
My symptoms are the following:

Surfing Google will redirect me to a random page, sometimes a fake antivirus scanner.

Windows Update can't be accessed. I'm talking about the web page for Windows XP to update, on which the page can't be found. I checked the hosts file and didn't find the web address for Windows Update, so it's not a hosts problem ;)

XP Antivirus 2011, Windows Security 2011: fake antivirus keeps invading the computer occasionally after removals (I think it's coming from IEXPLORE.exe in the background, or from the search redirects, which occur in all browsers).

Attach.zip


Welcome to the forum.

Download TDSSKiller to your Desktop.

Doubleclick on TDSSKiller.exe to run the application, then click on Start Scan.

Don't Change These Settings:

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

You may be asked to reboot the computer to complete the process. Click on Reboot Now.

To view the report:

Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory and look something like this:

TDSSKiller.2.4.17.0_12.02.2011_14.35.56_log.txt

---------------------------------------

The most important things to remember when running ComboFix is download and run it from your desktop and make sure you disable your anti-virus programs before you run it.

------------------------------

Please download and run ComboFix:

A few notes first:

- ComboFix is compatible exclusively with XP and W2K (32-bit only) <===> Vista and Windows 7 (32-bit and 64-bit)

- ComboFix must be run from an Administrative account.

- Vista and W7 users - Right click, choose "Run as Administrator"

- It must be downloaded to and run from your desktop.

- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can and will interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". (see below)

- ComboFix Guide <---please read!

Download ComboFix from one of these locations: (you may have to use right click > save target as)

- Link 1

- Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit.

More info HERE<-------

They may interfere with the running of ComboFix.

Note: If you have AVG or CA Internet Security Suite installed, due to recent changes in how these AV's target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download and run Opswat AppRemover

- Double click on ComboFix.exe & follow the prompts.

- Note: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

- Note: If you have SP3, use the SP2 package.

If Vista or Windows 7, skip the Recovery Console part

- ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

- **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot: RC1.png)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: RC2-1.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix permanently prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun ASAP!.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If a reboot doesn't restore your connection, please try this:

Check HERE

For XP systems download and run WinSockFix and Here

Vista users: Check HERE

Windows 7 systems: Download and run this Winsockfix.bat

5. Give ComboFix at least 20-30 minutes to finish if needed.

MrC


Here is my log for TDSS:

2011/04/03 15:01:32.0734 2672 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28

2011/04/03 15:01:34.0734 2672 ================================================================================

2011/04/03 15:01:34.0734 2672 SystemInfo:

2011/04/03 15:01:34.0734 2672

2011/04/03 15:01:34.0734 2672 OS Version: 5.1.2600 ServicePack: 2.0

2011/04/03 15:01:34.0734 2672 Product type: Workstation

2011/04/03 15:01:34.0734 2672 ComputerName: RACHEL-GF

2011/04/03 15:01:34.0734 2672 UserName: Administrator

2011/04/03 15:01:34.0734 2672 Windows directory: C:\WINDOWS

2011/04/03 15:01:34.0734 2672 System windows directory: C:\WINDOWS

2011/04/03 15:01:34.0734 2672 Processor architecture: Intel x86

2011/04/03 15:01:34.0734 2672 Number of processors: 2

2011/04/03 15:01:34.0734 2672 Page size: 0x1000

2011/04/03 15:01:34.0734 2672 Boot type: Normal boot

2011/04/03 15:01:34.0734 2672 ================================================================================

2011/04/03 15:01:34.0734 2672 SetPrivileges failed!

2011/04/03 15:02:13.0906 2672 Initialize success

2011/04/03 15:02:35.0015 0220 ================================================================================

2011/04/03 15:02:35.0015 0220 Scan started

2011/04/03 15:02:35.0015 0220 Mode: Manual;

2011/04/03 15:02:35.0015 0220 ================================================================================


2011/04/03 15:02:43.0062 0220 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/04/03 15:02:43.0062 0220 ================================================================================

2011/04/03 15:02:43.0062 0220 Scan finished

2011/04/03 15:02:43.0062 0220 ================================================================================

2011/04/03 15:02:43.0078 2412 Detected object count: 1

2011/04/03 15:02:55.0984 2412 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

2011/04/03 15:02:55.0984 2412 \HardDisk0 - ok

2011/04/03 15:02:55.0984 2412 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2011/04/03 15:03:26.0343 2668 Deinitialize success

Here is my log for ComboFix:

ComboFix 11-04-03.01 - Administrator 04/03/2011 15:15:24.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1085 [GMT -7:00]

Running from: c:\documents and settings\Administrator.RACHEL-GF\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Norton AntiVirus *Enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FW: PC Tools Firewall Plus *Enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\dfinstall.log

c:\docume~1\ADMINI~1.RAC\LOCALS~1\Temp\nsa8.tmp\registry.dll

c:\documents and settings\Administrator.RACHEL-GF\Local Settings\Temp\nsa8.tmp\registry.dll

c:\jdownloader\JDownloader.exe

c:\windows\system32\config\software.sav

c:\windows\system32\null0.8966410422799596.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))

.

.

2011-04-03 22:09 . 2011-04-03 22:09 -------- d-----r- C:\32788R22FWJFW

2011-03-31 10:18 . 2011-03-31 10:18 -------- d-----r- C:\Sandbox

2011-03-31 00:26 . 2011-03-31 00:26 52428800 ----a-w- c:\documents and settings\Administrator.RACHEL-GF\data.dll

2011-03-30 07:34 . 2011-03-30 07:34 -------- d-----w- c:\documents and settings\Administrator.RACHEL-GF\Application Data\ProgSense

2011-03-30 07:33 . 2011-03-30 07:33 -------- d-----w- c:\documents and settings\Administrator.RACHEL-GF\Application Data\GrabPro

2011-03-30 07:23 . 2011-03-31 05:52 -------- d-----w- c:\documents and settings\Administrator.RACHEL-GF\Application Data\Orbit

2011-03-28 09:02 . 2011-03-28 09:03 -------- d-----w- c:\documents and settings\rachel.GRANDCIT-22CDB2\Application Data\PCToolsFirewallPlus

2011-03-28 08:07 . 2011-03-28 08:07 -------- d-----w- c:\documents and settings\Administrator.RACHEL-GF\Application Data\PCToolsFirewallPlus

2011-03-28 08:05 . 2011-04-03 22:55 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

2011-03-28 08:05 . 2011-03-28 08:06 -------- d-----w- c:\program files\Common Files\PC Tools

2011-03-28 08:05 . 2011-03-30 19:35 -------- d-----w- c:\program files\PC Tools Firewall Plus

2011-03-28 07:51 . 2011-03-28 07:51 -------- d-----w- c:\documents and settings\Administrator.RACHEL-GF\Application Data\Sincell

2011-03-28 07:51 . 2011-03-28 07:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Sincell

2011-03-28 07:51 . 2011-03-28 07:51 -------- d-----w- c:\program files\Sincell

2011-03-26 21:27 . 2011-03-26 21:27 -------- d-----w- c:\program files\SystemRequirementsLab

2011-03-26 21:26 . 2011-03-26 21:26 -------- d-----w- c:\documents and settings\Administrator.RACHEL-GF\Application Data\SystemRequirementsLab

2011-03-26 01:28 . 2011-04-03 22:26 -------- d-----w- C:\JDownloader

2011-03-24 08:00 . 2011-03-24 08:00 -------- d-----w- C:\Downloads

2011-03-24 07:59 . 2011-03-24 08:03 -------- d-----w- c:\documents and settings\Administrator.RACHEL-GF\Local Settings\Application Data\FileServe Manager

2011-03-24 01:47 . 2011-03-31 00:18 -------- d-----w- c:\documents and settings\Administrator.RACHEL-GF\Application Data\Mipony

2011-03-24 01:46 . 2011-03-24 01:46 -------- d-----w- c:\program files\MiPony

2011-03-23 06:39 . 2011-03-23 06:39 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData

2011-03-23 04:26 . 2011-03-23 04:26 -------- d-----w- c:\documents and settings\Administrator.RACHEL-GF\Application Data\Malwarebytes

2011-03-23 04:26 . 2011-03-23 04:26 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2011-03-23 04:26 . 2011-03-23 04:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-17 07:23 . 2004-08-03 22:56 25600 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2011-03-17 07:08 . 2011-03-17 07:08 -------- d-----w- c:\documents and settings\Administrator.RACHEL-GF\Application Data\Avira

2011-03-17 07:06 . 2011-03-17 07:06 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira

2011-03-17 07:04 . 2011-03-25 10:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

2011-03-17 06:56 . 2011-03-17 06:56 -------- d-s---w- c:\documents and settings\Administrator.RACHEL-GF\UserData

2011-03-17 03:30 . 2011-03-17 03:30 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Administrator.RACHEL-GF\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-02 133104]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]

"avgnt"="d:\d drive\Software Files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]

"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-11-29 2676696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"d:\\D Drive\\Software Files\\Orbitdownloader\\Orbitdownloader\\orbitdm.exe"=

"d:\\D Drive\\Software Files\\Orbitdownloader\\Orbitdownloader\\orbitnet.exe"=

"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=

.

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [3/28/2011 1:05 AM 249616]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\d drive\Software Files\Avira\AntiVir Desktop\sched.exe [3/17/2011 12:06 AM 135336]

R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [3/28/2011 1:06 AM 160448]

R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [3/28/2011 1:05 AM 89192]

R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [3/28/2011 1:05 AM 57536]

R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [3/28/2011 1:05 AM 124992]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 10:37 PM 135664]

S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [3/28/2011 1:05 AM 57536]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 05:37]

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 05:37]

.

2011-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-492894223-682003330-500Core.job

- c:\documents and settings\Administrator.RACHEL-GF\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-02 01:46]

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-492894223-682003330-500UA.job

- c:\documents and settings\Administrator.RACHEL-GF\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-02 01:46]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: &Download by Orbit - d:\d drive\Software Files\Orbitdownloader\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - d:\d drive\Software Files\Orbitdownloader\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - d:\d drive\Software Files\Orbitdownloader\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - d:\d drive\Software Files\Orbitdownloader\Orbitdownloader\orbitmxt.dll/202

IE: Download with Mipony - file://c:\program files\MiPony\Browser\IEContext.htm

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

TCP: {506DE3C4-9FB7-427C-9AE0-8BC457D17794} = 208.67.220.220,208.67.222.222

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe

AddRemove-JDownloader - c:\program files\JDownloader\uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-03 15:54

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.EXE'(976)

c:\windows\system32\msi.dll

c:\windows\system32\browselc.dll

d:\ddrive~1\SOFTWA~1\SPYBOT~1\SDHelper.dll

c:\program files\Microsoft Office\OFFICE11\msohev.dll

c:\windows\system32\shdoclc.dll

.

Completion time: 2011-04-03 15:59:41 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-03 22:59

.

Pre-Run: 30,150,328,320 bytes free

Post-Run: 30,575,861,760 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

***multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional in 89+" /fastdetect /noexecute=optin

***multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional in 50.78+" /fastdetect /noexecute=optin

.

- - End Of File - - 6365DA0B7CD29AC8798C271632B98A6C


Delete your copy of TDSSKiller and download a fresh one.

Run it and make sure nothing is found.

Then update and run a Quick Scan with MBAM, and post the log.

MrC

Oh when I said that my svchost crashes, it didn't just happen during the TDSSKiller and MBAM so I don't think it's their fault but I'll continue to follow your instructions.

Here's the log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6271

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

4/4/2011 5:34:43 PM

mbam-log-2011-04-04 (17-34-43).txt

Scan type: Quick scan

Objects scanned: 317892

Time elapsed: 5 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


OK, let's do this:

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

Two reports will open; copy and paste them in a reply here (or attach them as .txt files):

OTListIt.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


For now please uninstall Spybot-S&D from your add/remove programs.

---------------------

Can you tell me what this folder is:

C:\Documents and Settings\Administrator.RACHEL-GF\Desktop\DBZSUPAKIDd

------------------------

Enable Hidden files:

http://www.howtogeek.com/howto/windows/display-hidden-folders-in-xp/

Can you check these folders for me? I think they're all related to the malware.

Let me know if you recognize any of them.

C:\Documents and Settings\All Users.WINDOWS\Application Data\~15064884r

C:\Documents and Settings\All Users.WINDOWS\Application Data\~15064884

C:\Documents and Settings\All Users.WINDOWS\Application Data\15064884

C:\Documents and Settings\All Users.WINDOWS\Application Data\3849895953

C:\Documents and Settings\All Users.WINDOWS\Application Data\(+.X)+.,-V),X

C:\Documents and Settings\All Users.WINDOWS\Application Data\461324706

C:\Documents and Settings\All Users.WINDOWS\Application Data\1756877096

C:\Documents and Settings\All Users.WINDOWS\Application Data\3444670578

C:\Documents and Settings\Administrator.RACHEL-GF\Local Settings\Application Data\1756877096

C:\Documents and Settings\Administrator.RACHEL-GF\Local Settings\Application Data\3849895953

C:\Documents and Settings\Administrator.RACHEL-GF\Local Settings\Application Data\461324706

C:\Documents and Settings\Administrator.RACHEL-GF\Local Settings\Application Data\(+.X)+.,-V),X

---------------------

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = File not found
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk = File not found
    O12 - Plugin for: .IE5 - Reg Error: Value error. File not found
    [2011/03/25 01:57:33 | 000,011,476 | -HS- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\6o1fpxf5dlxq47de5jb1600yp8m4cy5xnp3yiv
    [2011/03/24 23:01:28 | 000,013,386 | -HS- | M] () -- C:\Documents and Settings\Administrator.RACHEL-GF\Local Settings\Application Data\6o1fpxf5dlxq47de5jb1600yp8m4cy5xnp3yiv
    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered; when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC

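As an added triage helper for the OTL entries in the fix above (example code, not OTL's or the forum's own; the regex, the constructed sample lines and the 3.5-bit entropy threshold are my assumptions), this parses OTL file-listing lines and flags hidden/system files with random-looking or all-digit names under Application Data, the pattern MrC is pointing at:

```python
import re
from collections import Counter
from math import log2

# Added triage helper (not part of OTL or the forum's instructions): parses OTL
# file-listing lines and flags the pattern seen in this thread.
OTL_LINE = re.compile(
    r"^\[(?P<ts>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attr>[-A-Z]+)\s*\|\s*(?P<kind>[MC])\]"
    r"\s*\((?P<publisher>[^)]*)\)\s*--\s*(?P<path>.+?)\s*$"
)

# Constructed sample lines modelled on the thread's OTL entries; the last one is
# a benign, vendor-attributed control entry that must not be flagged.
SAMPLE_OTL_LINES = [
    r"[2011/03/25 01:57:33 | 000,011,476 | -HS- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\6o1fpxf5dlxq47de5jb1600yp8m4cy5xnp3yiv",
    r"[2011/03/24 23:01:28 | 000,013,386 | -HS- | M] () -- C:\Documents and Settings\Administrator.RACHEL-GF\Local Settings\Application Data\6o1fpxf5dlxq47de5jb1600yp8m4cy5xnp3yiv",
    r"[2011/03/22 08:00:00 | 000,002,048 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\3849895953",
    r"[2011/03/20 10:12:00 | 000,452,120 | ---- | M] (Google Inc.) -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google\Update\GoogleUpdate.exe",
]

def parse_otl_line(line):
    """Return the fields of one OTL file-listing line, or None if it is not one."""
    m = OTL_LINE.match(line.strip())
    return m.groupdict() if m else None

def shannon_entropy(s):
    """Bits per character: random-looking names score high, dictionary words low."""
    counts = Counter(s)
    return -sum(c / len(s) * log2(c / len(s)) for c in counts.values())

def triage_otl_lines(lines):
    """Flag Application Data entries with hidden/system attributes or random names."""
    findings = []
    for line in lines:
        entry = parse_otl_line(line)
        if not entry or "\\application data\\" not in entry["path"].lower():
            continue
        name = entry["path"].rsplit("\\", 1)[-1]
        reasons = []
        if "H" in entry["attr"] or "S" in entry["attr"]:
            reasons.append("hidden/system attributes")
        if name.isdigit() and len(name) >= 8:
            reasons.append("all-digit name")
        elif "." not in name and len(name) >= 20 and shannon_entropy(name) > 3.5:
            reasons.append("random-looking name")
        # Entries with a publisher and none of the above are left alone.
        if reasons and not entry["publisher"]:
            findings.append((entry["path"], reasons))
    return findings
```

Running `triage_otl_lines(SAMPLE_OTL_LINES)` flags the two hidden/system random-named files and the all-digit folder, and leaves the Google-attributed updater alone.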

OK, I uninstalled SB and looked at those files. They're all unknown to me, so I ran Malwarebytes on them and the game; it found nothing, so I deleted the files and left my game untouched (DBZSUPAKIDD folder).

I ran it. It restarted my computer and gave me this log:

All processes killed

========== OTL ==========

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk moved successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk moved successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\.IE5\ deleted successfully.

File C:\Documents and Settings\All Users.WINDOWS\Application Data\6o1fpxf5dlxq47de5jb1600yp8m4cy5xnp3yiv not found.

C:\Documents and Settings\Administrator.RACHEL-GF\Local Settings\Application Data\6o1fpxf5dlxq47de5jb1600yp8m4cy5xnp3yiv moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: administrator.GCTDOMAIN

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Administrator.RACHEL-GF

->Temp folder emptied: 31661636 bytes

->Temporary Internet Files folder emptied: 4427200 bytes

->Java cache emptied: 673526 bytes

->FireFox cache emptied: 46704225 bytes

->Google Chrome cache emptied: 250246663 bytes

->Flash cache emptied: 3070 bytes

User: All Users

User: All Users.WINDOWS

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Default User.WINDOWS

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Jonathan

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: jonathan.GCTDOMAIN.000

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 78991 bytes

->Flash cache emptied: 2190 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: LocalService.NT AUTHORITY

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 3604614 bytes

->Java cache emptied: 17496 bytes

->Flash cache emptied: 4848 bytes

User: NetworkService

->Temp folder emptied: 583408 bytes

->Temporary Internet Files folder emptied: 799717 bytes

User: NetworkService.NT AUTHORITY

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 3063942 bytes

->Java cache emptied: 13193 bytes

->Flash cache emptied: 7230 bytes

User: peter

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 78991 bytes

->Flash cache emptied: 348 bytes

User: peter.GCTDOMAIN

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: rachel

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 78991 bytes

->Java cache emptied: 1417196 bytes

->Flash cache emptied: 587 bytes

User: rachel.GCTDOMAIN

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 1759982 bytes

User: rachel.GRANDCIT-22CDB2

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 25493450 bytes

User: RACHEL~1~GRA

User: ricky

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: sally

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 78991 bytes

->Flash cache emptied: 348 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 6428142 bytes

%systemroot%\System32 .tmp files removed: 455697 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 263552 bytes

Windows Temp folder emptied: 838279 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 122322 bytes

Total Files Cleaned = 361.00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 04092011_162029

Files\Folders moved on Reboot...

C:\WINDOWS\temp\JET7634.tmp moved successfully.

File\Folder C:\WINDOWS\temp\Perflib_Perfdata_274.dat not found!

Registry entries deleted on Reboot...


The redirects have stopped and svchost stopped crashing so far. I can access Windows Update and everything. Thanks!

However, I'm wondering how I received the virus. I had Antivir, Malwarebytes Free and Spybot, but the malware continued to reinfect my system until I followed your instructions. Thanks for the help.


However, I'm wondering how I received the virus. I had Antivir, Malwarebytes Free and Spybot, but the malware continued to reinfect my system until I followed your instructions. Thanks for the help.

Malware uses all kinds of methods to install.

MBAM Free doesn't give you any realtime protection; you have to purchase the Full Version (which is highly recommended).

Spybot may have been conflicting with your other programs.

----------------------------

Please Uninstall ComboFix:

Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

--------------

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

-------------------

Any questions...please post back.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC
