Jump to content

redirect virus


Recommended Posts

:welcome:

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

Link to post
Share on other sites

2011/06/23 08:33:52.0004 3948 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15

2011/06/23 08:33:52.0555 3948 ================================================================================

2011/06/23 08:33:52.0555 3948 SystemInfo:

2011/06/23 08:33:52.0555 3948

2011/06/23 08:33:52.0555 3948 OS Version: 5.1.2600 ServicePack: 3.0

2011/06/23 08:33:52.0555 3948 Product type: Workstation

2011/06/23 08:33:52.0555 3948 ComputerName: DELLLAPTOP

2011/06/23 08:33:52.0555 3948 UserName: Bob

2011/06/23 08:33:52.0555 3948 Windows directory: C:\WINDOWS

2011/06/23 08:33:52.0555 3948 System windows directory: C:\WINDOWS

2011/06/23 08:33:52.0555 3948 Processor architecture: Intel x86

2011/06/23 08:33:52.0555 3948 Number of processors: 1

2011/06/23 08:33:52.0555 3948 Page size: 0x1000

2011/06/23 08:33:52.0555 3948 Boot type: Normal boot

2011/06/23 08:33:52.0555 3948 ================================================================================

2011/06/23 08:33:54.0778 3948 Initialize success

2011/06/23 08:33:58.0403 3100 ================================================================================

2011/06/23 08:33:58.0403 3100 Scan started

2011/06/23 08:33:58.0403 3100 Mode: Manual;

2011/06/23 08:33:58.0403 3100 ================================================================================

2011/06/23 08:34:04.0151 3100 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/06/23 08:34:04.0221 3100 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/06/23 08:34:04.0341 3100 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/06/23 08:34:04.0452 3100 AegisP (375eb0b97e3950adef3633c27a82438b) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2011/06/23 08:34:04.0542 3100 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys

2011/06/23 08:34:04.0672 3100 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/06/23 08:34:05.0042 3100 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

2011/06/23 08:34:05.0243 3100 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/06/23 08:34:05.0483 3100 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/06/23 08:34:05.0543 3100 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/06/23 08:34:05.0713 3100 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/06/23 08:34:05.0854 3100 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/06/23 08:34:06.0034 3100 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys

2011/06/23 08:34:06.0214 3100 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys

2011/06/23 08:34:06.0324 3100 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\WINDOWS\system32\DRIVERS\avipbb.sys

2011/06/23 08:34:06.0485 3100 bcm4sbxp (e727776a56a51b7e6b7c87c02ea8b405) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys

2011/06/23 08:34:06.0635 3100 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/06/23 08:34:06.0785 3100 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/06/23 08:34:06.0935 3100 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/06/23 08:34:07.0065 3100 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/06/23 08:34:07.0156 3100 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/06/23 08:34:07.0286 3100 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/06/23 08:34:07.0366 3100 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/06/23 08:34:07.0656 3100 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/06/23 08:34:07.0796 3100 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/06/23 08:34:07.0937 3100 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/06/23 08:34:08.0027 3100 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/06/23 08:34:08.0187 3100 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/06/23 08:34:08.0758 3100 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/06/23 08:34:08.0908 3100 Epfwndis (52310e0e603d7da79ecca7d764937a91) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys

2011/06/23 08:34:09.0058 3100 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/06/23 08:34:09.0178 3100 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/06/23 08:34:09.0259 3100 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/06/23 08:34:09.0309 3100 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/06/23 08:34:09.0409 3100 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/06/23 08:34:09.0639 3100 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/06/23 08:34:09.0729 3100 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/06/23 08:34:09.0839 3100 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/06/23 08:34:09.0950 3100 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/06/23 08:34:10.0070 3100 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/06/23 08:34:10.0340 3100 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2011/06/23 08:34:10.0410 3100 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2011/06/23 08:34:10.0971 3100 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2011/06/23 08:34:11.0171 3100 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/06/23 08:34:11.0382 3100 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/06/23 08:34:11.0472 3100 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/06/23 08:34:11.0662 3100 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/06/23 08:34:11.0732 3100 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/06/23 08:34:11.0772 3100 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/06/23 08:34:11.0882 3100 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/06/23 08:34:11.0992 3100 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/06/23 08:34:12.0093 3100 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/06/23 08:34:12.0163 3100 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/06/23 08:34:12.0223 3100 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/06/23 08:34:12.0343 3100 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/06/23 08:34:12.0483 3100 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/06/23 08:34:12.0593 3100 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/06/23 08:34:12.0744 3100 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/06/23 08:34:12.0924 3100 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/06/23 08:34:13.0034 3100 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/06/23 08:34:13.0134 3100 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/06/23 08:34:13.0274 3100 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/06/23 08:34:13.0394 3100 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/06/23 08:34:13.0495 3100 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/06/23 08:34:13.0645 3100 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/06/23 08:34:13.0805 3100 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/06/23 08:34:13.0875 3100 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/06/23 08:34:13.0965 3100 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/06/23 08:34:14.0045 3100 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/06/23 08:34:14.0106 3100 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

