06:24 AM - Software Distribution Service 3.0

RP1792: 12/02/2011 2:23:36 PM - System Checkpoint

RP1793: 13/02/2011 4:24:20 PM - System Checkpoint

RP1794: 14/02/2011 9:24:00 PM - System Checkpoint

RP1795: 15/02/2011 6:51:32 AM - Software Distribution Service 3.0

RP1796: 16/02/2011 3:20:40 AM - Software Distribution Service 3.0

RP1797: 17/02/2011 7:41:31 PM - System Checkpoint

RP1798: 18/02/2011 12:05:44 PM - Software Distribution Service 3.0

RP1799: 18/02/2011 6:09:50 PM - SetPoint 4.80

RP1800: 19/02/2011 6:21:54 PM - System Checkpoint

RP1801: 20/02/2011 9:31:28 PM - System Checkpoint

RP1802: 21/02/2011 11:11:55 PM - System Checkpoint

RP1803: 22/02/2011 10:40:36 AM - Software Distribution Service 3.0

RP1804: 23/02/2011 11:32:00 AM - System Checkpoint

RP1805: 24/02/2011 1:08:08 PM - System Checkpoint

RP1806: 25/02/2011 9:08:01 AM - Software Distribution Service 3.0

RP1807: 26/02/2011 7:26:21 PM - System Checkpoint

RP1808: 28/02/2011 3:02:47 AM - System Checkpoint

RP1809: 01/03/2011 4:24:45 AM - System Checkpoint

RP1810: 01/03/2011 2:51:52 PM - Software Distribution Service 3.0

RP1811: 02/03/2011 8:40:08 PM - System Checkpoint

RP1812: 04/03/2011 1:12:01 AM - System Checkpoint

RP1813: 04/03/2011 12:29:00 PM - Software Distribution Service 3.0

RP1814: 05/03/2011 12:30:57 PM - System Checkpoint

RP1815: 06/03/2011 2:53:09 PM - System Checkpoint

RP1816: 07/03/2011 6:42:46 PM - System Checkpoint

RP1817: 08/03/2011 1:55:41 PM - Software Distribution Service 3.0

RP1818: 09/03/2011 4:11:55 AM - Software Distribution Service 3.0

RP1819: 10/03/2011 1:56:36 PM - System Checkpoint

RP1820: 11/03/2011 5:07:17 PM - System Checkpoint

RP1821: 11/03/2011 5:17:38 PM - Software Distribution Service 3.0

RP1822: 13/03/2011 10:03:57 PM - System Checkpoint

RP1823: 14/03/2011 10:23:51 PM - System Checkpoint

RP1824: 15/03/2011 12:35:09 PM - Software Distribution Service 3.0

RP1825: 16/03/2011 1:31:50 PM - System Checkpoint

RP1826: 17/03/2011 1:39:44 PM - System Checkpoint

RP1827: 18/03/2011 12:46:09 PM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

Adobe Acrobat - Reader 6.0.2 Update

Adobe After Effects CS3

Adobe After Effects CS3 Presets

Adobe Anchor Service CS3

Adobe Asset Services CS3

Adobe Bridge 1.0

Adobe Bridge CS3

Adobe Bridge Start Meeting

Adobe Camera Raw 4.0

Adobe CMaps

Adobe Color - Photoshop Specific

Adobe Color Common Settings

Adobe Common File Installer

Adobe Default Language CS3

Adobe Device Central CS3

Adobe ExtendScript Toolkit 2

Adobe Flash Player 10 Plugin

Adobe Fonts All

Adobe Help Center 2.0

Adobe Help Viewer CS3

Adobe Linguistics CS3

Adobe MotionPicture Color Files

Adobe PDF Library Files

Adobe Photoshop CS2

Adobe Premiere Pro CS3

Adobe Premiere Pro CS3 Functional Content

Adobe Reader 6.0.1

Adobe Setup

Adobe Shockwave Player

Adobe Stock Photos 1.0

Adobe Type Support

Adobe Update Manager CS3

Adobe Version Cue CS3 Client

Adobe Video Profiles

Adobe XMP DVA Panels CS3

Adobe XMP Panels CS3

Adobe

Link to post
Share on other sites

We have some work to do on this PC. Let's deal with this rootkit first.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note:It will also create a log in the C:\ directory.

Next

There are some older versions of Java on your computer. These can be a source of infection.

[javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 24 -
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u124 -windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files

      [*]Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      [*]Click OK to leave the Temporary Files Window

      [*]Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_24 from Sun Microsystems Inc.

-------------------------------------------------------------------

To clear your Java Cache.

Click Start > Control Panel.

In the Control Panel, double-click the "Java" icon in the control panel. The Java Control Panel then appears.

Under the header "Temporary Internet Files", select the "Settings" button.

81f6db55.png

Don't change any of the settings, then click "Delete Files".

9e91904d.png

Next, the Delete Temporary Files dialog box appears.

a7252171.png

Make sure both boxes are ticked, and hit the OK button.

.

In your next reply, please include these log(s):

TDSSKiller report

Link to post
Share on other sites

2011/03/21 20:57:04.0500 3588 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28

2011/03/21 20:57:04.0796 3588 ================================================================================

2011/03/21 20:57:04.0796 3588 SystemInfo:

2011/03/21 20:57:04.0796 3588

2011/03/21 20:57:04.0796 3588 OS Version: 5.1.2600 ServicePack: 3.0

2011/03/21 20:57:04.0796 3588 Product type: Workstation

2011/03/21 20:57:04.0796 3588 ComputerName: LANDON

2011/03/21 20:57:04.0796 3588 UserName: Landon Bryan

2011/03/21 20:57:04.0796 3588 Windows directory: C:\WINDOWS

2011/03/21 20:57:04.0796 3588 System windows directory: C:\WINDOWS

2011/03/21 20:57:04.0796 3588 Processor architecture: Intel x86

2011/03/21 20:57:04.0796 3588 Number of processors: 2

2011/03/21 20:57:04.0796 3588 Page size: 0x1000

2011/03/21 20:57:04.0796 3588 Boot type: Normal boot

2011/03/21 20:57:04.0796 3588 ================================================================================

2011/03/21 20:57:05.0062 3588 Initialize success

I have followed your instructions, the latest version of Java is installed, as well, all older versions have been removed.

Thank you very much for your help so far. I'm very happy there are wonderful people like yourself who are willing to provide such help.

Link to post
Share on other sites

Your PC had a rootkit that has replaced your ide driver atapi.sys file with malware. If we had remove driver atapi.sys. Your computer wouldn't boot anymore. Okay the next fix:

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Link to post
Share on other sites

ComboFix 11-03-21.01 - Landon Bryan 21/03/2011 21:48:12.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.405 [GMT -4:00]

Running from: c:\documents and settings\Landon Bryan\Desktop\ComboFix.exe

AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\Install.exe

c:\program files\filesubmit

c:\program files\filesubmit\unff7thm.zip\atoolbar400134.exe

C:\Redemption.ECF

C:\xcrashdump.dat

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_FCI

.

.

((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))

.

.

2011-03-22 00:44 . 2011-03-22 00:43 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-03-22 00:44 . 2011-03-22 00:43 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2011-03-22 00:44 . 2011-03-22 00:43 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-03-21 03:05 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-03-21 03:05 . 2011-02-23 14:04 40648 ----a-w- c:\windows\avastSS.scr

2011-03-21 03:04 . 2011-03-21 03:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-03-18 16:46 . 2011-02-11 06:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{7E583B0E-7D71-470C-B17D-29397A612F23}\mpengine.dll

2011-03-13 21:48 . 2011-03-13 21:48 -------- d-----w- c:\documents and settings\Landon Bryan\Local Settings\Application Data\Namco

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-23 14:04 . 2010-06-14 14:39 190016 ----a-w- c:\windows\system32\aswBoot.exe

2011-02-23 13:56 . 2010-06-14 14:40 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-02-23 13:55 . 2010-06-14 14:40 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-02-23 13:55 . 2010-06-14 14:40 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-02-23 13:55 . 2010-06-14 14:40 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-02-23 13:55 . 2010-06-14 14:40 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-02-23 13:54 . 2010-06-14 14:40 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-02-23 13:54 . 2010-06-14 14:40 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-02-11 06:54 . 2007-05-13 19:26 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2011-02-09 13:53 . 2004-08-10 17:51 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-10 17:51 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 22:11 . 2009-10-03 06:36 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-02-02 07:58 . 2004-08-10 18:01 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2004-08-10 18:01 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2004-08-10 17:51 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-08-10 17:50 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-08-10 17:51 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-08 185896]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

c:\documents and settings\Landon Bryan\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk

backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Landon Bryan^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Landon Bryan\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Landon Bryan^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]

path=c:\documents and settings\Landon Bryan\Start Menu\Programs\Startup\Logitech . Product Registration.lnk

backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2005-06-07 03:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-12-14 22:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

