BleepingComputer.com: tdsskiller trojanTDSS modified ??


tdsskiller trojanTDSS modified ?? results of removal are different from shown

#31 Elise

  • Bleepin' Blonde
  • Group: Malware Study Hall Admin
  • Posts: 39,019
  • Joined: 05-October 07
  • Gender: Female
  • Location: Romania

Posted 24 December 2011 - 02:08 AM

I replied to your other topic.
Please let me know how you want to continue in this topic: are you going with the reformat right now, or do you first want to clean it?
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

#32 dewalt

  • Member
  • Group: Members
  • Posts: 64
  • Joined: 02-August 06

Posted 24 December 2011 - 03:37 AM

I'm not sure which is the best way to go. I would rely on your recommendation and experience, but my understanding is that if you reformat you need a copy of the OS to load back over the reformatted (C:\) drive, and I don't have a copy of Win 7 just now (again, it was loaded by a computer technician). So if I need the copy of Win 7, I guess I'll have to wait 'til I get a copy, or the second option is to try to clean it the best way I can . . . but you did not seem very enthusiastic about going that route. But whichever, I would still like to be able to use the computer again.

I guess I need to find out what is involved in reformatting, but then wouldn't we still have to scan the second drive to see if the malware has put duplicate or replicating files on the second drive?

David

#33 Elise


Posted 24 December 2011 - 04:25 AM

In that case I would definitely go for cleaning right now; that way at least your machine is no longer infected. Please follow the ComboFix steps I posted earlier.
regards, Elise


#34 dewalt


Posted 24 December 2011 - 05:41 AM

Will do, but it will be much later today or even tomorrow.

David

#35 Elise


Posted 24 December 2011 - 06:11 AM

No problem, post when ready! :)
regards, Elise


#36 dewalt


Posted 24 December 2011 - 01:23 PM

Have replied to status on COMPUTER 2. You can read it in the other thread, but the bottom line is that first dds.scr will not download; then, when I try to run it from the copy on the flash drive, it appears to scan to the same point, then stops with no report to post.

Will be leaving for holiday festivities and will not have any further time until tomorrow, US Houston time.

If you participate in this holiday, hope you take time for yourself and family and friends.

David

#37 Elise


Posted 24 December 2011 - 01:41 PM

Please keep this topic only about the computer we are working on; I'll see your replies in the other topic and reply to them there.

Happy holidays!
regards, Elise


#38 dewalt


Posted 27 December 2011 - 12:24 AM

Elise:

Okay, have gotten back to it. Biggest part of the holiday season is over so it was time to find out where things were and where to get started.

So I started with downloading COMBOFIX onto COMPUTER1 to run. Even though I thought I had unchecked it as real protection, COMBOFIX apparently could still see it and said that if I continued it would be at my risk, but to go ahead. It apparently ran; I got a quick message that the machine was infected by rootkit A? The message disappeared very quickly, something about infected in tcp/ip? stack, something like that, but it eventually finished. Log is included. Won't know if it's fixed everything, but will use the second computer because I see a notice that the primary HD is indicated as bad.


