
Guest name cool

Rootkits cause damage to systems, and the problem is that protection programs of all types are fundamentally unable to detect a rootkit, which may enable hackers to know what is taking place on the system.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:48:57 PM, on 3/19/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hotspot Shield\bin\openvpnas.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\Program Files\Hotspot Shield\bin\hsswd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Hotspot Shield\bin\openvpntray.exe

C:\Documents and Settings\ANYUSER\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: ????? ????? ?????? ??? Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O9 - Extra button: ????? ??? ?? ??????? - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &????? ??? ?? Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1300364236765

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe

O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE

O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files\Hotspot Shield\bin\hsswd.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--

End of file - 5750 bytes


  • Root Admin

I'm sorry, but you've already been warned not to infect your box for testing and to use a virtual computer if you want to test.

We cannot continue to use resources when you've not followed directions. Please backup your data and rebuild your computer from scratch to include FDISK, FORMAT and install Windows. Then restore your data and install a virtual system if you want to test malware.


  • Root Admin

Okay, run the following then and post back the log.

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in case your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.


  • Root Admin

STEP 01

Please download the following scanning tool.
GMER

  • Download the randomly named EXE and copy the file to your Desktop. Remember what its name is.

  • Double click on the randomly named exe file and run it.

  • It may take a minute to load and become available.

  • Uncheck Sections, IAT/EAT, and Show All, and only select your C: drive (unless you've installed to another drive).

  • Click on the SCAN button and DO NOT use the computer while it's scanning.

  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG.

  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.

  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.

  • Click OK and quit the GMER program.

STEP 02

RootRepeal - Rootkit Detector

    Close ALL applications and as many items in the task tray as will stop and exit.

  • Please download the following tool: RootRepeal - Rootkit Detector

  • Direct download link is here: RootRepeal.rar

  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR

  • Extract the program file to a new folder such as C:\RootRepeal

  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.

  • Select ALL of the checkboxes and then click OK and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.

  • When done, click on Save Report.

  • Save it to the same location where you ran it from, such as C:\RootRepeal

  • Save it as rootrepeal.txt

  • Then open that log and select all and copy/paste it back on your next reply please.

  • Quit the RootRepeal program.

STEP 03

    Please create a BOOTLOG
  • Delete the following file if it exists: C:\Windows\ntbtlog.txt

  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.

  • Select the "Enable Boot Logging" option and press Enter.

  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).

  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows

Guest name cool

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2011/03/25 05:45

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: catchme.sys

Image Path: C:\DOCUME~1\ANYUSER\LOCALS~1\Temp\catchme.sys

Address: 0xF87E1000 Size: 31744 File Visible: No Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xAA2F9000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF8A7B000 Size: 8192 File Visible: No Signed: -

Status: -

Name: PROCEXP113.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Address: 0xF8A8B000 Size: 7872 File Visible: No Signed: -

Status: -

Name: pxtdqpow.sys

Image Path: C:\DOCUME~1\ANYUSER\LOCALS~1\Temp\pxtdqpow.sys

Address: 0xA94E1000 Size: 100480 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA99CE000 Size: 49152 File Visible: No Signed: -

Status: -

==EOF==

Service Pack 3 3 25 2011 05:54:42.500

Loaded driver \WINDOWS\system32\TUKERNEL.EXE

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver compbatt.sys

Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS

Loaded driver pciide.sys

Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Loaded driver pcmcia.sys

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver ACPIEC.sys

Loaded driver \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Loaded driver fltmgr.sys

Loaded driver sr.sys

Loaded driver KSecDD.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver Mup.sys

Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\system32\DRIVERS\igxpmp32.sys

Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys

Loaded driver \SystemRoot\system32\DRIVERS\bcmwl5.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\e100b325.sys

Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\system32\DRIVERS\cpqbttn.sys

Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys

Loaded driver \SystemRoot\system32\DRIVERS\wmiacpi.sys

Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\system32\DRIVERS\HssDrv.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\system32\DRIVERS\psched.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\system32\DRIVERS\taphss.sys

Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\update.sys

Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\drivers\CHDAud.sys

Loaded driver \SystemRoot\system32\DRIVERS\HSFHWAZL.sys

Loaded driver \SystemRoot\system32\DRIVERS\HSF_DPV.sys

Loaded driver \SystemRoot\system32\DRIVERS\HSF_CNXT.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Did not load driver

Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \??\C:\WINDOWS\system32\drivers\mbam.sys

Loaded driver \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys

Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Did not load driver \SystemRoot\System32\Drivers\Parport.SYS

Did not load driver \SystemRoot\System32\Drivers\Serial.SYS

Loaded driver \SystemRoot\system32\DRIVERS\srv.sys

Loaded driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys

Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \??\C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Vino's Event Viewer v01c run on Windows XP in English

Report run at 25/03/2011 6:12:50 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'Application' Log - error Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'Application' Date/Time: 24/03/2011 5:19:09 PM

Type: error Category: 0

Event: 1000 Source: Application Error

Faulting application iexplore.exe, version 8.0.6001.18702, faulting module jvm.dll, version 19.1.0.2, fault address 0x000c87b2.

Log: 'Application' Date/Time: 22/03/2011 4:01:12 PM

Type: error Category: 0

Event: 5000 Source: .NET Runtime 2.0 Error Reporting

EventType clr20r3, P1 updatechecker[1].exe, P2 1.38.0.0, P3 4c5ff8fb, P4 updatechecker, P5 1.38.0.0, P6 4c5ff8fb, P7 e6, P8 d, P9 system.typeinitialization, P10 NIL.

Log: 'Application' Date/Time: 21/03/2011 11:48:52 PM

Type: error Category: 101

Event: 1002 Source: Application Hang

Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 21/03/2011 9:16:07 PM

Type: error Category: 0

Event: 10103 Source: HotspotShieldService

The event description cannot be found.

Log: 'Application' Date/Time: 21/03/2011 9:16:07 PM

Type: error Category: 0

Event: 10103 Source: HotspotShieldService

The event description cannot be found.

Log: 'Application' Date/Time: 21/03/2011 9:16:06 PM

Type: error Category: 0

Event: 10103 Source: HotspotShieldService

The event description cannot be found.

Log: 'Application' Date/Time: 21/03/2011 9:16:06 PM

Type: error Category: 0

Event: 10103 Source: HotspotShieldService

The event description cannot be found.

Log: 'Application' Date/Time: 21/03/2011 9:16:06 PM

Type: error Category: 0

Event: 10103 Source: HotspotShieldService

The event description cannot be found.

Log: 'Application' Date/Time: 21/03/2011 9:16:06 PM

Type: error Category: 0

Event: 10103 Source: HotspotShieldService

The event description cannot be found.

Log: 'Application' Date/Time: 20/03/2011 8:21:04 PM

Type: error Category: 101

Event: 1002 Source: Application Hang

Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 19/03/2011 10:44:51 AM

Type: error Category: 101

Event: 1002 Source: Application Hang

Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 19/03/2011 10:44:51 AM

Type: error Category: 101

Event: 1002 Source: Application Hang

Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 19/03/2011 10:44:51 AM

Type: error Category: 101

Event: 1002 Source: Application Hang

Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 19/03/2011 7:08:29 AM

Type: error Category: 0

Event: 10103 Source: HotspotShieldService

The event description cannot be found.

Log: 'Application' Date/Time: 19/03/2011 7:08:29 AM

Type: error Category: 0

Event: 10103 Source: HotspotShieldService

The event description cannot be found.

Log: 'Application' Date/Time: 19/03/2011 7:08:29 AM

Type: error Category: 0

Event: 10103 Source: HotspotShieldService

The event description cannot be found.

Log: 'Application' Date/Time: 19/03/2011 7:08:28 AM

Type: error Category: 0

Event: 10103 Source: HotspotShieldService

The event description cannot be found.

Log: 'Application' Date/Time: 19/03/2011 7:08:28 AM

Type: error Category: 0

Event: 10103 Source: HotspotShieldService

The event description cannot be found.

Log: 'Application' Date/Time: 17/03/2011 12:05:57 AM

Type: error Category: 0

Event: 1000 Source: Application Error

Faulting application javasetup6u24.exe, version 6.0.240.71, faulting module javasetup6u24.exe, version 6.0.240.71, fault address 0x001b2788.

Log: 'Application' Date/Time: 17/03/2011 12:05:05 AM

Type: error Category: 0

Event: 1000 Source: Application Error

Faulting application javasetup6u24.exe, version 6.0.240.71, faulting module javasetup6u24.exe, version 6.0.240.71, fault address 0x001b2788.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'System' Log - error Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'System' Date/Time: 25/03/2011 3:55:29 AM

Type: error Category: 0

Event: 1 Source: sr

The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

Log: 'System' Date/Time: 24/03/2011 10:34:07 PM

Type: error Category: 0

Event: 1002 Source: Dhcp

The IP address lease 10.72.40.52 for the Network Card with network address 00FF5CB840CA has been denied by the DHCP server 10.72.71.254 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 24/03/2011 6:33:42 PM

Type: error Category: 0

Event: 1002 Source: Dhcp

The IP address lease 10.72.80.48 for the Network Card with network address 00FF5CB840CA has been denied by the DHCP server 10.72.47.254 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 19/03/2011 2:20:33 PM

Type: error Category: 0

Event: 1 Source: sr

The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

Log: 'System' Date/Time: 19/03/2011 10:48:26 AM

Type: error Category: 0

Event: 1002 Source: Dhcp

The IP address lease 10.61.80.24 for the Network Card with network address 00FF5CB840CA has been denied by the DHCP server 10.84.39.254 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 19/03/2011 9:25:34 AM

Type: error Category: 0

Event: 1002 Source: Dhcp

The IP address lease 10.68.72.44 for the Network Card with network address 00FF5CB840CA has been denied by the DHCP server 10.61.87.254 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 19/03/2011 7:08:37 AM

Type: error Category: 0

Event: 1002 Source: Dhcp

The IP address lease 10.33.24.41 for the Network Card with network address 00FF5CB840CA has been denied by the DHCP server 10.68.79.254 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 18/03/2011 10:19:04 PM

Type: error Category: 0

Event: 1002 Source: Dhcp

The IP address lease 10.68.40.29 for the Network Card with network address 00FF5CB840CA has been denied by the DHCP server 10.33.31.254 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 18/03/2011 10:18:03 PM

Type: error Category: 0

Event: 7034 Source: Service Control Manager

The Hotspot Shield Routing Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 17/03/2011 5:40:17 PM

Type: error Category: 0

Event: 1 Source: sr

The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

SIGVERIF.zip

gmerlog.zip.zip

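The two logs requested in STEP 02 and STEP 03 above (the RootRepeal driver report and ntbtlog.txt) answer different questions, and the useful check is to read them together: RootRepeal says which drivers are in kernel memory and whether their file is visible on disk, the boot log says which drivers Windows itself recorded loading. The script below is an added example, written for this thread and not part of any post or of the tools discussed. Its sample input is constructed from (and abbreviated to) the report lines posted above; the `File Visible: -` value on the ordinary `atapi.sys` entry is my assumption about how RootRepeal prints a normal driver. The allow-list is also an assumption: `catchme.sys` is ComboFix's own rootkit scanner (the ComboFix log later in the thread names it), `rootrepeal.sys` belongs to RootRepeal, `PROCEXP###.SYS` is Sysinternals Process Explorer's driver, and `dump_*.sys` are the kernel's in-memory crash-dump copies of the boot disk stack, which never exist as files. Allow-listing by name is weak evidence that a rootkit could mimic, so those entries come back as `expected`, not `clean`, with their path printed for a hash check.

```python
"""Triage a RootRepeal 'Drivers' report against an ntbtlog.txt boot log.

Flags loaded kernel drivers that have no visible on-disk file, live in a
user-writable directory, or were never recorded by the Windows boot logger.
Scanner/tool drivers are allow-listed BY NAME ONLY, so they are 'expected'.
"""
import re
from dataclasses import dataclass

# Constructed sample, abbreviated from the RootRepeal report format above.
# 'File Visible: -' on the last entry is an ASSUMED rendering of a normal driver.
ROOTREPEAL_SAMPLE = r"""
Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\ANYUSER\LOCALS~1\Temp\catchme.sys
Address: 0xF87E1000 Size: 31744 File Visible: No Signed: -
Status: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA2F9000 Size: 98304 File Visible: No Signed: -
Status: -
Name: pxtdqpow.sys
Image Path: C:\DOCUME~1\ANYUSER\LOCALS~1\Temp\pxtdqpow.sys
Address: 0xA94E1000 Size: 100480 File Visible: No Signed: -
Status: -
Name: atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\atapi.sys
Address: 0xF85A0000 Size: 96512 File Visible: - Signed: -
Status: -
==EOF==
"""

# Constructed sample in the ntbtlog.txt format above.
NTBTLOG_SAMPLE = r"""
Service Pack 3 3 25 2011 05:54:42.500
Loaded driver \WINDOWS\system32\TUKERNEL.EXE
Loaded driver atapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
"""

ENTRY_RE = re.compile(
    r"Name:\s*(?P<name>\S+)\s*\n"
    r"Image Path:\s*(?P<path>.+?)\s*\n"
    r"Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)\s+"
    r"File Visible:\s*(?P<vis>\S+)\s+Signed:\s*(?P<signed>\S+)"
)
BOOTLOG_RE = re.compile(r"^(?P<verb>Loaded driver|Did not load driver)\s*(?P<path>.*)$", re.M)
# Directories an unprivileged user can write to; a kernel driver has no business there.
USER_WRITABLE = re.compile(
    r"\\(temp|locals~1|local settings|temporary internet files|documents and settings|appdata|users)\\",
    re.I,
)
# ASSUMED allow-list: scanner drivers, Process Explorer's PROCEXP###.SYS, crash-dump copies.
KNOWN_TOOL_DRIVERS = {"catchme.sys", "rootrepeal.sys"}
TOOL_PATTERNS = re.compile(r"^(procexp\d+\.sys|dump_.+)$", re.I)


@dataclass
class Driver:
    name: str
    image_path: str
    file_visible: bool
    signed: str


def parse_rootrepeal_drivers(text):
    """One Driver per 'Name:/Image Path:/Address:' block."""
    return [Driver(m["name"], m["path"], m["vis"].lower() != "no", m["signed"])
            for m in ENTRY_RE.finditer(text)]


def parse_ntbtlog(text):
    """Return (loaded, failed) sets of lower-cased driver base names."""
    loaded, failed = set(), set()
    for m in BOOTLOG_RE.finditer(text):
        base = m["path"].strip().rsplit("\\", 1)[-1].lower()
        if base:  # ntbtlog sometimes emits 'Did not load driver' with no name at all
            (loaded if m["verb"] == "Loaded driver" else failed).add(base)
    return loaded, failed


def triage(drivers, loaded, failed):
    """Return [(name, verdict, reasons)]; verdict is 'expected', 'ok' or 'verify'."""
    results = []
    for d in drivers:
        base = d.name.lower()
        if base in KNOWN_TOOL_DRIVERS or TOOL_PATTERNS.match(base):
            results.append((d.name, "expected", [f"known tool/dump driver at {d.image_path}"]))
            continue
        reasons = []
        if not d.file_visible:
            reasons.append("no visible on-disk file")
        if USER_WRITABLE.search(d.image_path):
            reasons.append("loaded from user-writable path")
        if base in failed:
            reasons.append("boot logger recorded a load failure")
        elif base not in loaded:
            reasons.append("absent from ntbtlog (loaded after boot, or hidden from the boot logger)")
        results.append((d.name, "verify" if reasons else "ok", reasons))
    return results


if __name__ == "__main__":
    ok, bad = parse_ntbtlog(NTBTLOG_SAMPLE)
    for name, verdict, why in triage(parse_rootrepeal_drivers(ROOTREPEAL_SAMPLE), ok, bad):
        print(f"{verdict:8} {name:16} {'; '.join(why)}")
```

On the sample, `pxtdqpow.sys` is the only entry left to `verify`: a randomly named driver in a profile Temp directory with no visible file and no boot-log record. That is exactly the profile a tool-dropped scanner driver has too, which is why the script reports facts and a priority rather than a "rootkit" verdict; confirming or clearing it means checking which process created the file and hashing it, not reading the name.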

  • Root Admin

The current logs do not show or indicate any type of rootkit being active on the system.

I see where you may potentially have some hard drive errors so please run the following to correct those.

STEP 01

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

TuneUp Utilities 2011

Though this program is legitimate and is not malware, it is also known to cause issues for many users. Unless you really think you need it, you may want to consider removing this program from your computer, but again, that's up to you.

After running the CHKDSK and rebooting please run the following.

STEP 02

Please download the Microsoft Genuine Advantage Diagnostic Tool

Double-click to run it and press the CONTINUE button and allow the program to check your system. When completed, click the COPY button and post back the results.


Guest name cool

Rootkits showed up again. Every time I run ComboFix, it cannot scan the first time; once the ComboFix operation starts, a message comes up telling me ComboFix has detected a rootkit.

It then tells me to press OK to reboot, and then the ComboFix scan begins again until the scan completes, without any removal of this infection; it is unable to locate the infection. These infections do not show up in the log.

ComboFix 11-03-24.06 - ANYUSER 03/25/2011 23:00:24.6.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.304 [GMT 3:00]

Running from: c:\documents and settings\ANYUSER\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-02-25 to 2011-03-25 )))))))))))))))))))))))))))))))

.

.

2011-03-18 10:20 . 2011-03-25 14:51 -------- d-----w- C:\FU_Backup

2011-03-17 12:32 . 2011-03-17 12:32 -------- d-----w- C:\92551cd91d502ed7fcb458

2011-03-17 07:14 . 2011-03-17 07:15 -------- d-----w- C:\Hotspot Shield

2011-03-17 04:52 . 2011-03-16 21:29 -------- d-----w- C:\SWSetup

2011-03-17 04:51 . 2011-03-17 04:51 -------- d-----w- C:\Intel

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2004-08-03 21:56 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-03 21:56 186880 ----a-w- c:\windows\system32\encdec.dll

2011-01-21 14:44 . 2004-08-03 21:56 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-08-03 21:56 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-08-03 20:17 1854976 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((( SnapShot_2011-03-25_01.11.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-03-25 19:59 . 2011-03-25 19:59 16384 c:\windows\Temp\Perflib_Perfdata_368.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities 2011\WinStyler\tu_logonui.exe"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Ares\\Ares.exe"=

.

R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/17/2011 2:42 PM 363344]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [3/4/2011 7:30 PM 1523008]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/17/2011 2:42 PM 20952]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [10/7/2010 1:34 PM 10064]

S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\ANYUSER\Local Settings\Temporary Internet Files\Content.IE5\I2HN2ULH\SASKUTIL.SYS --> c:\documents and settings\ANYUSER\Local Settings\Temporary Internet Files\Content.IE5\I2HN2ULH\SASKUTIL.SYS [?]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-25 c:\windows\Tasks\User_Feed_Synchronization-{346D76C5-8E54-4CBC-9BEF-63C9255A4439}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Crawler Search - tbr:iemenu

FF - ProfilePath - c:\documents and settings\ANYUSER\Application Data\Mozilla\Firefox\Profiles\malvqzn4.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.bigseekpro.com/aresdestiny/{72D01AD4-B75B-4BC4-A194-896511A26AEF}

FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/aresdestiny/{72D01AD4-B75B-4BC4-A194-896511A26AEF}?q=

FF - Ext: afurladvisor: afurladvisor@anchorfree.com - c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Facemoods: ffxtlbr@Facemoods.com - %profile%\extensions\ffxtlbr@Facemoods.com

FF - Ext: Billeo: {4be68a18-deba-49e0-9e09-ee7796f3b62a} - %profile%\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}

FF - Ext: FileBulldogToolbar: {75656794-AB59-4712-BFBC-5D816D56F3BC} - %profile%\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Crawler Toolbar: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - c:\program files\Crawler\Toolbar\firefox

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-25 23:07

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-03-25 23:09:37

ComboFix-quarantined-files.txt 2011-03-25 20:09

ComboFix2.txt 2011-03-25 01:13

ComboFix3.txt 2011-03-22 12:13

ComboFix4.txt 2011-03-20 12:23

ComboFix5.txt 2011-03-25 19:53

.

Pre-Run: 33,141,583,872 bytes free

Post-Run: 33,320,546,304 bytes free

.

- - End Of File - - 9D8503B0965D35C149EC62CBE9F1636D


  • Root Admin

Well, the only thing I see that is odd is the SABKUTIL.SYS driver running from your IE cache, which it should not be.

Please start a DOS prompt and type or copy/paste the following, then press the Enter key.

SC DELETE SABKUTIL

It should say successful; if it does, then reboot your computer, run ComboFix again please, and post back the new log.


Guest name cool

:) Other things, along with the rootkit.

First, the rootkit is still present, as follows: ComboFix has detected the presence of rootkit activity and needs to reboot the machine.

Secondly, I have submitted these samples to the research center, but they have not been added to the database; it turned out later that they are malware programs. Those working there believed they were in the right and that we were completely wrong, and will certainly say "this is legitimate", although it does not have anything enough, and so with VirusTotal. This software is, of course, infected.

These are some links.

https://support.mozilla.com/en-US/questions/775941

http://www.siteadvisor.ca/sites/bigseekpro.com/postid?p=7303182

Thirdly, the browsers have been hijacked (Internet Explorer and Firefox).

Fourthly, I have a problem that will be postponed to a later date, after these problems are fixed.

ComboFix 11-03-25.01 - ANYUSER 03/26/2011 12:30:59.7.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.307 [GMT 3:00]

Running from: c:\documents and settings\ANYUSER\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2011-02-26 to 2011-03-26 )))))))))))))))))))))))))))))))

.

.

2011-03-18 10:20 . 2011-03-25 14:51 -------- d-----w- C:\FU_Backup

2011-03-17 12:32 . 2011-03-17 12:32 -------- d-----w- C:\92551cd91d502ed7fcb458

2011-03-17 07:14 . 2011-03-17 07:15 -------- d-----w- C:\Hotspot Shield

2011-03-17 04:52 . 2011-03-16 21:29 -------- d-----w- C:\SWSetup

2011-03-17 04:51 . 2011-03-17 04:51 -------- d-----w- C:\Intel

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2004-08-03 21:56 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-03 21:56 186880 ----a-w- c:\windows\system32\encdec.dll

2011-01-21 14:44 . 2004-08-03 21:56 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-08-03 21:56 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-08-03 20:17 1854976 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((( SnapShot_2011-03-25_01.11.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-03-26 09:29 . 2011-03-26 09:29 16384 c:\windows\Temp\Perflib_Perfdata_3a0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities 2011\WinStyler\tu_logonui.exe"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Ares\\Ares.exe"=

.

R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [3/4/2011 7:30 PM 1523008]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/17/2011 2:42 PM 20952]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [10/7/2010 1:34 PM 10064]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/17/2011 2:42 PM 363344]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-26 c:\windows\Tasks\User_Feed_Synchronization-{346D76C5-8E54-4CBC-9BEF-63C9255A4439}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Crawler Search - tbr:iemenu

FF - ProfilePath - c:\documents and settings\ANYUSER\Application Data\Mozilla\Firefox\Profiles\malvqzn4.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.bigseekpro.com/aresdestiny/{72D01AD4-B75B-4BC4-A194-896511A26AEF}

FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/aresdestiny/{72D01AD4-B75B-4BC4-A194-896511A26AEF}?q=

FF - Ext: afurladvisor: afurladvisor@anchorfree.com - c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Facemoods: ffxtlbr@Facemoods.com - %profile%\extensions\ffxtlbr@Facemoods.com

FF - Ext: Billeo: {4be68a18-deba-49e0-9e09-ee7796f3b62a} - %profile%\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}

FF - Ext: FileBulldogToolbar: {75656794-AB59-4712-BFBC-5D816D56F3BC} - %profile%\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Crawler Toolbar: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - c:\program files\Crawler\Toolbar\firefox

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-26 12:37

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-03-26 12:39:10

ComboFix-quarantined-files.txt 2011-03-26 09:39

ComboFix2.txt 2011-03-25 20:09

ComboFix3.txt 2011-03-25 01:13

ComboFix4.txt 2011-03-22 12:13

ComboFix5.txt 2011-03-26 09:18

.

Pre-Run: 33,211,424,768 bytes free

Post-Run: 33,277,325,312 bytes free

.

- - End Of File - - E5C23FE06304C95BE2AEAF50FC997993

This log shows infection

ComboFix 11-03-21.02 - ANYUSER 03/22/2011 15:06:33.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.305 [GMT 3:00]

Running from: c:\documents and settings\ANYUSER\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\ANYUSER\Application Data\facemoods.com

c:\program files\facemoods.com

c:\program files\facemoods.com\facemoods\1.4.17.5\bh\facemoods.dll

c:\program files\facemoods.com\facemoods\1.4.17.5\facemoods.crx

c:\program files\facemoods.com\facemoods\1.4.17.5\facemoods.png

c:\program files\facemoods.com\facemoods\1.4.17.5\facemoodsApp.dll

c:\program files\facemoods.com\facemoods\1.4.17.5\facemoodsEng.dll

c:\program files\facemoods.com\facemoods\1.4.17.5\facemoodssrv.exe

c:\program files\facemoods.com\facemoods\1.4.17.5\facemoodsTlbr.dll

c:\program files\facemoods.com\facemoods\1.4.17.5\uninstall.exe

c:\program files\FileBulldog Toolbar\tbHElper.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))

.

.

2011-03-18 10:20 . 2011-03-21 22:55 -------- d-----w- C:\FU_Backup

2011-03-17 12:32 . 2011-03-17 12:32 -------- d-----w- C:\92551cd91d502ed7fcb458

2011-03-17 07:14 . 2011-03-17 07:15 -------- d-----w- C:\Hotspot Shield

2011-03-17 04:52 . 2011-03-16 21:29 -------- d-----w- C:\SWSetup

2011-03-17 04:51 . 2011-03-17 04:51 -------- d-----w- C:\Intel

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2004-08-03 21:56 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-03 21:56 186880 ----a-w- c:\windows\system32\encdec.dll

2011-01-21 14:44 . 2004-08-03 21:56 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-08-03 21:56 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-08-03 20:17 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2004-08-03 21:56 301568 ----a-w- c:\windows\system32\kerberos.dll

.

.

((((((((((((((((((((((((((((( SnapShot_2011-03-20_12.21.50 )))))))))))))))))))))))))))))))))))))))))

.

- 2011-03-20 12:12 . 2011-03-20 12:12 16384 c:\windows\Temp\Perflib_Perfdata_474.dat

+ 2011-03-22 12:05 . 2011-03-22 12:05 16384 c:\windows\Temp\Perflib_Perfdata_474.dat

+ 2011-03-20 14:32 . 2005-08-25 22:50 77312 c:\windows\system32\ztvunace26.dll

+ 2011-03-20 14:32 . 2006-06-19 10:01 69632 c:\windows\system32\ztvcabinet.dll

+ 2011-03-20 14:32 . 2002-03-05 22:00 75264 c:\windows\system32\unacev2.dll

+ 2001-08-23 12:00 . 2011-03-21 19:10 68062 c:\windows\system32\perfc009.dat

- 2001-08-23 12:00 . 2011-03-20 12:17 68062 c:\windows\system32\perfc009.dat

+ 2011-03-20 16:50 . 2005-07-20 11:23 24576 c:\windows\Slideshow Screensaver.scr

+ 2011-03-20 14:32 . 2006-05-25 12:52 162304 c:\windows\system32\ztvunrar36.dll

+ 2011-03-20 14:32 . 2003-02-02 17:06 153088 c:\windows\system32\UNRAR3.dll

- 2001-08-23 12:00 . 2011-03-20 12:17 433256 c:\windows\system32\perfh009.dat

+ 2001-08-23 12:00 . 2011-03-21 19:10 433256 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Ares\\Ares.exe"=

.

R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/17/2011 2:42 PM 20952]

S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\ANYUSER\Local Settings\Temporary Internet Files\Content.IE5\I2HN2ULH\SASKUTIL.SYS --> c:\documents and settings\ANYUSER\Local Settings\Temporary Internet Files\Content.IE5\I2HN2ULH\SASKUTIL.SYS [?]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/17/2011 2:42 PM 363344]

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-22 c:\windows\Tasks\User_Feed_Synchronization-{346D76C5-8E54-4CBC-9BEF-63C9255A4439}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.crawler.com/homepage.aspx?tbid=60045

IE: Crawler Search - tbr:iemenu

FF - ProfilePath - c:\documents and settings\ANYUSER\Application Data\Mozilla\Firefox\Profiles\malvqzn4.default\

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.5\uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-22 15:11

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-03-22 15:13:42

ComboFix-quarantined-files.txt 2011-03-22 12:13

ComboFix2.txt 2011-03-20 12:23

ComboFix3.txt 2011-03-19 10:44

ComboFix4.txt 2011-03-18 13:09

.

Pre-Run: 32,452,968,448 bytes free

Post-Run: 32,444,620,800 bytes free

.

- - End Of File - - 19E56C29672D79877C301D4ACAB7F632

This is a list of suspicious programs.

Crawler Toolbar

FileBulldog Toolbar

bigseekpro toolbar

Most of the infections were detected by ComboFix.


  • Root Admin

You either did not do as I asked or you did not respond with what it said.

Please click on START - RUN and type in CMD.EXE and click OK.

Then type in or copy/paste the following, press the Enter key, and let me know what it says. Reboot the computer afterwards.

SC DELETE SABKUTIL

I am taking you at your word that ComboFix says there is a rootkit, but I have never seen it say that and not log it unless the malware has stopped CF from running, which in your case is not true. Simply having redirects does not mean you have a rootkit. Many are simply dumb redirects caused by manipulation of JavaScript code in Mozilla browsers or in IE.

Please also run the following DDS scan and post back both logs.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt

  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

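The two checks the Root Admin makes by eye in this thread, a driver whose image path points into the IE cache (the SABKUTIL entry in the ComboFix logs above) and Firefox homepage/search prefs that have been redirected to bigseekpro.com, can be automated over a saved log. The script below is an added example written for this page; it is not code from the thread, from ComboFix or from DDS. It parses the service/driver lines and the FF prefs.js lines in the format those tools print. The sample lines are copied from the logs above; the list of untrusted directories and the allow-list of search hosts are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample made of lines in the ComboFix/DDS format used in this thread
# (the MBAMService, HssWd and SABKUTIL entries and the Firefox prefs are copied
# from the logs above).
SAMPLE_LOG = r"""
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/17/2011 2:42 PM 363344]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\ANYUSER\Local Settings\Temporary Internet Files\Content.IE5\I2HN2ULH\SASKUTIL.SYS --> c:\documents and settings\ANYUSER\Local Settings\Temporary Internet Files\Content.IE5\I2HN2ULH\SASKUTIL.SYS [?]
uStart Page = hxxp://www.google.com/
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.bigseekpro.com/aresdestiny/{72D01AD4-B75B-4BC4-A194-896511A26AEF}
FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/aresdestiny/{72D01AD4-B75B-4BC4-A194-896511A26AEF}?q=
"""

# ComboFix service/driver line: "<R|S><start type> <name>;<display name>;<image path> [<date size>|?]"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+)$")
META_RE = re.compile(r"\s\[([^\]]*)\]$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|sys|dll))(?=\s|$)", re.IGNORECASE)

# Directories a legitimate service or driver has no business loading from
# (assumption for this example, not a ComboFix rule).
UNTRUSTED_DIR_MARKERS = (
    "\\temporary internet files\\",   # IE cache, where SABKUTIL.SYS was pointed
    "\\content.ie5\\",
    "\\local settings\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
)

def parse_services(lines):
    """Turn ComboFix R*/S* lines into records with the resolved image path."""
    records = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start_type, name, display, rest = m.groups()
        meta = None
        mm = META_RE.search(rest)
        if mm:                      # "[?]" means ComboFix could not stat the file
            meta, rest = mm.group(1), rest[:mm.start()]
        # "a --> b" shows the registry ImagePath and what it resolves to; keep the latter
        target = rest.split("-->")[-1].strip()
        if target.startswith("\\??\\"):
            target = target[4:]     # NT object-manager prefix used in driver ImagePaths
        em = EXE_RE.match(target)   # drop command-line arguments after the binary
        path = em.group(1) if em else target
        records.append({"state": state, "start_type": start_type, "name": name,
                        "display": display, "path": path, "meta": meta})
    return records

def classify_service(rec):
    """Return (severity, reasons) for one parsed service/driver record."""
    low = rec["path"].lower()
    hit = next((mk for mk in UNTRUSTED_DIR_MARKERS if mk in low), None)
    reasons = []
    if hit:
        reasons.append("image path is under a user-writable cache/temp directory: " + hit.strip("\\"))
    if rec["meta"] == "?":
        reasons.append("ComboFix printed [?]: it could not read the file's date and size")
    if hit:
        kind = "kernel driver" if low.endswith(".sys") else "service"
        reasons.append(f"{kind} {rec['name']} would run code from there at start type {rec['start_type']}")
        return "high", reasons
    return ("info", reasons) if reasons else ("ok", reasons)

# Hosts the browser prefs may legitimately point at (assumption for this example).
ALLOWED_SEARCH_HOSTS = ("google.com", "bing.com", "live.com", "mozilla.com")
PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.+)$")
START_RE = re.compile(r"^[um]Start Page = (.+)$")
HIJACK_PREFS = {"browser.startup.homepage", "keyword.URL", "browser.search.defaulturl"}

def defanged_host(url):
    """ComboFix/DDS write hxxp:// so the URL is not clickable; restore the scheme only to parse it."""
    return (urlparse(re.sub(r"^hxxp", "http", url)).hostname or "").lower()

def flag_browser_hijacks(lines, allowed_hosts=ALLOWED_SEARCH_HOSTS):
    """List (pref, host) pairs whose target host is outside the allow-list."""
    hits = []
    for line in lines:
        m = PREF_RE.match(line.strip())
        if m and m.group(1) in HIJACK_PREFS:
            pref, url = m.groups()
        elif (m := START_RE.match(line.strip())):
            pref, url = "IE Start Page", m.group(1)
        else:
            continue
        host = defanged_host(url)
        if host and not any(host == h or host.endswith("." + h) for h in allowed_hosts):
            hits.append((pref, host))
    return hits

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in parse_services(lines):
        severity, reasons = classify_service(rec)
        print(f"{severity:4} {rec['name']:12} {rec['path']}")
        for r in reasons:
            print("       -", r)
    for pref, host in flag_browser_hijacks(lines):
        print(f"hijacked {pref} -> {host}")
```

To run it on a real log, read the saved ComboFix.txt and pass its `.splitlines()` to `parse_services` and `flag_browser_hijacks` instead of `SAMPLE_LOG`. Note that the HssWd entry only rates "info": the `[?]` there is because ComboFix could not stat a path that includes command-line arguments, which is why the untrusted-directory check, not the `[?]` alone, is what drives the "high" rating on SABKUTIL.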

Guest name cool

Already done it. This file has been removed,

and the rootkit also still exists.

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by ANYUSER at 2:23:27.90 on Sun 03/27/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.215 [GMT 3:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\ANYUSER\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = local

mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities 2011\winstyler\tu_logonui.exe

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} -

TB: Billeo: {6adb0f93-1aa5-4bcf-9df4-cea689a3c111} - c:\program files\billeo\billeo.dll

TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Easy-Hide-IP] c:\program files\easy-hide-ip\easy-hide-ip.exe

IE: Crawler Search - tbr:iemenu

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.bigseekpro.com/aresdestiny/{72D01AD4-B75B-4BC4-A194-896511A26AEF}

FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/aresdestiny/{72D01AD4-B75B-4BC4-A194-896511A26AEF}?q=

FF - component: c:\documents and settings\anyuser\application data\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\billeotoolbar.dll

FF - component: c:\documents and settings\anyuser\application data\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@facemoods.com\components\FFHst.dll

FF - component: c:\program files\crawler\toolbar\firefox\components\xcomm.dll

FF - component: c:\program files\crawler\toolbar\firefox\components\xshared.dll

FF - component: c:\program files\crawler\toolbar\firefox\components\xsupport.dll

FF - component: c:\program files\crawler\toolbar\firefox\components\xwsg.dll

FF - component: c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\ourbabymaker_27ei\installr\1.bin\NP27EISb.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Facemoods: ffxtlbr@Facemoods.com - %profile%\extensions\ffxtlbr@Facemoods.com

FF - Ext: Billeo: {4be68a18-deba-49e0-9e09-ee7796f3b62a} - %profile%\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}

FF - Ext: FileBulldogToolbar: {75656794-AB59-4712-BFBC-5D816D56F3BC} - %profile%\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Crawler Toolbar: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - c:\program files\crawler\toolbar\firefox

.

---- FIREFOX POLICIES ----

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

.

============= SERVICES / DRIVERS ===============

.

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2011-3-17 54760]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2011-3-4 1523008]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-10-7 10064]

.

=============== Created Last 30 ================

.

2011-03-26 23:02:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\hsswpr

2011-03-26 22:46:02 -------- d-----w- c:\program files\Easy-Hide-IP

2011-03-26 21:55:16 -------- d-----w- C:\Hotspot Shield

2011-03-26 17:58:10 -------- d-----w- c:\docume~1\anyuser\applic~1\SmartHideIP

2011-03-26 17:58:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\SmartHideIP

2011-03-26 17:56:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Arovax

2011-03-25 02:58:17 -------- d-----w- c:\windows\pss

2011-03-22 19:38:35 -------- d-----w- c:\docume~1\anyuser\locals~1\applic~1\Babylon

2011-03-22 19:38:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\Babylon

2011-03-22 19:38:32 -------- d-----w- c:\docume~1\anyuser\applic~1\Babylon

2011-03-22 19:27:53 -------- d--h--w- c:\windows\Icons

2011-03-22 19:23:16 2332416 ----a-w- c:\windows\system32\TUKernel.exe

2011-03-22 19:03:48 29504 ----a-w- c:\windows\system32\uxtuneup.dll

2011-03-22 18:59:00 31552 ----a-w- c:\windows\system32\TURegOpt.exe

2011-03-22 18:58:43 -------- d-----w- c:\docume~1\anyuser\applic~1\TuneUp Software

2011-03-22 18:58:24 -------- d-----w- c:\program files\TuneUp Utilities 2011

2011-03-22 18:58:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software

2011-03-22 18:58:03 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}

2011-03-22 14:58:30 -------- d-----w- c:\program files\ASIO4ALL v2

2011-03-22 14:23:13 225280 ----a-w- c:\windows\system32\rewire.dll

2011-03-22 14:23:00 1554944 ----a-w- c:\windows\system32\vorbis.acm

2011-03-22 14:22:35 -------- d-----w- c:\program files\VstPlugins

2011-03-22 14:22:30 -------- d-----w- c:\program files\Outsim

2011-03-22 14:20:11 -------- d-----w- c:\program files\Image-Line

2011-03-20 17:24:31 -------- d-----w- c:\docume~1\anyuser\applic~1\Toolbar4

2011-03-20 17:24:27 -------- d-----w- c:\program files\FileBulldog Toolbar

2011-03-20 17:24:08 -------- d-----w- c:\docume~1\anyuser\locals~1\applic~1\Ares

2011-03-20 17:24:06 -------- d-----w- c:\program files\Ares

2011-03-20 16:50:28 24576 ----a-w- c:\windows\Slideshow Screensaver.scr

2011-03-20 16:33:18 -------- d-----w- c:\docume~1\anyuser\applic~1\KC Softwares

2011-03-20 16:27:41 -------- d-----w- c:\program files\Crawler

2011-03-20 16:27:07 -------- d-----w- c:\program files\Billeo

2011-03-20 16:26:06 -------- d-----w- c:\docume~1\anyuser\applic~1\PCFixSpeed

2011-03-20 16:26:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\PCFixSpeed

2011-03-20 16:26:05 -------- d-----w- c:\program files\PCFixSpeed

2011-03-20 16:25:41 -------- d-----w- c:\program files\KC Softwares

2011-03-20 14:32:52 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2011-03-20 14:32:52 75264 ----a-w- c:\windows\system32\unacev2.dll

2011-03-20 14:32:52 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2011-03-20 14:32:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2011-03-20 14:32:52 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2011-03-20 14:32:50 -------- d-----w- c:\program files\Trojan Remover

2011-03-20 14:32:50 -------- d-----w- c:\docume~1\anyuser\applic~1\Simply Super Software

2011-03-20 14:32:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

2011-03-20 14:30:28 10488608 ----a-w- c:\docume~1\anyuser\locals~1\applic~1\trojan-remover-6.8.2.exe

2011-03-20 13:52:09 -------- d-----w- c:\docume~1\anyuser\locals~1\applic~1\Identities

2011-03-20 10:21:59 215920 ----a-w- c:\windows\system32\muweb.dll

2011-03-19 16:12:05 -------- d-----w- c:\program files\Bandoo

2011-03-19 15:54:00 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-03-19 15:54:00 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-03-19 15:54:00 1060864 ----a-w- c:\windows\system32\MFC71.dll

2011-03-19 15:54:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Max Secure

2011-03-19 15:53:59 907920 --s-a-w- c:\windows\system32\Eraser.dll

2011-03-19 15:53:58 -------- d-----w- c:\program files\Max PC Privacy

2011-03-19 15:47:58 -------- d-----w- c:\program files\OurBabyMaker_27EI

2011-03-19 15:32:11 -------- d-----w- c:\program files\Windows Media Connect 2

2011-03-19 15:30:23 -------- d-----w- c:\windows\system32\LogFiles

2011-03-19 09:50:58 -------- d-----w- c:\program files\Utherverse Digital Inc

2011-03-18 12:52:53 -------- d-sha-r- C:\cmdcons

2011-03-18 12:50:47 98816 ----a-w- c:\windows\sed.exe

2011-03-18 12:50:47 89088 ----a-w- c:\windows\MBR.exe

2011-03-18 12:50:47 256512 ----a-w- c:\windows\PEV.exe

2011-03-18 12:50:47 161792 ----a-w- c:\windows\SWREG.exe

2011-03-18 10:20:43 -------- d-----w- c:\docume~1\anyuser\applic~1\CheeseSoft

2011-03-18 10:20:41 -------- d-----w- C:\FU_Backup

2011-03-18 10:20:28 -------- d-----w- c:\program files\FinalUninstaller

2011-03-18 08:57:11 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-03-18 08:57:11 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2011-03-17 13:12:43 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2011-03-17 13:12:42 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2011-03-17 13:11:46 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2011-03-17 13:08:29 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2011-03-17 12:54:21 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2011-03-17 12:34:03 -------- d-----w- c:\windows\system32\XPSViewer

2011-03-17 12:32:43 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

2011-03-17 12:32:09 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2011-03-17 12:32:09 117760 ------w- c:\windows\system32\prntvpt.dll

2011-03-17 12:32:08 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2011-03-17 12:32:08 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2011-03-17 12:32:08 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2011-03-17 12:32:08 575488 ------w- c:\windows\system32\xpsshhdr.dll

2011-03-17 12:32:08 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2011-03-17 12:32:08 1676288 ------w- c:\windows\system32\xpssvcs.dll

2011-03-17 12:32:07 -------- d-----w- C:\92551cd91d502ed7fcb458

2011-03-17 11:42:27 -------- d-----w- c:\docume~1\anyuser\applic~1\Malwarebytes

2011-03-17 11:42:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-03-17 10:51:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\ESTsoft

2011-03-17 10:51:44 -------- d-----w- c:\program files\ESTsoft

2011-03-17 10:51:44 -------- d-----w- c:\docume~1\anyuser\applic~1\ESTsoft

2011-03-17 10:43:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Messenger Plus!

2011-03-17 10:42:52 -------- d-----w- c:\program files\Yuna Software

2011-03-17 10:42:06 -------- d-----w- c:\documents and settings\anyuser\Tracing

2011-03-17 10:41:39 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys

2011-03-17 10:37:59 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2011-03-17 10:37:54 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2011-03-17 10:36:26 -------- d-----w- c:\program files\Microsoft

2011-03-17 10:36:09 -------- d-----w- c:\program files\Windows Live SkyDrive

2011-03-17 10:34:34 23510720 ----a-w- c:\program files\common files\windows live\.cache\e7fc46301cbe48e\dotnetfx.exe

2011-03-17 10:29:50 74520 ----a-w- c:\program files\common files\windows live\.cache\3edb75d01cbe48e\DSETUP.dll

2011-03-17 10:29:50 484632 ----a-w- c:\program files\common files\windows live\.cache\3edb75d01cbe48e\DXSETUP.exe

2011-03-17 10:29:50 1670936 ----a-w- c:\program files\common files\windows live\.cache\3edb75d01cbe48e\dsetup32.dll

2011-03-17 10:29:22 1013800 ----a-w- c:\program files\common files\windows live\.cache\2e5d11321cbe48e\WindowsXP-KB954708-x86-ENU.exe

2011-03-17 10:23:17 -------- d-----w- c:\program files\common files\Windows Live

2011-03-17 09:50:07 -------- d-----w- c:\windows\system32\scripting

2011-03-17 09:50:07 -------- d-----w- c:\windows\l2schemas

2011-03-17 09:50:06 -------- d-----w- c:\windows\system32\en

2011-03-17 09:50:06 -------- d-----w- c:\windows\system32\bits

2011-03-17 09:46:23 -------- d-----w- c:\windows\network diagnostic

2011-03-17 09:44:58 -------- d-----w- c:\windows\system32\ReinstallBackups

2011-03-17 09:28:17 -------- d-sh--w- c:\documents and settings\anyuser\IECompatCache

2011-03-17 09:27:47 -------- d-sh--w- c:\documents and settings\anyuser\PrivacIE

2011-03-17 09:26:27 -------- d-sh--w- c:\documents and settings\anyuser\IETldCache

2011-03-17 09:21:40 -------- d-----w- c:\windows\ie8updates

2011-03-17 09:21:25 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-03-17 09:21:24 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2011-03-17 09:21:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-03-17 09:21:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-03-17 09:21:24 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll

2011-03-17 09:21:23 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-03-17 09:21:23 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll

2011-03-17 09:20:03 -------- dc-h--w- c:\windows\ie8

2011-03-17 09:10:56 -------- d-----w- c:\windows\ServicePackFiles

2011-03-17 09:10:07 221184 ----a-w- c:\windows\system32\wmpns.dll

2011-03-17 08:54:24 73216 ------w- c:\windows\system32\drivers\atintuxx.sys

2011-03-17 08:00:32 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2011-03-17 08:00:31 272128 ------w- c:\windows\system32\drivers\bthport.sys

2011-03-17 08:00:03 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2011-03-17 08:00:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2011-03-17 07:59:53 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2011-03-17 07:57:48 357248 -c----w- c:\windows\system32\dllcache\srv.sys

2011-03-17 07:54:19 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2011-03-17 07:53:37 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2011-03-17 07:52:01 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2011-03-17 07:52:00 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2011-03-17 07:52:00 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2011-03-17 07:52:00 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2011-03-17 07:52:00 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2011-03-17 07:52:00 110592 -c----w- c:\windows\system32\dllcache\services.exe

2011-03-17 07:51:59 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll

2011-03-17 07:51:59 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll

2011-03-17 07:51:59 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

2011-03-17 07:51:58 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2011-03-17 07:51:56 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2011-03-17 07:51:55 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2011-03-17 07:44:42 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2011-03-17 07:41:02 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2011-03-17 07:40:17 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-03-17 07:40:17 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe

2011-03-17 07:33:38 -------- d-----w- c:\windows\system32\PreInstall

2011-03-17 07:33:35 -------- d--h--w- c:\windows\$hf_mig$

2011-03-17 04:53:55 87280 ----a-w- c:\windows\system32\bcmwlcoi.dll

2011-03-17 04:53:55 1391104 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS

2011-03-17 04:53:55 -------- d-----w- c:\program files\Broadcom

2011-03-17 04:52:59 -------- d-----w- C:\SWSetup

2011-03-17 04:52:22 172032 ----a-w- c:\windows\system32\igfxres.dll

2011-03-17 04:49:31 -------- d-----w- c:\windows\system32\appmgmt

2011-03-17 01:02:10 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll

2011-03-17 01:01:59 5632 -c--a-w- c:\windows\system32\dllcache\smimsgif.dll

2011-03-17 01:00:59 6144 -c--a-w- c:\windows\system32\dllcache\admxprox.dll

.

==================== Find3M ====================

.

2011-03-16 21:12:12 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-03-16 21:12:11 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 2:24:19.71 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 3/17/2011 4:02:21 AM

System Uptime: 3/27/2011 1:18:05 AM (1 hours ago)

.

Motherboard: Hewlett-Packard | | 30D5

Processor: Intel® Celeron® M CPU 440 @ 1.86GHz | U10 | 1862/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 39 GiB total, 30.927 GiB free.

D: is FIXED (NTFS) - 35 GiB total, 24.892 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP17: 3/22/2011 9:58:23 PM - Installed TuneUp Utilities 2011

RP18: 3/24/2011 1:16:51 PM - Software Distribution Service 3.0

RP19: 3/26/2011 12:18:08 PM - ComboFix created restore point

.

==== Installed Programs ======================

.

???? ??? Windows Live

???? ??????? ?? Windows Live

???? ??????? Windows Live Upload Tool

???? Windows Live

????? ????? ?????? ??? Windows Live

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

ALTools Update

ALZip

Ares 3.1

ASIO4ALL

Billeo

Broadcom 802.11 Wireless LAN Adapter

Conexant HD Audio

Crawler Slideshow Screensaver

Drumaxx

Easy-Hide-IP 3.7.4

FileBulldog Toolbar

Final Uninstaller

FL Studio 9

Hardcore

HDAUDIO Soft Data Fax Modem with SmartCP

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

IL Download Manager

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections Drivers

Java Auto Updater

Java 6 Update 24

Junk Mail filter update

KC Softwares KCleaner

Max PC Privacy

Messenger Plus! 5

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Search Enhancement Pack

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Mozilla Firefox (3.6.15)

MSVCRT

PC Fix Speed 1.0.0.0

PoiZone

Sakura

Sawer

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB982381)

Segoe UI

Toxic Biohazard

Trojan Remover 6.8.2

TuneUp Utilities 2011

TuneUp Utilities Language Pack (en-US)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Web Security Guard with Crawler Toolbar

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Internet Explorer 8

Windows Live Communications Platform

Windows Live Essentials

Windows Live Messenger

Windows Live Toolbar

Windows Live Writer

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

.

==== Event Viewer Messages From Past Week ========

.

3/26/2011 8:27:35 PM, error: Service Control Manager [7034] - The Hotspot Shield Monitoring Service service terminated unexpectedly. It has done this 1 time(s).

3/26/2011 8:27:27 PM, error: Service Control Manager [7034] - The Hotspot Shield Routing Service service terminated unexpectedly. It has done this 2 time(s).

3/26/2011 5:36:28 PM, error: Service Control Manager [7034] - The Hotspot Shield Routing Service service terminated unexpectedly. It has done this 1 time(s).

3/26/2011 12:06:12 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the TuneUp.UtilitiesSvc service.

3/26/2011 11:49:47 PM, error: Service Control Manager [7034] - The TuneUp Utilities Service service terminated unexpectedly. It has done this 1 time(s).

3/26/2011 11:49:47 PM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).

3/26/2011 11:49:47 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

3/25/2011 6:06:14 PM, error: Dhcp [1002] - The IP address lease 10.67.72.7 for the Network Card with network address 00FF5CB840CA has been denied by the DHCP server 10.76.71.254 (The DHCP Server sent a DHCPNACK message).

3/25/2011 3:55:29 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

3/25/2011 3:21:25 PM, error: Dhcp [1002] - The IP address lease 10.72.64.85 for the Network Card with network address 00FF5CB840CA has been denied by the DHCP server 10.67.79.254 (The DHCP Server sent a DHCPNACK message).

3/24/2011 6:33:42 PM, error: Dhcp [1002] - The IP address lease 10.72.80.48 for the Network Card with network address 00FF5CB840CA has been denied by the DHCP server 10.72.47.254 (The DHCP Server sent a DHCPNACK message).

3/24/2011 10:34:07 PM, error: Dhcp [1002] - The IP address lease 10.72.40.52 for the Network Card with network address 00FF5CB840CA has been denied by the DHCP server 10.72.71.254 (The DHCP Server sent a DHCPNACK message).

.

==== End Of File ===========================

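The DDS listing posted above has a fixed shape per line: timestamp, size (or dashes for a directory), an eight-character attribute string such as `d-sha-r-` or `----a-w-`, then the path. Reading a few hundred of those lines by eye is how the helpers in this thread find a dropped driver or a hidden directory; the small parser below does the same triage mechanically. It is an added example, not code from the thread or from DDS/ComboFix. The sample lines are copied from the log above; the attribute-column meanings (d = directory, s = system, h = hidden, a = archive, r/w = read-only/writable, c = compressed) are inferred from the log, the allowlist of known hidden+system paths and the seven-day window are assumptions, and every flag means "review this", not "this is malware".

```python
"""Triage DDS 'Files Created' / 'Find3M' listing lines (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Sample input: lines copied from the DDS log in this thread.
SAMPLE = r"""
2011-03-18 12:52:53 -------- d-sha-r- C:\cmdcons
2011-03-18 12:50:47 89088 ----a-w- c:\windows\MBR.exe
2011-03-17 13:08:29 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-03-17 10:41:39 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2011-03-17 09:28:17 -------- d-sh--w- c:\documents and settings\anyuser\IECompatCache
2011-03-17 12:32:07 -------- d-----w- C:\92551cd91d502ed7fcb458
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
"""

# <date> <time> <size | --------> <8-char attribute string> <path>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>.+?)\s*$",
    re.IGNORECASE,
)

# Attribute positions inferred from the log: 0=d(ir) 1=c(ompressed) 2=s(ystem)
# 3=h(idden) 4=a(rchive) 6=r(ead-only)/w(ritable). Positions 5 and 7 are not
# exercised by any line in the log, so they are left uninterpreted.
@dataclass
class Entry:
    when: datetime
    size: Optional[int]            # None for directories ("--------")
    attrs: str
    path: str
    flags: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"


def parse_listing(text: str) -> List[Entry]:
    """Parse every well-formed listing line; skip headers, dots and blanks."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        entries.append(Entry(when, size, m["attrs"].lower(), m["path"]))
    return entries


# Assumed triage rules: a new kernel driver is where a rootkit would live,
# hidden+system directories hide payloads, hex-blob directories in the root
# are worth a look (Windows Update also creates them, so this is "review").
DRIVER_RE = re.compile(r"^c:\\windows\\system32\\drivers\\[^\\]+\.sys$", re.I)
HEX_DIR_RE = re.compile(r"^c:\\[0-9a-f]{16,}$", re.I)
KNOWN_HIDDEN_SYSTEM = {r"c:\cmdcons"}  # assumed allowlist (Recovery Console)


def triage(entries: List[Entry], reference: str, window_days: int = 7) -> List[Entry]:
    """Attach review flags; 'reference' is the scan date as YYYY-MM-DD."""
    cutoff = datetime.fromisoformat(reference) - timedelta(days=window_days)
    for e in entries:
        p = e.path.lower()
        if e.is_dir and e.hidden and e.system and p not in KNOWN_HIDDEN_SYSTEM:
            e.flags.append("hidden+system directory")
        if DRIVER_RE.match(p) and e.when >= cutoff:
            e.flags.append("recent kernel driver")
        if e.is_dir and HEX_DIR_RE.match(p):
            e.flags.append("hex-named root directory")
    return [e for e in entries if e.flags]


def demo() -> Dict[str, List[str]]:
    """Run the sample through the parser with the log's scan date (2011-03-19)."""
    flagged = triage(parse_listing(SAMPLE), reference="2011-03-19")
    return {e.path.lower(): e.flags for e in flagged}


if __name__ == "__main__":
    for path, flags in demo().items():
        print(f"{path}: {', '.join(flags)}")
```

Run it against a whole DDS log by passing the file contents to `parse_listing`; lines that are not listing entries (section headers, the lone dots) are ignored. The rules deliberately err towards flagging: on the sample, the IE compatibility cache is flagged as hidden+system and the hex-named directory is a Windows Update working folder, so the output is a shortlist for a human, which is the same role the forum helper plays when reading the raw log.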

  • Root Admin

STEP 01

Please uninstall the following programs

???? ??? Windows Live

???? ??????? ?? Windows Live

???? ??????? Windows Live Upload Tool

???? Windows Live

????? ????? ?????? ??? Windows Live

Crawler Slideshow Screensaver

FileBulldog Toolbar

The privacy policy doesn't say much for the software; you might want to consider removing it too:

http://www.msgplus.net/Privacy-Policy

Messenger Plus! 5

Max PC Privacy

Trojan Remover 6.8.2

STEP 02

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines


DDS::
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} -
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.
IE: Crawler Search - tbr:iemenu
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Firefox::
FF - ProfilePath - c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bigseekpro.com/aresdestiny/{72D01AD4-B75B-4BC4-A194-896511A26AEF}
FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/aresdestiny/{72D01AD4-B75B-4BC4-A194-896511A26AEF}?q=
FF - component: c:\documents and settings\anyuser\application data\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@facemoods.com\components\FFHst.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xcomm.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xshared.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xsupport.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xwsg.dll
FF - component: c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll
FF - Ext: Facemoods: ffxtlbr@Facemoods.com - %profile%\extensions\ffxtlbr@Facemoods.com
FF - Ext: Billeo: {4be68a18-deba-49e0-9e09-ee7796f3b62a} - %profile%\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}
FF - Ext: FileBulldogToolbar: {75656794-AB59-4712-BFBC-5D816D56F3BC} - %profile%\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Crawler Toolbar: {4B3803EA-5230-4DC3-A7FC-33638F3D3542}

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

[image: CFScript.gif]

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
    When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03

If Combofix does say there is a rootkit, then take a screenshot of that message box and show me, please.


Guest name cool

OK,

ComboFix 11-03-26.01 - ANYUSER 03/27/2011 6:12.8.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.302 [GMT 3:00]

Running from: c:\documents and settings\ANYUSER\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\ANYUSER\Desktop\CFscript.txt

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\chrome.manifest

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\chrome\chrome_user.jar

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\defaults\preferences\defaults.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\install.rdf

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\chrome.manifest

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\chrome\billeotoolbar.jar

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\BilleoHelper.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\billeohelper.xpt

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\billeotoolbar.dll

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\BilleoWorker.xpt

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\cache\toolbar.xml

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\billeo.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\billeologo.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\billpay.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\billpay_inactive.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\billpay_mo.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\bing.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\fillform.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\fillform_inactive.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\fillform_mo.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\google.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\logo_signed_out.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\password.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\password_inactive.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\password_mo.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\redflag.gif

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\savepage.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\savepage_inactive.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\savepage_mo.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\shopping.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\shopping_inactive.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\shopping_mo.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\signin.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\signin_mo.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\downloads\yahoo.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\install.rdf

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\META-INF\manifest.mf

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\META-INF\zigbert.rsa

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\META-INF\zigbert.sf

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome.manifest

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\1.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\10.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\11.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\12.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\13.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\14.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\15.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\16.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\17.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\18.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\19.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\2.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\20.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\21.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\22.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\23.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\24.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\25.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\26.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\27.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\28.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\29.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\3.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\30.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\31.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\32.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\33.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\34.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\35.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\36.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\37.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\38.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\39.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\4.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\40.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\41.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\42.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\43.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\44.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\45.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\46.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\47.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\48.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\49.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\5.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\50.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\51.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\52.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\53.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\54.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\55.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\56.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\57.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\6.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\7.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\8.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\9.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\affid.dat

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\basis.xml

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\bubble.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\bubble.xul

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\colorpicker.htm

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\contents.rdf

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\icons.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\info.txt

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\jscontainer.htm

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\mbback.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\mbbigopen.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\mbclose.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\mbfwd.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\mbsep.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\md5.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\mozilla.xul

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\mymenuitem.xml

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\nav1c.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\options.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\options.xul

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\separator.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\tb.css

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\tb.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\tb.xsl

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\tb.xul

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\tbcore3.inf

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\chrome\content\somoto\version.txt

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}\install.rdf

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\chrome.manifest

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\components\FFHst.dll

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\components\FFHst.xpt

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\facemoods.css

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\facemoods.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\facemoods.xul

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\fcmdDef.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\facebook_But.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\facebook_But2.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\facemoods.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\fb.gif

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\fbhome.gif

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\fbmsgs.gif

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\fbphotos.gif

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\fbprofile.gif

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\fbsettings.gif

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\fbshare.gif

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\fbuploads.gif

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\help_16.gif

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\home.gif

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\ibario_ball.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\logo.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\moodsIcon.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\pref.jpg

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\privecy_16_hot.gif

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\stripicons.png

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\tellafriend.gif

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\Thumbs.db

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\images\vssver.scc

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\instlgc.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\JSonButtons.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\Loader.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\mtrprt.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\newTabLgc.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\PPCB.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\preferences\preferences.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\preferences\preferences.xul

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\prefman.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\script-compiler.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\Thumbs.db

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\utils.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\vssver.scc

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\xmlhttprequester.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\content\xpiInstallLgc.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\defaults\preferences\instlPref.js

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\defaults\preferences\vssver.scc

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\install.rdf

c:\docume~1\anyuser\applic~1\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@Facemoods.com\vssver.scc

c:\documents and settings\anyuser\application data\mozilla\firefox\profiles\malvqzn4.default\extensions\ffxtlbr@facemoods.com\components\FFHst.dll

c:\program files\crawler\toolbar\firefox\components\xcomm.dll

c:\program files\crawler\toolbar\firefox\components\xshared.dll

c:\program files\crawler\toolbar\firefox\components\xsupport.dll

c:\program files\crawler\toolbar\firefox\components\xwsg.dll

c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll

c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension\chrome.manifest

c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension\chrome\chrome.jar

c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension\defaults\preferences\defaults.js

c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension\install.rdf

c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension\MicrosoftDotNetFrameworkAssistant.xpi

.

.

((((((((((((((((((((((((( Files Created from 2011-02-27 to 2011-03-27 )))))))))))))))))))))))))))))))

.

.

2011-03-26 21:55 . 2011-03-27 00:26 -------- d-----w- C:\Hotspot Shield

2011-03-18 10:20 . 2011-03-26 21:48 -------- d-----w- C:\FU_Backup

2011-03-17 12:32 . 2011-03-17 12:32 -------- d-----w- C:\92551cd91d502ed7fcb458

2011-03-17 04:52 . 2011-03-16 21:29 -------- d-----w- C:\SWSetup

2011-03-17 04:51 . 2011-03-17 04:51 -------- d-----w- C:\Intel

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2004-08-03 21:56 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-03 21:56 186880 ----a-w- c:\windows\system32\encdec.dll

2011-01-21 14:44 . 2004-08-03 21:56 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-08-03 21:56 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-08-03 20:17 1854976 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((( SnapShot_2011-03-25_01.11.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-03-27 03:11 . 2011-03-27 03:11 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Easy-Hide-IP"="c:\program files\Easy-Hide-IP\easy-hide-ip.exe" [2010-10-20 4539392]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities 2011\WinStyler\tu_logonui.exe"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Ares\\Ares.exe"=

"c:\\Program Files\\Easy-Hide-IP\\easy-hide-ip.exe"=

.

R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [3/4/2011 7:30 PM 1523008]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [10/7/2010 1:34 PM 10064]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-27 c:\windows\Tasks\User_Feed_Synchronization-{346D76C5-8E54-4CBC-9BEF-63C9255A4439}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = local

FF - ProfilePath - c:\documents and settings\ANYUSER\Application Data\Mozilla\Firefox\Profiles\malvqzn4.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - Ext: afurladvisor: afurladvisor@anchorfree.com - c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Crawler Toolbar: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - c:\program files\Crawler\Toolbar\firefox

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-27 06:18

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-03-27 06:21:33

ComboFix-quarantined-files.txt 2011-03-27 03:21

ComboFix2.txt 2011-03-26 09:39

ComboFix3.txt 2011-03-25 20:09

ComboFix4.txt 2011-03-25 01:13

ComboFix5.txt 2011-03-27 03:05

.

Pre-Run: 33,045,729,280 bytes free

Post-Run: 33,142,681,600 bytes free

.

- - End Of File - - 4144C24E88061B42AC81B0D8471BAC1D


Guest name cool

2011/03/27 07:04:36.0656 4048 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28

2011/03/27 07:04:38.0593 4048 ================================================================================

2011/03/27 07:04:38.0593 4048 SystemInfo:

2011/03/27 07:04:38.0593 4048

2011/03/27 07:04:38.0593 4048 OS Version: 5.1.2600 ServicePack: 3.0

2011/03/27 07:04:38.0593 4048 Product type: Workstation

2011/03/27 07:04:38.0593 4048 ComputerName: BTC

2011/03/27 07:04:38.0593 4048 UserName: ANYUSER

2011/03/27 07:04:38.0593 4048 Windows directory: C:\WINDOWS

2011/03/27 07:04:38.0593 4048 System windows directory: C:\WINDOWS

2011/03/27 07:04:38.0593 4048 Processor architecture: Intel x86

2011/03/27 07:04:38.0593 4048 Number of processors: 1

2011/03/27 07:04:38.0593 4048 Page size: 0x1000

2011/03/27 07:04:38.0593 4048 Boot type: Normal boot

2011/03/27 07:04:38.0593 4048 ================================================================================

2011/03/27 07:04:38.0828 4048 Initialize success

2011/03/27 07:04:44.0750 1076 ================================================================================

2011/03/27 07:04:44.0750 1076 Scan started

2011/03/27 07:04:44.0750 1076 Mode: Manual;

2011/03/27 07:04:44.0750 1076 ================================================================================

2011/03/27 07:04:47.0125 1076 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/03/27 07:04:47.0171 1076 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2011/03/27 07:04:47.0265 1076 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/03/27 07:04:47.0312 1076 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2011/03/27 07:04:47.0671 1076 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/03/27 07:04:47.0718 1076 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/03/27 07:04:47.0781 1076 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/03/27 07:04:47.0843 1076 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/03/27 07:04:47.0953 1076 BCM43XX (37f385a93c620cbe0f89c17e45f697a1) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2011/03/27 07:04:48.0078 1076 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/03/27 07:04:48.0265 1076 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/03/27 07:04:48.0343 1076 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/03/27 07:04:48.0390 1076 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/03/27 07:04:48.0421 1076 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/03/27 07:04:48.0531 1076 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/03/27 07:04:48.0609 1076 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/03/27 07:04:48.0765 1076 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/03/27 07:04:48.0843 1076 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/03/27 07:04:48.0968 1076 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/03/27 07:04:49.0015 1076 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/03/27 07:04:49.0062 1076 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/03/27 07:04:49.0156 1076 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/03/27 07:04:49.0218 1076 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\WINDOWS\system32\DRIVERS\e100b325.sys

2011/03/27 07:04:49.0312 1076 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/03/27 07:04:49.0375 1076 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/03/27 07:04:49.0421 1076 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/03/27 07:04:49.0468 1076 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/03/27 07:04:49.0500 1076 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/03/27 07:04:49.0562 1076 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/03/27 07:04:49.0609 1076 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/03/27 07:04:49.0671 1076 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/03/27 07:04:49.0750 1076 HBtnKey (cef316dbbd1b3845a6d53ed620eb1aeb) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys

2011/03/27 07:04:49.0812 1076 HdAudAddService (47f106735bad58a4d4a05c4a38315cd9) C:\WINDOWS\system32\drivers\CHDAud.sys

2011/03/27 07:04:49.0875 1076 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/03/27 07:04:49.0984 1076 HSFHWAZL (0aaef566e6782957252fa79f566fbc0b) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys

2011/03/27 07:04:50.0046 1076 HSF_DPV (e472e0cb4e716cc34c0e045f2c196221) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

2011/03/27 07:04:50.0156 1076 HssDrv (4f28652ec514fa1ba473bc1a695a5c98) C:\WINDOWS\system32\DRIVERS\HssDrv.sys

2011/03/27 07:04:50.0234 1076 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/03/27 07:04:50.0328 1076 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/03/27 07:04:50.0578 1076 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

2011/03/27 07:04:50.0843 1076 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/03/27 07:04:50.0968 1076 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/03/27 07:04:51.0015 1076 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/03/27 07:04:51.0078 1076 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/03/27 07:04:51.0125 1076 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/03/27 07:04:51.0187 1076 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/03/27 07:04:51.0234 1076 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/03/27 07:04:51.0281 1076 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/03/27 07:04:51.0312 1076 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/03/27 07:04:51.0359 1076 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/03/27 07:04:51.0406 1076 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/03/27 07:04:51.0453 1076 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/03/27 07:04:51.0500 1076 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/03/27 07:04:51.0640 1076 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/03/27 07:04:51.0703 1076 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/03/27 07:04:51.0750 1076 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/03/27 07:04:51.0796 1076 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/03/27 07:04:51.0828 1076 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/03/27 07:04:51.0906 1076 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/03/27 07:04:51.0968 1076 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/03/27 07:04:52.0046 1076 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/03/27 07:04:52.0125 1076 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/03/27 07:04:52.0171 1076 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/03/27 07:04:52.0203 1076 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/03/27 07:04:52.0250 1076 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/03/27 07:04:52.0312 1076 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/03/27 07:04:52.0359 1076 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/03/27 07:04:52.0406 1076 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/03/27 07:04:52.0453 1076 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/03/27 07:04:52.0484 1076 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/03/27 07:04:52.0546 1076 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/03/27 07:04:52.0609 1076 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/03/27 07:04:57.0093 1076 ================================================================================

2011/03/27 07:04:57.0093 1076 Scan finished

2011/03/27 07:04:57.0093 1076 ================================================================================


Guest name cool

aswMBR version 0.9.4 Copyright© 2011 AVAST Software

Run date: 2011-03-27 07:15:21

-----------------------------

07:15:21.375 OS Version: Windows 5.1.2600 Service Pack 3

07:15:21.375 Number of processors: 1 586 0xE0C

07:15:21.375 ComputerName: BTC UserName:

07:15:21.734 Initialize success

07:15:26.578 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

07:15:26.578 Disk 0 Vendor: ST980811AS 3.BHE Size: 76319MB BusType: 3

07:15:28.671 Disk 0 MBR read successfully

07:15:28.671 Disk 0 MBR scan

07:15:30.671 Disk 0 scanning sectors +156295440

07:15:30.718 Disk 0 scanning C:\WINDOWS\system32\drivers

07:15:34.703 Service scanning

07:15:36.390 Disk 0 trace - called modules:

07:15:36.437 TUKERNEL.EXE catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

07:15:36.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x822f3370]

07:15:36.453 3 CLASSPNP.SYS[f8581fd7] -> nt!IofCallDriver -> \Device\00000080[0x8229e3b8]

07:15:36.453 5 ACPI.sys[f84f8620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8229ed98]

07:15:36.453 Scan finished successfully


  • Root Admin

Okay let's run an Anti-Virus detector then and see what it says.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet.
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab; I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though).
  • On the File types tab ensure you select All files.
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave Prompt on Action checked
  • On the Log file tab leave Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on Maximum log file size.
  • On the General tab leave the Scan Priority on High.
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr.Web Anti-Virus logo you will see 3 little buttons. Click the left VCR-style Start button.
  • In this mode it will scan boot sectors of all disks, all removable media, and all local drives.
  • The more files and folders you have, the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (In this case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new HijackThis log.



Guest name cool

:(

I've run Dr.Web Scanner, but with a normal scan it is okay, and also it did not detect a rootkit or anything else, but some of the samples that I have.

With the changes, some things happened and I got many problems! Such as a slow scanner and a lack of response in many cases; however, an error message comes up saying that Windows virtual memory is low ... And so it is stuck most of the time ...

Then it stopped working, and it keeps freezing my computer.


  • Root Admin

I really don't know. Many things can cause memory depletion.

Please download and burn the following ISO image to CD and boot from it and do a scan.

Kaspersky RescueDisk

If you need a FREE utility to properly burn the ISO image

ImgBurn

How to write an image file to a disc with ImgBurn

Kaspersky Rescue Disk 10 - Knowledge base


Guest name cool

I have a big problem with the CD-ROM, where it cannot respond and is likely to have hit an internal malfunction.

What about these programs, should I download them now?


  • Root Admin

Well, at this point I'm not really sure how to help you. The ComboFix entry was probably due to some driver making it look like a TDL3 infection. No other tool you've run shows that to be the case.

You seem to be having some type of hardware issue that you need to get resolved. You may need access to another computer to burn some diagnostic disks, as well as possibly replacing your CD/DVD drive if you cannot boot from the current one.

I would like to help you, but every time we try to run something else you run into an issue which seems to be related to possible hardware problems on that computer.
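To make that point testable, here is an added example (not from the thread, aswMBR, or ComboFix): a Python parser for the aswMBR "trace - called modules" lines posted above that lists the modules in the disk I/O path missing from an assumed baseline of the stock Windows XP IDE stack. The baseline set and the sample text are this example's own assumptions; on the posted trace it returns TUKERNEL.EXE and catchme.sys (assumed here to be the TuneUp Utilities kernel image and ComboFix's own driver), exactly the third-party modules a responder should identify before reading a hook chain as a TDL3 infection.

```python
import re

# Constructed sample input: the aswMBR "trace" lines quoted in this thread.
SAMPLE_LOG = """\
07:15:36.390 Disk 0 trace - called modules:
07:15:36.437 TUKERNEL.EXE catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
07:15:36.453 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x822f3370]
07:15:36.453 3 CLASSPNP.SYS[f8581fd7] -> nt!IofCallDriver -> \\Device\\00000080[0x8229e3b8]
07:15:36.453 5 ACPI.sys[f84f8620] -> nt!IofCallDriver -> \\Device\\Ide\\IdeDeviceP0T0L0-3[0x8229ed98]
07:15:36.453 Scan finished successfully
"""

# Assumed baseline (this example's own, not aswMBR's): image names of a stock
# Windows XP IDE disk stack. Anything else means "identify it first", not "malicious".
STOCK_XP_DISK_STACK = {
    "ntoskrnl.exe", "ntkrnlpa.exe", "hal.dll", "classpnp.sys", "disk.sys",
    "partmgr.sys", "acpi.sys", "atapi.sys", "pciide.sys", "pciidex.sys",
}

TRACE_HDR = re.compile(r"^\d\d:\d\d:\d\d\.\d+ Disk (\d+) trace - called modules:$")
TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
HOP = re.compile(r"^\d+ (\S+?)(?:\[[0-9a-fA-F]+\])? -> ")

def parse_trace(text):
    """Return {disk: {"modules": [...], "hops": [...]}} from aswMBR log text."""
    traces, disk = {}, None
    for line in text.splitlines():
        hdr = TRACE_HDR.match(line)
        if hdr:
            disk = int(hdr.group(1))
            traces[disk] = {"modules": [], "hops": []}
            continue
        if disk is None:
            continue
        body = TIMESTAMP.sub("", line, count=1)
        hop = HOP.match(body)
        if hop:  # numbered lines: the callers of nt!IofCallDriver down the stack
            traces[disk]["hops"].append(hop.group(1))
        elif not traces[disk]["modules"] and "->" not in body and not body.startswith("Scan"):
            traces[disk]["modules"] = body.split()  # first unnumbered line: every module in the path
    return traces

def non_stock_modules(modules, baseline=STOCK_XP_DISK_STACK):
    """Modules in the disk I/O path that the assumed baseline does not account for."""
    return [m for m in modules if m.lower() not in baseline]

def review(text):
    """Per disk: third-party modules to identify before reading the trace as a TDL3-style hook."""
    return {d: non_stock_modules(t["modules"]) for d, t in parse_trace(text).items()}
```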


Guest
This topic is now closed to further replies.