2011/06/23 08:34:14.0266 3100 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/06/23 08:34:14.0376 3100 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/06/23 08:34:14.0426 3100 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/06/23 08:34:14.0566 3100 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/06/23 08:34:14.0666 3100 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/06/23 08:34:14.0776 3100 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/06/23 08:34:14.0837 3100 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/06/23 08:34:14.0957 3100 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/06/23 08:34:14.0997 3100 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/06/23 08:34:15.0087 3100 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/06/23 08:34:15.0207 3100 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/06/23 08:34:15.0467 3100 nv (9e4b052c76949de445ad6439cd473548) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/06/23 08:34:15.0968 3100 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/06/23 08:34:16.0118 3100 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/06/23 08:34:16.0229 3100 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/06/23 08:34:16.0279 3100 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

2011/06/23 08:34:16.0399 3100 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/06/23 08:34:16.0499 3100 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/06/23 08:34:16.0569 3100 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/06/23 08:34:16.0689 3100 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys

2011/06/23 08:34:16.0769 3100 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/06/23 08:34:17.0190 3100 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/06/23 08:34:17.0250 3100 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/06/23 08:34:17.0320 3100 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/06/23 08:34:17.0560 3100 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/06/23 08:34:17.0651 3100 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/06/23 08:34:17.0761 3100 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/06/23 08:34:17.0871 3100 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/06/23 08:34:17.0981 3100 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/06/23 08:34:18.0051 3100 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/06/23 08:34:18.0171 3100 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/06/23 08:34:18.0662 3100 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/06/23 08:34:18.0993 3100 s24trans (e2c6abcbefb1d44f6aaeb1cd5d6062d4) C:\WINDOWS\system32\DRIVERS\s24trans.sys

2011/06/23 08:34:19.0193 3100 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/06/23 08:34:19.0333 3100 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2011/06/23 08:34:19.0513 3100 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2011/06/23 08:34:19.0804 3100 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/06/23 08:34:19.0924 3100 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/06/23 08:34:20.0064 3100 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/06/23 08:34:20.0194 3100 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

2011/06/23 08:34:20.0304 3100 STAC97 (5813d453ef8ce49d607c255cf128aceb) C:\WINDOWS\system32\drivers\stac97.sys

2011/06/23 08:34:20.0425 3100 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/06/23 08:34:20.0805 3100 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/06/23 08:34:21.0086 3100 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/06/23 08:34:21.0236 3100 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/06/23 08:34:21.0376 3100 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/06/23 08:34:21.0446 3100 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/06/23 08:34:21.0536 3100 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/06/23 08:34:21.0676 3100 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/06/23 08:34:21.0927 3100 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/06/23 08:34:22.0057 3100 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/06/23 08:34:22.0187 3100 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/06/23 08:34:22.0277 3100 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/06/23 08:34:22.0417 3100 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/06/23 08:34:22.0548 3100 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/06/23 08:34:22.0658 3100 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/06/23 08:34:22.0768 3100 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/06/23 08:34:22.0938 3100 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/06/23 08:34:23.0068 3100 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/06/23 08:34:23.0309 3100 w29n51 (d6006de6a6ed423d8016a03bc50cbe6b) C:\WINDOWS\system32\DRIVERS\w29n51.sys

2011/06/23 08:34:23.0589 3100 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/06/23 08:34:23.0759 3100 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/06/23 08:34:24.0010 3100 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2011/06/23 08:34:24.0140 3100 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/06/23 08:34:24.0230 3100 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/06/23 08:34:24.0350 3100 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0

2011/06/23 08:34:24.0350 3100 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/06/23 08:34:24.0360 3100 ================================================================================

2011/06/23 08:34:24.0360 3100 Scan finished

2011/06/23 08:34:24.0360 3100 ================================================================================

2011/06/23 08:34:24.0370 2836 Detected object count: 1

2011/06/23 08:34:24.0370 2836 Actual detected object count: 1

2011/06/23 08:34:48.0315 2836 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

2011/06/23 08:34:48.0315 2836 \Device\Harddisk0\DR0 - ok

2011/06/23 08:34:48.0315 2836 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure

2011/06/23 08:35:18.0057 0124 Deinitialize success

Link to post
Share on other sites

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

  • If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Here is a copy of the log, I will let you know how the computer behaves.

ComboFix 11-06-23.01 - Bob 06/23/2011 19:19:38.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.208 [GMT -4:00]

Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Bob\g2mdlhlpx.exe

c:\documents and settings\Owner\WINDOWS

c:\windows\system32\Settings

c:\windows\system32\Settings\Settings.ini

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_MYWEBSEARCHSERVICE

.

.

((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 )))))))))))))))))))))))))))))))

.

.

2011-06-23 08:36 . 2011-06-23 08:36 215552 ----a-w- c:\windows\system32\bthsvw32.dll

2011-06-23 08:36 . 2011-06-23 08:36 34816 ----a-w- c:\windows\system32\btwdiw32.dll

2011-06-19 19:00 . 2011-06-21 21:31 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Apple Computer

2011-06-19 19:00 . 2011-06-19 19:02 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\Application Data\Apple Computer

2011-06-19 17:24 . 2011-06-23 19:12 -------- d-----w- c:\windows\system32\NtmsData

2011-06-19 17:23 . 2011-06-19 17:23 -------- d-----w- c:\documents and settings\Bob\Application Data\Avira

2011-06-19 16:57 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-19 16:57 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-19 16:57 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-06-19 16:57 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-06-19 16:57 . 2011-06-19 16:57 -------- d-----w- c:\program files\Avira

2011-06-19 16:57 . 2011-06-19 16:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira

2011-06-18 02:43 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-18 02:43 . 2011-06-18 02:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-18 02:43 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-16 21:26 . 2011-06-16 21:26 -------- d-----w- c:\windows\system32\wbem\Repository

2011-06-16 12:05 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-06-16 11:22 . 2011-06-17 00:02 -------- d-----w- C:\79215b8c7ec6ebc91742

2011-06-15 21:32 . 2011-06-18 20:25 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Apple Computer

2011-06-15 21:32 . 2011-06-15 21:32 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Application Data\Apple Computer

2011-06-15 21:31 . 2011-06-15 21:31 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Application Data\Apple Computer

2011-06-15 21:27 . 2011-06-15 21:31 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Apple Computer

2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-18 21:15 . 2011-05-20 13:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-02 15:31 . 2010-01-31 14:37 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-08-12 14:09 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-08-12 13:59 43520 ------w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2004-08-12 13:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-12 13:57 385024 ------w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2004-08-12 14:01 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll

2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll

2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]

"nwiz"="nwiz.exe" [2004-10-26 921600]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

F1U201.401.lnk - c:\program files\Belkin\F1U201.401\usbshare.exe [2008-10-26 135168]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\btwdiw32]

2011-06-23 08:36 34816 ----a-w- c:\windows\system32\btwdiw32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\btwdlns]

2011-06-23 08:36 34816 ----a-w- c:\windows\system32\btwdiw32.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\dleacoms.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/19/2011 12:57 PM 136360]

R2 btwdlns;Bluetooth Services;c:\windows\System32\svchost.exe -k bthsvc [8/12/2004 10:06 AM 14336]

R2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe -service --> c:\windows\system32\dleacoms.exe -service [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/4/2010 1:30 PM 136176]

S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\DCalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/4/2010 1:30 PM 136176]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvc REG_MULTI_SZ btwdlns

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

.

2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 17:30]

.