ComboFix 11-12-26.03 - David 12/26/2011 22:08:06.2.1 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1263.364 [GMT -6:00]
Running from: c:\users\David\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\David\AppData\Local\Temp\7zS5227\HPSLPSVC32.DLL
c:\windows\$NtUninstallKB62967$
c:\windows\$NtUninstallKB62967$\3507692772\@
c:\windows\$NtUninstallKB62967$\3507692772\bckfg.tmp
c:\windows\$NtUninstallKB62967$\3507692772\cfg.ini
c:\windows\$NtUninstallKB62967$\3507692772\Desktop.ini
c:\windows\$NtUninstallKB62967$\3507692772\keywords
c:\windows\$NtUninstallKB62967$\3507692772\kwrd.dll
c:\windows\$NtUninstallKB62967$\3507692772\L\xadqgnnk
c:\windows\$NtUninstallKB62967$\3507692772\lsflt7.ver
c:\windows\$NtUninstallKB62967$\3507692772\U\00000001.@
c:\windows\$NtUninstallKB62967$\3507692772\U\00000002.@
c:\windows\$NtUninstallKB62967$\3507692772\U\00000004.@
c:\windows\$NtUninstallKB62967$\3507692772\U\80000000.@
c:\windows\$NtUninstallKB62967$\3507692772\U\80000004.@
c:\windows\$NtUninstallKB62967$\3507692772\U\80000032.@
c:\windows\$NtUninstallKB62967$\868331540
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_HPSLPSVC
.
.
((((((((((((((((((((((((( Files Created from 2011-11-27 to 2011-12-27 )))))))))))))))))))))))))))))))
.
.
2011-12-27 04:16 . 2011-12-27 04:20 -------- d-----w- c:\users\David\AppData\Local\temp
2011-12-27 04:16 . 2011-12-27 04:16 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-12-27 04:16 . 2011-12-27 04:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-27 04:06 . 2011-12-27 04:19 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{189A4997-78F9-440F-8167-B573E1774173}\offreg.dll
2011-12-27 03:53 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-27 03:11 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{189A4997-78F9-440F-8167-B573E1774173}\mpengine.dll
2011-12-22 03:22 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2011-12-21 22:44 . 2011-12-21 22:45 -------- d-----w- c:\program files\ERUNT
2011-12-15 15:05 . 2011-12-15 15:05 -------- d-----w- c:\windows\system32\AppLogs
2011-12-14 19:58 . 2011-12-14 19:58 -------- d-----w- C:\New folder
2011-12-14 19:49 . 2011-12-14 19:50 -------- d-----w- c:\program files\Cobian Backup 10
2011-12-14 19:46 . 2011-12-14 19:46 -------- d-----w- c:\users\David\AppData\Local\Safe mirror
2011-12-14 16:12 . 2011-11-05 04:35 981504 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 16:12 . 2011-11-05 04:30 860672 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2011-12-14 16:11 . 2011-11-05 04:30 163328 ----a-w- c:\program files\Internet Explorer\ieproxy.dll
2011-12-14 16:11 . 2011-11-05 02:48 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-14 16:11 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 16:11 . 2011-11-05 04:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 16:10 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 16:10 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 16:10 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-14 16:10 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-13 04:03 . 2011-12-13 04:03 -------- d-----w- c:\users\David\AppData\Roaming\SUPERAntiSpyware.com
2011-12-13 04:01 . 2011-12-22 22:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-13 04:01 . 2011-12-13 04:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-12-09 04:28 . 2009-08-20 04:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-12-07 15:51 . 2011-11-21 04:04 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-06 12:21 . 2011-12-06 12:21 -------- d-----w- c:\program files\Common Files\xing shared
2011-11-30 02:32 . 2011-12-06 12:20 -------- d-----w- c:\users\David\AppData\Roaming\IObit
2011-11-30 02:32 . 2011-11-30 02:32 -------- d-----w- c:\program files\IObit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 10:47 . 2011-08-29 19:46 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-12 04:33 . 2011-11-12 04:33 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 11:54 . 2011-02-17 05:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-11 00:05 . 2011-10-11 00:06 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{00357790-C18C-42EE-995D-3831CD806E73}\gapaengine.dll
2011-09-29 16:03 . 2011-11-09 17:46 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-21 04:04 . 2011-12-07 15:51 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-22 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-12-08 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-08-05 135568]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-12-06 296056]
.
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 RapportCerberus_26169;RapportCerberus_26169;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\win7_x86\FileMonitor.sys [2011-10-08 18768]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\drivers\win7_x86\regfilter.sys [2011-09-20 30600]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-08-05 121744]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\drivers\win7_x86\UrlFilter.sys [2011-09-20 19792]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-03 1343400]
R4 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-04-28 870200]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-04-28 53816]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-04-28 66360]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-04-28 158904]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [2010-09-23 67584]
S2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [2011-10-08 820568]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2011-08-10 94880]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-11 106104]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\rfdmilye.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-avast - c:\program files\AVAST Software\Avast\avastUI.exe
MSConfigStartUp-ccleaner - g:\ccleaner\CCleaner.exe
AddRemove-RealPlayer 15.0 - c:\program files\real\realplayer\Update\r1puninst.exe
AddRemove-SmartDraw VP - c:\smartd~1\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\rundll32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\conhost.exe
c:\program files\Symantec AntiVirus\VPTray.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\Symantec AntiVirus\SavUI.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-12-26 22:26:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-27 04:26
.
Pre-Run: 238,740,283,392 bytes free
Post-Run: 238,691,729,408 bytes free
.
- - End Of File - - 6060AE8CAAB74E3A86B683464E7F2C30


But on the premise that things have been repaired, I want to say how much I appreciate your help on this first machine. I have said that I use the 'net a lot for search and research and go to China, India, Russia and elsewhere where research or articles relating to my projects are published, so on the assumption that I could run into other bad programs by all of the 'netting, can you make any recommendations about procedures, techniques, software anti-virus or anti-malware programs to use? Maybe a favorite or two of yours that you trust?

And for your help, thank you, THANK YOU THANK YOU. Please let me know if there's anything I can do to return the favor. If you are in Romania and ever need anything from the US that you have a hard time getting, let me know and I'll see if I can help.

And now onto COMPUTER 2 where I think things were left with dds.scr only running 1/2 to 2/3 through and not generating a log. But I'll make those remarks once I find that thread.