2006-02-09 22:34 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]

2005-03-29 15:41 1245184 ----a-w- c:\program files\D-Link\AirPlus G\AirGCFG.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTransferAgent]

2007-11-13 21:46 135168 ----a-w- c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]

2006-10-28 02:34 65536 ----a-w- c:\program files\Photo Toolkit\IvBar\phototoolkitmem.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

2005-10-15 01:46 77824 ----a-w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2005-10-15 01:50 114688 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

2005-10-15 01:49 94208 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]

2006-10-13 21:01 277296 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]

2010-12-06 13:31 1910152 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]

2007-03-23 17:20 227328 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

2008-06-08 00:32 214560 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2010-05-13 20:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-12-22 05:43 1242448 ----a-w- c:\program files\Steam\Steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2008-06-08 00:32 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

2008-11-08 22:34 1233800 ----a-w- c:\program files\Trojan Remover\Trjscan.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]

2008-08-13 22:06 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]

2006-10-13 21:04 707376 ----a-w- c:\windows\vVX3000.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XoftSpySE]

2010-09-29 18:43 4861720 ----a-w- c:\program files\XoftSpySE6\XoftSpySE.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"CCALib8"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"AOL ACS"=2 (0x2)

"MSCamSvc"=2 (0x2)

"Hamachi2Svc"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\puzzle quest\\Puzzle Quest.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\puzzlequest2\\PuzzleQuest2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\magicka\\Magicka.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15047:TCP"= 15047:TCP:*:Disabled:BitComet 15047 TCP

"15047:UDP"= 15047:UDP:*:Disabled:BitComet 15047 UDP

"3724:TCP"= 3724:TCP:blizzard

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [20/03/2011 11:05 PM 371544]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [14/06/2010 10:40 AM 301528]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [14/06/2010 10:40 AM 19544]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [18/02/2011 7:12 PM 10384]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [01/05/2009 1:34 AM 24652]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 6:19 PM 13592]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]

S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [29/09/2010 2:43 PM 582424]

S4 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [06/12/2010 9:31 AM 1238408]

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-22 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

.

2010-10-14 c:\windows\Tasks\ParetoLogic Update Version3.job

- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2010-09-29 18:43]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.accoona.com/search?q=%s

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: amaena.com

Trusted Zone: avsystemcare.com

Trusted Zone: imageshack.us\toolbar

Trusted Zone: onerateld.com

Trusted Zone: safetydownload.com

Trusted Zone: trustedantivirus.com

Trusted Zone: virusschlacht.com

Trusted Zone: amaena.com

Trusted Zone: avsystemcare.com

Trusted Zone: onerateld.com

Trusted Zone: safetydownload.com

Trusted Zone: trustedantivirus.com

Trusted Zone: virusschlacht.com

FF - ProfilePath - c:\documents and settings\Landon Bryan\Application Data\Mozilla\Firefox\Profiles\gcq3rxzn.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - AIM Search

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: AIM Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: ActiveGS: activegs@freetoolsassociation.com - %profile%\extensions\activegs@freetoolsassociation.com

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: Veoh Browser Plug-in: videofinder@veoh.com - c:\program files\Veoh Networks\Veoh\Plugins\noreg\VideoFinder4

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-cttffdpm - c:\docume~1\LANDON~1\LOCALS~1\Temp\rguuwrfon\okkwoltyhsn.exe

MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe

MSConfigStartUp-Livestation - c:\program files\Livestation\Livestation.exe

MSConfigStartUp-Sony Ericsson PC Suite - c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe

MSConfigStartUp-XboxStat - c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

AddRemove-{E1E502E2-C006-49DB-9C0C-F2196E51826F}_is1 - c:\documents and settings\Landon Bryan\Desktop\MustBeRandomlyNamed\unins000.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-21 22:03

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4004002206-3661569763-1099999999-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(668)

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

.

- - - - - - - > 'explorer.exe'(3432)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll

c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Logishrd\Bluetooth\LBTServ.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\wscntfy.exe

c:\windows\stsystra.exe

c:\program files\Logitech\SetPoint\LBTWiz.exe

.

**************************************************************************

.

Completion time: 2011-03-21 22:10:30 - machine was rebooted

ComboFix-quarantined-files.txt 2011-03-22 02:10

.

Pre-Run: 116,497,444,864 bytes free

Post-Run: 116,824,174,592 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 89F05925EF4CD3493EDCB00DA7D1D355

Link to post
Share on other sites

Smile we are getting closer. Good job you done there!

Run CFScript

  • Close any open browsers.
  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

KILLALL::
DDS::
uInternet Settings,ProxyOverride = <local>
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: imageshack.us\toolbar
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

ComboFix 11-03-21.01 - Landon Bryan 21/03/2011 23:15:00.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.545 [GMT -4:00]

Running from: c:\documents and settings\Landon Bryan\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Landon Bryan\Desktop\CFScript.txt

AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))

.

.

2011-03-22 00:44 . 2011-03-22 00:43 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-03-22 00:44 . 2011-03-22 00:43 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2011-03-22 00:44 . 2011-03-22 00:43 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-03-21 03:05 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-03-21 03:05 . 2011-02-23 14:04 40648 ----a-w- c:\windows\avastSS.scr

2011-03-21 03:04 . 2011-03-21 03:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-03-18 16:46 . 2011-02-11 06:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{7E583B0E-7D71-470C-B17D-29397A612F23}\mpengine.dll

2011-03-13 21:48 . 2011-03-13 21:48 -------- d-----w- c:\documents and settings\Landon Bryan\Local Settings\Application Data\Namco

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-23 14:04 . 2010-06-14 14:39 190016 ----a-w- c:\windows\system32\aswBoot.exe

2011-02-23 13:56 . 2010-06-14 14:40 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-02-23 13:55 . 2010-06-14 14:40 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-02-23 13:55 . 2010-06-14 14:40 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-02-23 13:55 . 2010-06-14 14:40 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-02-23 13:55 . 2010-06-14 14:40 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-02-23 13:54 . 2010-06-14 14:40 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-02-23 13:54 . 2010-06-14 14:40 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-02-11 06:54 . 2007-05-13 19:26 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2011-02-09 13:53 . 2004-08-10 17:51 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-10 17:51 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 22:11 . 2009-10-03 06:36 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-02-02 07:58 . 2004-08-10 18:01 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2004-08-10 18:01 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2004-08-10 17:51 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-08-10 17:50 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-08-10 17:51 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-08 185896]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

c:\documents and settings\Landon Bryan\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk

backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Landon Bryan^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Landon Bryan\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Landon Bryan^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]

path=c:\documents and settings\Landon Bryan\Start Menu\Programs\Startup\Logitech . Product Registration.lnk

backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2005-06-07 03:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-12-14 22:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

2006-02-09 22:34 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]

2005-03-29 15:41 1245184 ----a-w- c:\program files\D-Link\AirPlus G\AirGCFG.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTransferAgent]

2007-11-13 21:46 135168 ----a-w- c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]

2006-10-28 02:34 65536 ----a-w- c:\program files\Photo Toolkit\IvBar\phototoolkitmem.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

2005-10-15 01:46 77824 ----a-w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2005-10-15 01:50 114688 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

2005-10-15 01:49 94208 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]

2006-10-13 21:01 277296 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]

2010-12-06 13:31 1910152 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]

2007-03-23 17:20 227328 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

2008-06-08 00:32 214560 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2010-05-13 20:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-12-22 05:43 1242448 ----a-w- c:\program files\Steam\Steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2008-06-08 00:32 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

2008-11-08 22:34 1233800 ----a-w- c:\program files\Trojan Remover\Trjscan.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]

2008-08-13 22:06 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]

2006-10-13 21:04 707376 ----a-w- c:\windows\vVX3000.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XoftSpySE]

2010-09-29 18:43 4861720 ----a-w- c:\program files\XoftSpySE6\XoftSpySE.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"CCALib8"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"AOL ACS"=2 (0x2)

"MSCamSvc"=2 (0x2)

"Hamachi2Svc"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\puzzle quest\\Puzzle Quest.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\puzzlequest2\\PuzzleQuest2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\magicka\\Magicka.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15047:TCP"= 15047:TCP:*:Disabled:BitComet 15047 TCP

"15047:UDP"= 15047:UDP:*:Disabled:BitComet 15047 UDP

"3724:TCP"= 3724:TCP:blizzard

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [20/03/2011 11:05 PM 371544]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [14/06/2010 10:40 AM 301528]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [14/06/2010 10:40 AM 19544]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [18/02/2011 7:12 PM 10384]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [01/05/2009 1:34 AM 24652]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 6:19 PM 13592]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]

S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [29/09/2010 2:43 PM 582424]

S4 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [06/12/2010 9:31 AM 1238408]

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-22 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

.

