
Need assistance



Hello MBAM forums,

I was redirected by a moderator to this board to ask for assistance removing a virus.

I have done everything recommended here (http://forums.malwarebytes.org//index.php?showtopic=9573) that I was able to do.

-MBAM would not run even though I am in safe mode.

-Microsoft Security Essentials could not install properly.

-Defogger ran but never prompted me to reboot and showed the same screen as if I had never disabled my drives.

-DDS log is:

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702

Run by Administrator at 3:25:22 on 2011-10-14

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.627 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

svchost.exe

svchost.exe

C:\WINDOWS\892681630:1640155850.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\igfxsrvc.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.sony.com/vaiopeople

uURLSearchHooks: H - No File

uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_07\bin\ssv.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [skyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe

mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_07\bin\jusched.exe

mRun: [sonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"

mRun: [iSBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe

mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary

mRun: [VAIOSecurity] "c:\program files\sony\vaio security center\VSC.exe" 1

mRun: [switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe

mRun: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe

mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-us\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

TCP: Interfaces\{5C4A479F-F946-4BB3-8C8C-09D5BC37E435} : DhcpNameServer = 75.75.75.75 75.75.76.76

Notify: igfxcui - igfxdev.dll

Notify: VESWinlogon - VESWinlogon.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\tqm5cjr0.default\

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

.

============= SERVICES / DRIVERS ===============

.

R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-10-12 232512]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]

S2 navapsvc;Norton AntiVirus Auto-Protect Service;"c:\program files\norton internet security\norton antivirus\navapsvc.exe" --> c:\program files\norton internet security\norton antivirus\navapsvc.exe [?]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2011-10-10 1120960]

S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-9-1 226304]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-10-14 06:42:01 -------- d-----w- c:\documents and settings\administrator\application data\DDMSettings

2011-10-14 06:22:32 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE

2011-10-14 06:08:57 133616 ------w- c:\windows\system32\pxafs.dll

2011-10-14 06:07:37 -------- d-----w- c:\windows\system32\drivers\nss\0306000.01F

2011-10-14 06:07:37 -------- d-----w- c:\windows\system32\drivers\NSS

2011-10-14 06:07:37 -------- d-----w- c:\program files\Norton Security Scan

2011-10-14 06:07:37 -------- d-----w- c:\documents and settings\all users\application data\Norton

2011-10-14 06:07:33 -------- d-----w- c:\program files\NortonInstaller

2011-10-14 06:07:33 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller

2011-10-14 06:04:38 645632 ----a-w- c:\windows\system32\xvidcore.dll

2011-10-14 06:04:38 240640 ----a-w- c:\windows\system32\xvidvfw.dll

2011-10-14 06:04:38 153088 ----a-w- c:\windows\system32\xvid.ax

2011-10-14 06:04:36 -------- d-----w- c:\program files\Xvid

2011-10-14 05:31:52 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll

2011-10-14 05:30:58 -------- d-----w- c:\program files\common files\xing shared

2011-10-14 05:30:27 150696 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll

2011-10-14 05:30:19 107008 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll

2011-10-14 04:32:07 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Adobe

2011-10-14 03:15:45 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla

2011-10-13 23:29:45 -------- d-sh--w- c:\documents and settings\administrator\IETldCache

2011-10-13 06:48:48 -------- d-----w- c:\program files\common files\DivX Shared

2011-10-13 06:48:19 -------- d-----w- c:\program files\DivX

2011-10-13 06:47:45 -------- d-----w- c:\documents and settings\all users\application data\DivX

2011-10-13 05:06:54 -------- d-----w- c:\program files\CureROM

2011-10-13 04:30:59 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll

2011-10-13 04:25:21 -------- d--h--w- c:\windows\msdownld.tmp

2011-10-13 04:25:03 -------- d-----w- c:\windows\Logs

2011-10-13 03:39:46 -------- d-----w- c:\windows\ie8updates

2011-10-13 03:29:16 -------- dc-h--w- c:\windows\ie8

2011-10-13 03:27:31 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2011-10-13 03:27:31 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-10-13 03:27:30 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-10-13 03:27:30 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-10-13 03:27:29 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-10-13 03:27:29 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2011-10-13 03:27:27 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll

2011-10-12 20:31:03 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes

2011-10-12 06:50:58 98304 ----a-w- c:\windows\system32\CmdLineExt.dll

2011-10-12 06:37:03 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2011-10-12 06:36:47 -------- d-----w- c:\program files\DAEMON Tools Lite

2011-10-12 06:18:18 -------- d-----w- c:\documents and settings\all users\application data\DAEMON Tools Lite

2011-10-11 19:08:31 -------- d-----w- c:\windows\system32\XPSViewer

2011-10-11 19:07:54 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

2011-10-11 19:07:41 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2011-10-11 19:07:41 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2011-10-11 19:07:41 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2011-10-11 19:07:41 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2011-10-11 19:07:41 575488 ------w- c:\windows\system32\xpsshhdr.dll

2011-10-11 19:07:41 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2011-10-11 19:07:41 1676288 ------w- c:\windows\system32\xpssvcs.dll

2011-10-11 19:07:41 117760 ------w- c:\windows\system32\prntvpt.dll

2011-10-11 19:07:38 -------- d-----w- C:\e08a0cee64044d24ec

2011-10-11 19:04:35 -------- d-----w- c:\program files\MSXML 6.0

2011-10-11 06:00:30 -------- d-----w- c:\windows\system32\CatRoot_bak

2011-10-11 05:53:37 -------- d-----w- c:\program files\MSXML 4.0

2011-10-11 05:50:06 420352 -c--a-w- c:\windows\system32\dllcache\vbscript.dll

2011-10-11 05:49:55 -------- d-----w- c:\program files\Pidgin

2011-10-11 05:44:55 -------- d-----w- c:\windows\system32\PreInstall

2011-10-11 05:42:00 -------- d-----w- c:\windows\system32\appmgmt

2011-10-11 05:37:57 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-11 05:33:00 -------- d-----w- c:\program files\uTorrent

2011-10-11 05:23:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-11 05:14:11 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-10-11 05:14:11 -------- d-----w- c:\windows\system32\wbem\Repository

2011-10-11 05:12:51 -------- d-----w- c:\documents and settings\all users\ImageConverter2

2011-10-11 05:12:49 -------- d-----w- c:\program files\common files\Napster Shared

2011-10-11 05:12:46 -------- d-----w- c:\program files\Napster

2011-10-11 05:11:36 -------- d-----w- c:\program files\common files\InterVideo

2011-10-11 05:11:29 -------- d-----w- c:\program files\InterVideo

2011-10-10 07:24:53 -------- d-----w- C:\6f2676f81ac18667369835d4f8adf8f7

2011-10-10 07:06:04 -------- d-----w- c:\windows\ServicePackFiles

2011-10-10 07:02:37 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2011-10-10 07:02:37 272128 ------w- c:\windows\system32\drivers\bthport.sys

2011-10-10 07:01:55 138368 -c----w- c:\windows\system32\dllcache\afd.sys

2011-10-10 07:01:53 352640 -c----w- c:\windows\system32\dllcache\srv.sys

2011-10-10 07:01:12 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2011-10-10 07:00:13 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll

2011-10-10 06:59:31 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe

2011-10-10 06:59:29 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys

2011-10-10 06:59:08 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2011-10-10 06:58:42 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll

2011-10-10 06:58:37 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2011-10-10 06:58:11 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2011-10-10 06:57:55 23040 ------w- c:\windows\kb913800.exe

2011-10-10 06:54:10 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

2011-10-10 06:54:03 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll

2011-10-10 06:52:48 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2011-10-10 06:52:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-10-10 06:51:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-10 06:49:50 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe

2011-10-10 06:49:49 76288 -c----w- c:\windows\system32\dllcache\telnet.exe

2011-10-10 06:49:45 58880 -c----w- c:\windows\system32\dllcache\atl.dll

2011-10-10 06:49:42 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe

2011-10-10 06:49:41 283648 -c----w- c:\windows\system32\dllcache\gdi32.dll

2011-10-10 06:49:19 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll

2011-10-10 04:59:01 -------- d-----w- c:\program files\Mozilla Firefox(2)

2011-10-10 04:49:08 -------- d-----w- c:\windows\system32\SoftwareDistribution

2011-10-10 04:42:05 2817752 ----a-w- c:\windows\WindowsXPMediaCenter2005-kb908250-enu.bak

2011-10-10 04:41:44 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll

2011-10-10 04:41:44 20480 ----a-w- c:\windows\system32\IVIresize.dll

2011-10-10 04:41:44 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll

2011-10-10 04:41:44 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll

2011-10-10 04:41:44 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll

2011-10-10 04:41:44 188416 ----a-w- c:\windows\system32\IVIresizePX.dll

2011-10-10 04:40:25 -------- d-----w- c:\program files\Microsoft Digital Image 2006

2011-10-10 04:36:17 10344 ----a-w- c:\windows\system32\drivers\symlcbrd.sys

2011-10-10 04:34:39 -------- d-----w- c:\program files\Symantec

2011-10-10 04:34:34 -------- d-----w- c:\documents and settings\all users\application data\Symantec

2011-10-10 04:34:24 -------- d-----w- c:\program files\common files\Symantec Shared

2011-10-10 04:31:45 -------- d-----w- c:\documents and settings\all users\application data\VAIO Media Platform

2011-10-10 04:31:19 2981888 ----a-w- c:\windows\system32\iplw7.dll

2011-10-10 04:31:19 2502656 ----a-w- c:\windows\system32\iplpx.dll

2011-10-10 04:31:18 53248 ----a-w- c:\windows\system32\ipl.dll

2011-10-10 04:31:18 2973696 ----a-w- c:\windows\system32\ipla6.dll

2011-10-10 04:31:18 2785280 ----a-w- c:\windows\system32\iplm6.dll

2011-10-10 04:31:18 2686976 ----a-w- c:\windows\system32\iplm5.dll

2011-10-10 04:31:18 2531328 ----a-w- c:\windows\system32\iplp6.dll

2011-10-10 04:31:18 19968 ----a-w- c:\windows\system32\Cpuinf32.dll

2011-10-10 04:30:37 -------- d-----w- c:\windows\Downloaded Installations

2011-10-10 04:29:52 -------- d-----w- c:\program files\Quicken

2011-10-10 04:29:52 -------- d-----w- c:\documents and settings\administrator\application data\Intuit

2011-10-10 04:29:49 -------- d-----w- c:\documents and settings\all users\application data\Intuit

2011-10-10 04:27:48 25840 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll

2011-10-10 04:27:48 24816 ----a-w- c:\windows\system32\mdimon.dll

2011-10-10 04:27:17 -------- d-----w- c:\program files\Microsoft ActiveSync

2011-10-10 04:27:03 -------- d-----w- c:\windows\SHELLNEW

2011-10-10 04:24:13 -------- d-----w- c:\documents and settings\all users\application data\Digital Interactive Systems Corporation

2011-10-10 04:20:57 -------- d-----w- c:\program files\Trend Micro

2011-10-10 04:19:57 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll

2011-10-10 04:19:56 692224 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll

2011-10-10 04:19:56 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll

2011-10-10 04:19:56 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe

2011-10-10 04:19:56 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll

2011-10-10 04:19:56 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll

2011-10-10 04:19:56 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll

2011-10-10 04:19:41 770048 ----a-w- c:\windows\system32\CDDBUISony.dll

2011-10-10 04:19:41 73728 ----a-w- c:\windows\system32\CddbLinkSony.dll

2011-10-10 04:19:41 643072 ----a-w- c:\windows\system32\CDDBControlSony.dll

2011-10-10 04:19:41 585728 ----a-w- c:\windows\system32\CddbMusicIDSony.dll

2011-10-10 04:19:41 520192 ----a-w- c:\windows\system32\CddbPlaylist2Sony.dll

.

==================== Find3M ====================

.

2011-07-22 20:51:50 94208 ----a-w- c:\windows\system32\dpl100.dll

.

============= FINISH: 3:31:02.59 ===============

-When I attempt to install GMER Rootkit I am given the error:

LoadDriver("C:\DOCUME~1\ADMINI~1\Locals~1\Temp\uwtorpog.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key.

GMER Rootkit then opens and shows a blank GUI; I'm not sure how to use it, so I closed it.

I'm in over my head on this one; whatever I have has resisted MBAM, Norton and Avast, and it continues to disable a lot of functions in Safe Mode.

Any assistance will be greatly appreciated.

Thanks,

Rob


  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


MBAM log

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7985

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 6.0.2900.2180

10/19/2011 9:05:02 PM

mbam-log-2011-10-19 (21-05-02).txt

Scan type: Quick scan

Objects scanned: 165142

Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

COMBOFIX log

ComboFix 11-10-19.06 - Administrator 10/19/2011 21:29:56.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.783 [GMT -4:00]

Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\dasetup.log

c:\windows\kb835221.exe

c:\windows\kb913800.exe

c:\windows\setup.exe

c:\windows\system32\d3d9caps.dat

c:\windows\system32\Thumbs.db

c:\windows\windows-kb870669-x86-enu.exe

c:\windows\windowsinstaller-kb893803-v2-x86.exe

c:\windows\windowsmedia10-kb917734-x86-enu.exe

c:\windows\windowsxp-kb307154-x86-enu.exe

c:\windows\windowsxp-kb873339-x86-enu.exe

c:\windows\windowsxp-kb884018-x86-enu.exe

c:\windows\windowsxp-kb884575-x86-enu.exe

c:\windows\windowsxp-kb885250-x86-enu.exe

c:\windows\windowsxp-kb885835-x86-enu.exe

c:\windows\windowsxp-kb885836-x86-enu.exe

c:\windows\windowsxp-kb886185-x86-enu.exe

c:\windows\windowsxp-kb887472-x86-enu.exe

c:\windows\windowsxp-kb887742-x86-enu.exe

c:\windows\windowsxp-kb888113-x86-enu.exe

c:\windows\windowsxp-kb888239-x86-enu.exe

c:\windows\windowsxp-kb888302-x86-enu.exe

c:\windows\windowsxp-kb888321-x86-enu.exe

c:\windows\windowsxp-kb890046-x86-enu.exe

c:\windows\windowsxp-kb890859-x86-enu.exe

c:\windows\windowsxp-kb891781-x86-enu.exe

c:\windows\windowsxp-kb892130-enu-x86.exe

c:\windows\WindowsXP-KB893056-x86-ENU.exe

c:\windows\windowsxp-kb893066-v2-x86-enu.exe

c:\windows\windowsxp-kb893357-v2-x86-enu.exe

c:\windows\windowsxp-kb893756-x86-enu.exe

c:\windows\windowsxp-kb894391-x86-enu.exe

c:\windows\windowsxp-kb896358-x86-enu.exe

c:\windows\windowsxp-kb896422-x86-enu.exe

c:\windows\windowsxp-kb896423-x86-enu.exe

c:\windows\windowsxp-kb896424-x86-enu.exe

c:\windows\windowsxp-kb896428-x86-enu.exe

c:\windows\windowsxp-kb896688-x86-enu.exe

c:\windows\windowsxp-kb896727-x86-enu.exe

c:\windows\windowsxp-kb899587-x86-enu.exe

c:\windows\windowsxp-kb899588-x86-enu.exe

c:\windows\windowsxp-kb899589-x86-enu.exe

c:\windows\windowsxp-kb899591-x86-enu.exe

c:\windows\windowsxp-kb900466-x86-enu.exe

c:\windows\windowsxp-kb900485-v2-x86-enu.exe

c:\windows\windowsxp-kb900725-x86-enu.exe

c:\windows\windowsxp-kb901017-x86-enu.exe

c:\windows\windowsxp-kb901214-x86-enu.exe

c:\windows\windowsxp-kb902400-x86-enu.exe

c:\windows\windowsxp-kb903235-x86-enu.exe

c:\windows\windowsxp-kb904706-x86-enu.exe

c:\windows\windowsxp-kb905414-x86-enu.exe

c:\windows\windowsxp-kb905749-x86-enu.exe

c:\windows\windowsxp-kb905915-x86-enu.exe

c:\windows\windowsxp-kb908519-x86-enu.exe

c:\windows\windowsxp-kb908531-x86-enu.exe

c:\windows\windowsxp-kb909667-x86-enu.exe

c:\windows\windowsxp-kb910437-x86-enu.exe

c:\windows\windowsxp-kb910728-x86-enu.exe

c:\windows\windowsxp-kb911280-x86-enu.exe

c:\windows\windowsxp-kb911562-x86-enu.exe

c:\windows\windowsxp-kb911567-x86-enu.exe

c:\windows\windowsxp-kb911927-x86-enu.exe

c:\windows\windowsxp-kb912919-x86-enu.exe

c:\windows\windowsxp-kb912945-x86-enu.exe

c:\windows\windowsxp-kb914388-x86-enu.exe

c:\windows\windowsxp-kb914389-x86-enu.exe

c:\windows\windowsxp-kb916281-x86-enu.exe

c:\windows\windowsxp-kb917159-x86-enu.exe

c:\windows\windowsxp-kb917344-x86-enu.exe

c:\windows\windowsxp-kb917953-x86-enu.exe

c:\windows\windowsxp-kb918439-x86-enu.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))

.

.

2011-10-20 00:59 . 2011-10-20 00:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-10-20 00:59 . 2011-10-20 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-10-20 00:59 . 2011-10-20 00:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-20 00:59 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-19 04:40 . 2011-10-19 04:40 -------- d-----w- c:\documents and settings\Rob

2011-10-19 04:38 . 2011-10-19 04:28 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Skype

2011-10-19 04:38 . 2011-10-19 04:28 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory

2011-10-19 04:38 . 2011-10-18 16:52 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\.purple

2011-10-19 04:38 . 2006-09-01 23:44 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Sony Corporation

2011-10-19 04:38 . 2011-10-15 06:39 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla

2011-10-19 04:38 . 2011-10-15 06:34 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData

2011-10-19 04:38 . 2006-09-01 23:33 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150070}

2011-10-19 04:35 . 2011-10-15 06:34 -------- d-s---w- c:\documents and settings\Default User\UserData

2011-10-19 04:32 . 2011-10-19 19:01 -------- d-----w- c:\windows\LastGood

2011-10-18 16:52 . 2011-10-18 16:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\.purple

2011-10-18 16:51 . 2011-10-19 04:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2011-10-18 16:51 . 2011-10-18 16:51 -------- d-----r- c:\program files\Skype

2011-10-18 16:49 . 2011-10-18 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2011-10-17 07:04 . 2011-10-17 07:04 -------- d-----w- c:\windows\ServicePackFiles

2011-10-17 07:02 . 2011-10-17 07:02 -------- d-----w- c:\program files\MSXML 4.0

2011-10-17 05:15 . 2011-10-17 05:16 -------- d-----w- c:\program files\Pidgin

2011-10-16 18:44 . 2011-10-16 18:55 -------- d-----w- c:\windows\system32\CatRoot_bak

2011-10-16 18:40 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2011-10-16 18:40 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys

2011-10-16 18:40 . 2009-12-31 16:14 352640 -c----w- c:\windows\system32\dllcache\srv.sys

2011-10-16 18:39 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2011-10-16 18:39 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll

2011-10-16 18:39 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2011-10-16 18:38 . 2009-10-15 17:21 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll

2011-10-16 18:38 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2011-10-16 18:37 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe

2011-10-16 18:34 . 2008-05-08 12:28 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys

2011-10-16 18:33 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2011-10-16 17:33 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

2011-10-16 17:33 . 2008-10-15 16:57 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll

2011-10-16 17:32 . 2009-07-31 04:57 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll

2011-10-16 17:06 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2011-10-15 13:02 . 2011-10-15 13:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

2011-10-15 06:42 . 2011-10-15 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2011-10-15 06:42 . 2011-10-15 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2011-10-15 06:42 . 2011-10-15 13:02 -------- d-----w- c:\program files\McAfee Security Scan

2011-10-15 06:39 . 2011-10-15 06:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2011-10-15 06:37 . 2011-10-15 06:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-15 06:34 . 2011-10-15 06:34 -------- d-s---w- c:\documents and settings\Administrator\UserData

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-29 06:53 . 2011-10-15 06:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19550344]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-10 217088]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]

"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]

"VAIOSecurity"="c:\program files\Sony\VAIO Security Center\VSC.exe" [2006-03-20 679936]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2006-06-20 23:11 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [9/1/2006 5:56 PM 226304]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MDMXSDK

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-19 c:\windows\Tasks\Registration reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-09-01 12:00]

.

2011-10-19 c:\windows\Tasks\Registration reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-09-01 12:00]

.

2011-10-19 c:\windows\Tasks\Registration reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-09-01 12:00]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.sony.com/vaiopeople

uInternet Connection Wizard,ShellNext = hxxp://www.start-63749.com/ac3.php?aid=461&sid=direc32

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u2ki4ye3.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-19 22:07

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(796)

c:\windows\system32\VESWinlogon.dll

.

Completion time: 2011-10-19 22:21:53

ComboFix-quarantined-files.txt 2011-10-20 02:21

.

Pre-Run: 84,541,202,432 bytes free

Post-Run: 84,411,617,280 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - B6874CDEAA05BB75E5D635AE035595A9
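A small triage script for log lines in the shape of the DDS and ComboFix output above (an added example for this thread, not code from DDS, ComboFix or the Malwarebytes staff): it tracks the section headers and reports the entries a reviewer looks at first, such as a bare process path whose file name carries a second colon (an NTFS alternate data stream, like the 892681630:1640155850.exe entry under Running Processes), hook entries marked "No File", and a ShellNext value pointing at a host outside a reviewer-supplied allowlist (like the start-63749.com entry in the ComboFix Supplementary Scan). The sample log is constructed from a few lines of the thread, and the trusted-host list is an assumption of the example.

```python
"""Triage helper for DDS / ComboFix style logs.

Added example for this thread, not part of DDS, ComboFix or Malwarebytes.
It reads the log line by line, tracks the section headers (===== X =====
or ((((( X ))))) ) and reports entries a reviewer would look at first.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


# Constructed sample: a handful of lines in the shape of the logs posted in
# this thread (the "hxxp" defanging is kept exactly as DDS writes it).
SAMPLE_LOG = """\
============== Running Processes ===============
C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\WINDOWS\\892681630:1640155850.exe
C:\\WINDOWS\\Explorer.EXE
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.sony.com/vaiopeople
uURLSearchHooks: H - No File
uInternet Connection Wizard,ShellNext = hxxp://www.start-63749.com/ac3.php?aid=461&sid=direc32
mRun: [igfxtray] c:\\windows\\system32\\igfxtray.exe
"""

# "===== Running Processes =====" (DDS) or "((((( Files Created ... )))))" (ComboFix)
SECTION_RE = re.compile(r"^[=(]+\s*(.+?)\s*[=)]+$")
# A bare path (as listed under Running Processes) whose last component carries
# a second colon, i.e. the executable lives in an NTFS alternate data stream.
ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\\S*\\[^\\\s:]*:[^\\\s:]+$")
# Executable whose file name is nothing but digits.
NUMERIC_EXE_RE = re.compile(r"\\\d+\.exe$", re.IGNORECASE)
# DDS marks hooks/BHOs whose DLL is gone with "- No File".
NO_FILE_RE = re.compile(r"-\s*No File$")
SHELLNEXT_RE = re.compile(r"ShellNext\s*=\s*(\S+)", re.IGNORECASE)


def triage(log_text: str, trusted_hosts=frozenset()) -> list:
    """Return the entries worth a second look, in log order.

    trusted_hosts: hostnames a ShellNext value may point to without being
    reported (assumption: the reviewer supplies this list; default is empty).
    """
    findings = []
    section = "(preamble)"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS/ComboFix use "." as a spacer
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if ADS_PATH_RE.match(line):
            findings.append(Finding(section, line,
                            "executable path names an NTFS alternate data stream"))
        elif NUMERIC_EXE_RE.search(line):
            findings.append(Finding(section, line, "executable name is all digits"))
        if NO_FILE_RE.search(line):
            findings.append(Finding(section, line,
                            "hook/BHO entry points at a missing file"))
        m = SHELLNEXT_RE.search(line)
        if m:
            url = m.group(1).replace("hxxp", "http", 1)   # undo DDS defanging
            host = urlparse(url).hostname or "?"
            if host not in trusted_hosts:
                findings.append(Finding(section, line,
                                f"ShellNext redirects to untrusted host {host}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a saved DDS.txt or ComboFix.txt by passing the file contents to triage(); entries it does not flag still need a human read, it only orders the first look.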

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