David

#39 User is online   Elise 


Posted 27 December 2011 - 02:46 AM

Hi David,
ZeroAccess was indeed what had infected your computer and has been removed by combofix.

Can you please rerun DDS and post me attach.txt this time? This log will be minimized once the scan is finished.

You can find your other topic by clicking on the drop down menu (top right corner of the page) and selecting My Content.
regards, Elise


#40 User is offline   dewalt 


Posted 28 December 2011 - 05:17 PM

Elise:

Sorry for the delay, but I have finally gotten to rerunning dds.scr as you requested. As I've said, I don't know where you've learned all this stuff, but it's very lucky you have and that you've been willing to help others.

DDS.txt post: as of December 28, 2011


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_30
Run by David at 15:41:35 on 2011-12-28
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1263.673 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
c:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\rundll32.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cnn.com/
uURLSearchHooks: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
StartupFolder: c:\users\david\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{9176008D-7A8F-4738-BD1F-521CF3027BEA} : DhcpNameServer = 75.75.76.76 75.75.75.75
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\david\appdata\roaming\mozilla\firefox\profiles\rfdmilye.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-28 53816]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-4-28 66360]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-28 158904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-12-14 67584]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-11-29 820568]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2011-11-22 94880]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-5-4 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-8-5 1966480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-11 106104]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\win7_x86\FileMonitor.sys [2011-11-29 18768]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-4-5 15872]
S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\win7_x86\RegFilter.sys [2011-11-29 30600]
S3 SavRoam;SavRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-8-5 121744]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-5 52224]
S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\win7_x86\UrlFilter.sys [2011-11-29 19792]
S3 WatAdminSvc;WatAdminSvc;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-3 1343400]
S4 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-4-28 870200]
.
=============== Created Last 30 ================
.
2011-12-28 20:27:49 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{189a4997-78f9-440f-8167-b573e1774173}\offreg.dll
2011-12-27 04:25:39 -------- d-sh--w- C:\$RECYCLE.BIN
2011-12-27 04:16:38 -------- d-----w- c:\users\david\appdata\local\temp
2011-12-27 03:53:54 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-27 03:11:48 6823496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{189a4997-78f9-440f-8167-b573e1774173}\mpengine.dll
2011-12-22 03:22:37 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2011-12-15 15:05:10 -------- d-----w- c:\windows\system32\AppLogs
2011-12-14 19:58:08 -------- d-----w- C:\New folder
2011-12-14 19:49:34 -------- d-----w- c:\program files\Cobian Backup 10
2011-12-14 19:46:19 -------- d-----w- c:\users\david\appdata\local\Safe mirror
2011-12-14 16:12:05 981504 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 16:12:01 860672 ----a-w- c:\program files\internet explorer\iedvtool.dll
2011-12-14 16:11:57 163328 ----a-w- c:\program files\internet explorer\ieproxy.dll
2011-12-14 16:11:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-14 16:11:49 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 16:11:41 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 16:10:48 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 16:10:46 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 16:10:42 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-14 16:10:41 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-13 04:03:00 -------- d-----w- c:\users\david\appdata\roaming\SUPERAntiSpyware.com
2011-12-13 04:01:48 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-12-13 04:01:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-09 04:28:47 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-12-07 15:51:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-06 12:21:00 -------- d-----w- c:\program files\common files\xing shared
2011-11-30 02:32:58 -------- d-----w- c:\users\david\appdata\roaming\IObit
2011-11-30 02:32:49 -------- d-----w- c:\program files\IObit
.
==================== Find3M ====================
.
2011-11-12 04:33:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 11:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 15:42:07.09 ===============



And I appreciate your observation that it appears that "ZeroAccess" was the responsible bad guy/malware, so any recommendation on which anti-virus/anti-malware software would be a good program to install to keep this kind of virus/malware from getting installed in the future?

Thanks again for your time.

David

#41 User is offline   dewalt 


Posted 28 December 2011 - 05:49 PM

Elise:

I haven't yet been able to figure out how to use the "My contents" drop-down menu to find the other thread, so I guess I'll just have to use the old-fashioned method and go back by time posted. I tried using a search on COMPUTER 2, but I get a message that one of the search keywords is less than 3 characters and it will not try a search. Go figure.

David

#42 User is online   Elise 


Posted 29 December 2011 - 03:18 AM

My content is here: http://www.bleepingcomputer.com/forums/index.php?app=core&module=search&do=user_activity&mid=78996
regards, Elise


#43 User is online   Elise 


Posted 06 January 2012 - 06:26 AM

If you still have issues with this computer, please let me know, otherwise this topic will be closed.
regards, Elise


#44 User is online   Elise 


Posted 26 January 2012 - 05:13 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
regards, Elise