2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 17:30]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.kitco.com/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant =

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 68.87.74.166 68.87.68.166

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

HKLM-Run-cleanddm - c:\documents and settings\Bob\Application Data\cleanddm.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-23 19:37

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(812)

c:\windows\system32\btwdiw32.dll

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'explorer.exe'(548)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\dleacoms.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wscntfy.exe

c:\program files\Apoint\Apntex.exe

c:\program files\Apoint\HidFind.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

.

**************************************************************************

.

Completion time: 2011-06-23 19:45:09 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-23 23:45

.

Pre-Run: 52,245,159,936 bytes free

Post-Run: 56,877,412,352 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 1D157699E78471F287ED00A59E5846BD

Link to post
Share on other sites

ComboFix 11-06-23.01 - Bob 06/23/2011 19:19:38.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.208 [GMT -4:00]

Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Bob\g2mdlhlpx.exe

c:\documents and settings\Owner\WINDOWS

c:\windows\system32\Settings

c:\windows\system32\Settings\Settings.ini

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_MYWEBSEARCHSERVICE

.

.

((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 )))))))))))))))))))))))))))))))

.

.

2011-06-23 08:36 . 2011-06-23 08:36 215552 ----a-w- c:\windows\system32\bthsvw32.dll

2011-06-23 08:36 . 2011-06-23 08:36 34816 ----a-w- c:\windows\system32\btwdiw32.dll

2011-06-19 19:00 . 2011-06-21 21:31 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Apple Computer

2011-06-19 19:00 . 2011-06-19 19:02 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\Application Data\Apple Computer

2011-06-19 17:24 . 2011-06-23 19:12 -------- d-----w- c:\windows\system32\NtmsData

2011-06-19 17:23 . 2011-06-19 17:23 -------- d-----w- c:\documents and settings\Bob\Application Data\Avira

2011-06-19 16:57 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-19 16:57 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-19 16:57 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-06-19 16:57 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-06-19 16:57 . 2011-06-19 16:57 -------- d-----w- c:\program files\Avira

2011-06-19 16:57 . 2011-06-19 16:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira

2011-06-18 02:43 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-18 02:43 . 2011-06-18 02:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-18 02:43 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-16 21:26 . 2011-06-16 21:26 -------- d-----w- c:\windows\system32\wbem\Repository

2011-06-16 12:05 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-06-16 11:22 . 2011-06-17 00:02 -------- d-----w- C:\79215b8c7ec6ebc91742

2011-06-15 21:32 . 2011-06-18 20:25 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Apple Computer

2011-06-15 21:32 . 2011-06-15 21:32 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Application Data\Apple Computer

2011-06-15 21:31 . 2011-06-15 21:31 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Application Data\Apple Computer

2011-06-15 21:27 . 2011-06-15 21:31 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Apple Computer

2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-18 21:15 . 2011-05-20 13:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-02 15:31 . 2010-01-31 14:37 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-08-12 14:09 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-08-12 13:59 43520 ------w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2004-08-12 13:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-12 13:57 385024 ------w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2004-08-12 14:01 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll

2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll

2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]

"nwiz"="nwiz.exe" [2004-10-26 921600]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

F1U201.401.lnk - c:\program files\Belkin\F1U201.401\usbshare.exe [2008-10-26 135168]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\btwdiw32]

2011-06-23 08:36 34816 ----a-w- c:\windows\system32\btwdiw32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\btwdlns]

2011-06-23 08:36 34816 ----a-w- c:\windows\system32\btwdiw32.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\dleacoms.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/19/2011 12:57 PM 136360]

R2 btwdlns;Bluetooth Services;c:\windows\System32\svchost.exe -k bthsvc [8/12/2004 10:06 AM 14336]

R2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe -service --> c:\windows\system32\dleacoms.exe -service [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/4/2010 1:30 PM 136176]

S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\DCalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/4/2010 1:30 PM 136176]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvc REG_MULTI_SZ btwdlns

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

.

2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 17:30]

.

2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 17:30]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.kitco.com/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant =

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 68.87.74.166 68.87.68.166

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

HKLM-Run-cleanddm - c:\documents and settings\Bob\Application Data\cleanddm.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-23 19:37

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(812)

c:\windows\system32\btwdiw32.dll

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'explorer.exe'(548)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\dleacoms.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wscntfy.exe

c:\program files\Apoint\Apntex.exe

c:\program files\Apoint\HidFind.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

.