2010-10-14 c:\windows\Tasks\ParetoLogic Update Version3.job

- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2010-09-29 18:43]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.accoona.com/search?q=%s

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Landon Bryan\Application Data\Mozilla\Firefox\Profiles\gcq3rxzn.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - AIM Search

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: AIM Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: ActiveGS: activegs@freetoolsassociation.com - %profile%\extensions\activegs@freetoolsassociation.com

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: Veoh Browser Plug-in: videofinder@veoh.com - c:\program files\Veoh Networks\Veoh\Plugins\noreg\VideoFinder4

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-21 23:31

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4004002206-3661569763-1099999999-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(664)

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

.

- - - - - - - > 'explorer.exe'(2240)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll

c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Logishrd\Bluetooth\LBTServ.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\wscntfy.exe

c:\windows\stsystra.exe

c:\program files\Logitech\SetPoint\LBTWiz.exe

.

**************************************************************************

.

Completion time: 2011-03-21 23:38:56 - machine was rebooted

ComboFix-quarantined-files.txt 2011-03-22 03:38

ComboFix2.txt 2011-03-22 02:10

.

Pre-Run: 116,821,016,576 bytes free

Post-Run: 116,797,579,264 bytes free

.

- - End Of File - - A90FDC99EF529AC6F2AC52E0313B89EB

Link to post
Share on other sites

It seems to be in working order! I haven't experienced any of the problems I was for the past few days.

Thank you so much Kenny! I very much appreciate your time and effort to help me with this. =)

Was the problem mostly due to out dated stuff?

Link to post
Share on other sites

Yes old java and LimeWire was no help. You should remove it as well, but this us to you..... :)

Secunia software inspector & update checker

is what I use. Let's run this last scan to make sure all is gone.

Please run this online scan to help look for remnants.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

[*]Now click on: EOLS3.gif

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on: EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Link to post
Share on other sites

C:\Documents and Settings\Landon Bryan\Desktop\FOLDER OF FOLDERS\Echo\If she want's to dance dance dance\Flobots-Happy Together.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan

C:\Documents and Settings\Landon Bryan\Desktop\FOLDER OF FOLDERS\Phoenix Downs\XPMedic_Setup.exe Win32/Adware.XPMedic application

C:\Documents and Settings\Landon Bryan\Desktop\FOLDER OF FOLDERS\Phoenix Downs\XPMedic_Setup.zip Win32/Adware.XPMedic application

C:\Documents and Settings\Landon Bryan\Shared\andrew wk long live the party.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan

Is this it? I think I messed up somewhere. I went to C:\Program Files\ESET\EsetOnlineScanner, however, there was no log. Just OnlineScannerUninstaller.exe, OnlineScannerApp.exe, and OnlineScanner.ocx (which I tried to open in notepad incase that's what you meant, but it was just a giant bunch of wingdings text).

Link to post
Share on other sites

I would remove these:

C:\Documents and Settings\Landon Bryan\Desktop\FOLDER OF FOLDERS\Echo\If she want's to dance dance dance\Flobots-Happy Together.mp3

C:\Documents and Settings\Landon Bryan\Desktop\FOLDER OF FOLDERS\Phoenix Downs\XPMedic_Setup.exe

C:\Documents and Settings\Landon Bryan\Desktop\FOLDER OF FOLDERS\Phoenix Downs\XPMedic_Setup.zip

C:\Documents and Settings\Landon Bryan\Shared\andrew wk long live the party.mp3

Your Computer is Clean

mr-clean.gif

Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
    CF_Uninstall-1.jpg
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial for Spywareblaster can be found here.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Auslogics Disc Defrag or JKDefrag - Two good disc defragmenters for you to choose from to help speed up your computer.

Visit My Blog for Malware and Spyware Tips

6567E80CC55576485246E130E48A9FA8.png

Link to post
Share on other sites

  • 3 weeks later...

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.