**************************************************************************

.

Completion time: 2011-06-23 19:45:09 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-23 23:45

.

Pre-Run: 52,245,159,936 bytes free

Post-Run: 56,877,412,352 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 1D157699E78471F287ED00A59E5846BD

Link to post
Share on other sites

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

c:\windows\system32\btwdiw32.dll

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If virustotal is too busy you can try these.

http://virusscan.jotti.org

http://www.kaspersky.com/scanforvirus.html

Link to post
Share on other sites

btwdiw32.dll

Submission date: 2011-06-24 11:19:01 (UTC)

Current status: queued (#34) queued (#34) analysing finished

Result: 8/ 42 (19.0%)

VT Community

not reviewed

Safety score: -

Compact Print results Antivirus Version Last Update Result

AhnLab-V3 2011.06.24.01 2011.06.24 -

AntiVir 7.11.10.97 2011.06.24 -

Antiy-AVL 2.0.3.7 2011.06.23 -

Avast 4.8.1351.0 2011.06.24 -

Avast5 5.0.677.0 2011.06.24 -

AVG 10.0.0.1190 2011.06.24 BackDoor.Delf.19.A

BitDefender 7.2 2011.06.24 Gen:Variant.Sasfis.2

CAT-QuickHeal 11.00 2011.06.24 -

ClamAV 0.97.0.0 2011.06.24 -

Commtouch 5.3.2.6 2011.06.24 -

Comodo 9176 2011.06.24 TrojWare.Win32.TrojanDownloader.Murlo.~JH2

DrWeb 5.0.2.03300 2011.06.24 -

eSafe 7.0.17.0 2011.06.23 -

eTrust-Vet 36.1.8404 2011.06.24 -

F-Prot 4.6.2.117 2011.06.23 -

F-Secure 9.0.16440.0 2011.06.24 Gen:Variant.Sasfis.2

Fortinet 4.2.257.0 2011.06.24 W32/Koblu.FA!tr

GData 22 2011.06.24 Gen:Variant.Sasfis.2

Ikarus T3.1.1.104.0 2011.06.24 Trojan.Backdoor.Delf

Jiangmin 13.0.900 2011.06.23 -

K7AntiVirus 9.106.4837 2011.06.23 -

Kaspersky 9.0.0.837 2011.06.24 -

McAfee 5.400.0.1158 2011.06.24 -

McAfee-GW-Edition 2010.1D 2011.06.24 -

Microsoft 1.7000 2011.06.24 -

NOD32 6235 2011.06.24 -

Norman 6.07.10 2011.06.24 -

nProtect 2011-06-24.01 2011.06.24 Gen:Variant.Sasfis.2

Panda 10.0.3.5 2011.06.23 -

PCTools 8.0.0.5 2011.06.23 -

Prevx 3.0 2011.06.24 -

Rising 23.63.04.01 2011.06.24 -

Sophos 4.66.0 2011.06.24 -

SUPERAntiSpyware 4.40.0.1006 2011.06.24 -

Symantec 20111.1.0.186 2011.06.24 -

TheHacker 6.7.0.1.239 2011.06.23 -

TrendMicro 9.200.0.1012 2011.06.24 -

TrendMicro-HouseCall 9.200.0.1012 2011.06.24 -

VBA32 3.12.16.2 2011.06.23 -

VIPRE 9676 2011.06.24 -

ViRobot 2011.6.24.4531 2011.06.24 -

VirusBuster 14.0.92.1 2011.06.23 -

Additional informationShow all

MD5 : 3e610f841f6d349657aa8bc2f19068bc

SHA1 : e4cd24d1a221a309fe52e8a23a66d0fc3b43bb48

SHA256: d4e85c0330f61c412ff1c994058346a5017fdb22ff1d694d6f29aeeb166b6ef2

ssdeep: 768:Y2htj67c4/GENWjU8wZoZMcSaWRWaOgcMs73159tH:Y6j63/OU3QMcS6ad0Vp

File size : 34816 bytes

First seen: 2011-06-24 11:19:01

Last seen : 2011-06-24 11:19:01

Symantec reputation:Suspicious.Insight

VT Community

Link to post
Share on other sites

BackDoor That's not good. I need to give you this advice:

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.

Link to post
Share on other sites

We need to collect those

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

http://forums.malwarebytes.org/index.php?showtopic=87777&st=0&gopid=445059entry445059

Collect::
c:\windows\system32\bthsvw32.dll
c:\windows\system32\btwdiw32.dll


Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\btwdiw32]

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Computer behaving normally....

ComboFix 11-06-24.01 - Bob 06/24/2011 8:50.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.116 [GMT -4:00]

Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

file zipped: c:\windows\system32\bthsvw32.dll

file zipped: c:\windows\system32\btwdiw32.dll

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\bthsvw32.dll

c:\windows\system32\btwdiw32.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_btwdlns

-------\Service_btwdlns

.

.

((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))

.

.

2011-06-19 19:00 . 2011-06-21 21:31 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Apple Computer

2011-06-19 19:00 . 2011-06-19 19:02 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\Application Data\Apple Computer

2011-06-19 17:24 . 2011-06-23 19:12 -------- d-----w- c:\windows\system32\NtmsData

2011-06-19 17:23 . 2011-06-19 17:23 -------- d-----w- c:\documents and settings\Bob\Application Data\Avira

2011-06-19 16:57 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-19 16:57 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-19 16:57 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-06-19 16:57 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-06-19 16:57 . 2011-06-19 16:57 -------- d-----w- c:\program files\Avira

2011-06-19 16:57 . 2011-06-19 16:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira

2011-06-18 02:43 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-18 02:43 . 2011-06-18 02:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-18 02:43 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-16 21:26 . 2011-06-16 21:26 -------- d-----w- c:\windows\system32\wbem\Repository

2011-06-16 12:05 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-06-16 11:22 . 2011-06-17 00:02 -------- d-----w- C:\79215b8c7ec6ebc91742

2011-06-15 21:32 . 2011-06-18 20:25 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Apple Computer

2011-06-15 21:32 . 2011-06-15 21:32 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Application Data\Apple Computer

2011-06-15 21:31 . 2011-06-15 21:31 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Application Data\Apple Computer

2011-06-15 21:27 . 2011-06-15 21:31 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Apple Computer

2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-18 21:15 . 2011-05-20 13:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-02 15:31 . 2010-01-31 14:37 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-08-12 14:09 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-08-12 13:59 43520 ------w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2004-08-12 13:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-12 13:57 385024 ------w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2004-08-12 14:01 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll

2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll

2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]

"nwiz"="nwiz.exe" [2004-10-26 921600]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

F1U201.401.lnk - c:\program files\Belkin\F1U201.401\usbshare.exe [2008-10-26 135168]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\dleacoms.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/19/2011 12:57 PM 136360]

R2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe -service --> c:\windows\system32\dleacoms.exe -service [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/4/2010 1:30 PM 136176]

S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\DCalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/4/2010 1:30 PM 136176]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvc REG_MULTI_SZ btwdlns

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

.

2011-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 17:30]

.

2011-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 17:30]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.kitco.com/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant =

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 68.87.74.166 68.87.68.166

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-24 09:07

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(808)

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'explorer.exe'(468)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\dleacoms.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\system32\wscntfy.exe

c:\program files\Apoint\HidFind.exe

c:\program files\Apoint\Apntex.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-06-24 09:13:56 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-24 13:13

ComboFix2.txt 2011-06-23 23:45

.

Pre-Run: 56,861,495,296 bytes free

Post-Run: 56,894,627,840 bytes free

.

- - End Of File - - AC53FB967653318C2C4AE88551413233

Upload was successful

Link to post
Share on other sites

Good job thumbup.gif

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

    [*]Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week

    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    [*]Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.

    Without a firewall your computer is succeptible to being hacked and taken over.

    I am very serious about this and see it happen almost every day with my clients.

    Simply using a Firewall in its default configuration can lower your risk greatly.

    [*]Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.

    •Free browser plug-in for Internet Explorer and Firefox

    •Real-time safety ratings

    •Ideal for Facebook, Twitter and LinkedIn

    [*] JAVA Click this link and click on the Free JAVA Download

    [*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.

    This will ensure your computer has always the latest security updates available installed on your computer.

    If there are new updates to install, install them immediately, reboot your computer, and revisit the site

    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.